Case Study 1: Tornado Cash — When the US Government Sanctioned a Smart Contract

Case Study 1: Tornado Cash — When the US Government Sanctioned a Smart Contract

Overview

On August 8, 2022, the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury took an action that would become one of the most consequential and contested decisions in the short history of cryptocurrency regulation. OFAC added Tornado Cash, a decentralized Ethereum mixing protocol, to its Specially Designated Nationals and Blocked Persons (SDN) list. It was the first time the US government had sanctioned an autonomous, ownerless smart contract — a piece of immutable code running on a decentralized network. The decision triggered an immediate legal battle, forced the open-source software community to confront questions about developer liability, and established a precedent whose implications extend far beyond cryptocurrency into the fundamental relationship between government authority, code, and speech.

This case study traces the full arc of the Tornado Cash affair: the technology, the illicit use, the sanctions decision, the developer prosecutions, the legal challenges, and the lasting implications.

Part 1: What Tornado Cash Was

The Technical Architecture

Tornado Cash launched on Ethereum in 2019, created primarily by developers Alexey Pertsev, Roman Storm, and Roman Semenov. Its purpose was straightforward: to break the on-chain link between a depositor and a withdrawer, providing financial privacy on an otherwise fully transparent blockchain.

The protocol operated through a set of smart contracts — self-executing code deployed to the Ethereum blockchain. Users deposited fixed denominations of cryptocurrency (0.1, 1, 10, or 100 ETH, plus USDC and other tokens) into the contract. Each deposit was accompanied by a cryptographic commitment — a hash of a secret note that only the depositor knew. The contract stored these commitments in a Merkle tree, an efficient cryptographic data structure.

To withdraw, a user presented a zero-knowledge proof (specifically, a zk-SNARK) demonstrating that they knew the secret corresponding to one of the commitments in the Merkle tree — without revealing which one. The smart contract verified the proof and released the specified denomination to a fresh withdrawal address. Because the proof revealed nothing about which commitment was being claimed, there was no on-chain connection between the deposit and the withdrawal.

Several design features were critical:

Non-custodial. At no point did any person or entity have control over the deposited funds. The smart contract held the deposits and released them automatically upon presentation of a valid proof. There was no operator who could steal funds, freeze accounts, or selectively censor withdrawals.

Immutable. The core smart contracts were deployed as immutable code — once deployed, even the developers could not modify them. This meant that no one could add censorship, compliance features, or backdoors after deployment.

Decentralized (partially). The protocol had a governance structure through TORN, a governance token. TORN holders could vote on certain parameters and upgrades. However, the core mixing contracts themselves were immutable and operated independently of governance decisions.

Open source. The code was publicly available on GitHub, audited by multiple security firms, and could be forked or redeployed by anyone.

The Privacy Model

Tornado Cash's privacy depended on the anonymity set — the number of deposits in the pool at any given time. If 1,000 users had each deposited 1 ETH, then any withdrawal of 1 ETH could have originated from any of those 1,000 deposits. The larger the pool, the stronger the privacy.

The fixed denomination requirement was essential. If users could deposit arbitrary amounts, the amounts themselves would be linkable (a deposit of 1.23456 ETH followed by a withdrawal of 1.23456 ETH would be trivially connected). By requiring fixed denominations, Tornado Cash ensured that all deposits within a denomination were fungible.

Users were advised to wait before withdrawing — the longer the delay, the more deposits would accumulate in the pool, growing the anonymity set. Withdrawing immediately after depositing would narrow the anonymity set and potentially allow timing-based de-anonymization.

Part 2: The Illicit Use Problem

North Korea and the Lazarus Group

The most damaging allegation against Tornado Cash centered on North Korea. The Lazarus Group, a state-sponsored hacking organization attributed to the North Korean government, was responsible for a series of massive cryptocurrency thefts:

Ronin Bridge Hack (March 2022): $625 million stolen from the Axie Infinity gaming platform's bridge. The FBI attributed the hack to the Lazarus Group, and blockchain analytics firms traced a significant portion of the stolen funds through Tornado Cash.
Harmony Bridge Hack (June 2022): $100 million stolen from the Harmony blockchain bridge. Funds were subsequently laundered through Tornado Cash.
Various DeFi Exploits: Smaller but still substantial thefts from various DeFi protocols, with proceeds consistently routed through Tornado Cash.

In total, OFAC estimated that the Lazarus Group had laundered over $455 million through Tornado Cash. Given that North Korean cryptocurrency theft was widely believed to fund the country's nuclear weapons and ballistic missile programs, the national security dimension was severe.

Other Illicit Flows

Beyond North Korea, Tornado Cash was used by a range of illicit actors:

Proceeds from ransomware attacks, including funds from several high-profile incidents
Stolen funds from exchange hacks and DeFi exploits
Funds moving from sanctioned entities and darknet markets

Blockchain analytics firm Chainalysis estimated that approximately 30% of all ETH sent to Tornado Cash came from addresses associated with stolen funds or sanctioned entities. The Treasury Department cited a figure of $7.6 billion in total deposits, with $1.5 billion from illicit sources.

The Other 70%

What the statistics also showed, and what the sanctions' critics emphasized, was that the majority of Tornado Cash users had no known illicit connection. The 70% of legitimate users included:

Individuals who simply wanted financial privacy (not wanting their employer, ex-spouse, or the public to see their transactions)
Ethereum users who had received funds from compromised protocols and wanted to "clean" their addresses
People who had doxxed their Ethereum addresses by accident and wanted to break the link to their identity
Crypto-native individuals who philosophically believed in financial privacy as a right

These users were collateral damage of the sanctions — their funds trapped in a protocol they could no longer legally interact with.

Part 3: The Sanctions Decision

OFAC's Legal Authority

OFAC derives its authority primarily from the International Emergency Economic Powers Act (IEEPA), which authorizes the President to block the "property" of foreign persons who pose a threat to national security, and the Executive Orders issued under that authority.

The sanctions regime works by adding persons and entities to the SDN list. US persons (individuals and companies) are prohibited from engaging in any transactions with designated persons or their property. The practical effect is financial ostracism: sanctioned persons are cut off from the US dollar system and the global financial infrastructure that depends on it.

The Unprecedented Move

What made the Tornado Cash designation unprecedented was the nature of the target:

No person or entity. Traditional sanctions target people (dictators, oligarchs) or entities (companies, government agencies). Tornado Cash was not a company. It had no CEO, no board, no employees, no office. The core smart contracts were autonomous code running on Ethereum.

No property in the traditional sense. OFAC can block "property" of designated persons. But the Tornado Cash smart contracts were not owned by anyone — they were immutable code deployed to a public blockchain. OFAC designated the smart contract addresses themselves, effectively declaring pieces of code to be sanctioned "property."

No ability to comply. A sanctioned person can petition OFAC for delisting. A sanctioned company can reform its practices. Tornado Cash could do neither — the smart contracts were immutable and had no operator who could implement compliance measures.

Immediate Fallout

The sanctions triggered a cascade of compliance responses:

GitHub removed the Tornado Cash repository and suspended the personal GitHub accounts of its contributors. This meant that the source code — which is itself protected speech under prior court rulings — was taken offline from the largest code hosting platform.

Ethereum infrastructure providers (Infura, Alchemy) blocked API calls to Tornado Cash contract addresses, preventing most users from interacting with the contracts through standard tools.

Circle froze USDC held in Tornado Cash contracts — approximately $75,000. This demonstrated that centralized stablecoin issuers could and would comply with OFAC designations that affected smart contracts.

DeFi protocols began blocking addresses that had ever interacted with Tornado Cash. Some protocols implemented blanket bans; others used more targeted screening.

"Dusting" attacks occurred: someone sent small amounts of ETH from Tornado Cash to the public addresses of prominent figures (including Jimmy Fallon, Shaquille O'Neal, and Ethereum co-founder Vitalik Buterin). This raised the absurd possibility that these individuals were technically in violation of OFAC sanctions by having received tainted funds — sanctions they could not have prevented.

Part 4: The Developer Prosecutions

Alexey Pertsev (Netherlands)

On August 10, 2022, two days after the OFAC designation, Dutch authorities arrested Alexey Pertsev, a 29-year-old Russian developer living in the Netherlands, on suspicion of facilitating money laundering.

Pertsev was held in detention for nine months before being granted supervised release. His trial centered on a fundamental question: was Pertsev merely writing code, or was he facilitating money laundering?

The prosecution argued that Pertsev did not simply write a neutral tool and walk away. He actively maintained the protocol, promoted it, and was aware that it was being used to launder stolen funds. The prosecution pointed to evidence that Pertsev and his co-developers discussed the illicit use of Tornado Cash internally and took no steps to implement compliance measures.

The defense argued that Tornado Cash was a legitimate privacy tool — analogous to a VPN, Tor, or end-to-end encryption — and that writing and maintaining code should not be criminal. The defense emphasized that the smart contracts were non-custodial (Pertsev never controlled user funds) and immutable (he could not add compliance features after deployment).

In May 2024, the Dutch court convicted Pertsev and sentenced him to 64 months (five years and four months) in prison. The court found that Pertsev was not merely a passive developer but an active participant in a system he knew was being used for money laundering.

Roman Storm (United States)

In August 2023, the US Department of Justice arrested Roman Storm, a US-based Tornado Cash developer, and unsealed an indictment against both Storm and Roman Semenov (who remained at large). The charges included:

Conspiracy to commit money laundering
Conspiracy to violate the International Emergency Economic Powers Act
Conspiracy to operate an unlicensed money-transmitting business

The US prosecution made arguments similar to the Dutch case but within the American legal framework. The money-transmitting business charge was particularly significant — it implied that deploying a decentralized smart contract could constitute operating a money-transmitting business, a characterization with enormous implications for DeFi developers.

Storm's defense team, supported by significant legal resources from the cryptocurrency industry, raised constitutional arguments including First Amendment protection for code and due process concerns. The case proceeded through 2024 and into 2025, with the judge ruling on several pre-trial motions that shaped the legal landscape.

Implications for Developers

The developer prosecutions sent a clear message — but the message was interpreted very differently by different audiences:

To regulators and law enforcement: The prosecutions signaled that developing tools for money laundering would be prosecuted, regardless of whether those tools were decentralized, non-custodial, or open source.

To the cryptocurrency industry: The prosecutions created a chilling effect. If developers could be imprisoned for writing mixing software, what about developers of decentralized exchanges, lending protocols, or any other DeFi application that could be used for illicit purposes?

To the open-source community: The prosecutions raised existential questions. If contributing to an open-source project could result in criminal liability for how others use the code, the incentive structure for open-source development is fundamentally altered.

Part 5: The Legal Challenge

Van Loon v. Department of the Treasury

In September 2022, six Tornado Cash users — represented by lawyers funded by Coinbase — filed a lawsuit challenging the OFAC designation. The plaintiffs argued that OFAC exceeded its statutory authority and violated the constitutional rights of Tornado Cash users.

The core legal arguments:

Statutory authority. IEEPA authorizes OFAC to block the "property" of designated foreign persons. The plaintiffs argued that Tornado Cash's immutable smart contracts are not the "property" of any person. They are ownerless code — deployed to the Ethereum blockchain and operating autonomously. If no person owns them, OFAC has no statutory authority to designate them.

First Amendment. Courts have held that code is speech (citing Bernstein v. Department of Justice and Universal City Studios v. Corley). The Tornado Cash smart contracts are code. Sanctioning them — making it illegal for any US person to interact with them — is a restriction on speech that must satisfy First Amendment scrutiny.

Due process. Sanctions designations typically allow the designated party to petition for removal. An immutable smart contract cannot petition for anything. The lack of any process for the "designated party" to challenge or remedy the designation violates due process.

The District Court Decision

In August 2023, Judge Robert Pitman of the Western District of Texas ruled against the plaintiffs on all counts. The court found that OFAC had authority to designate Tornado Cash because the smart contracts were "property" of the Tornado Cash entity (which OFAC considered to include its developers and governance token holders). The court rejected the First Amendment argument, finding that the sanctions regulated conduct (financial transactions), not speech.

The Fifth Circuit Reversal

On appeal, the Fifth Circuit Court of Appeals partially reversed in November 2024. In a decision that drew significant attention, the Fifth Circuit held that the immutable Tornado Cash smart contracts were not "property" within the meaning of IEEPA. The court reasoned that "property" implies ownership and control — someone must own the property for it to be blocked. Because the immutable smart contracts could not be altered, controlled, or accessed by any person, they were not anyone's property.

However, the Fifth Circuit did not address the First Amendment question, and its ruling was narrow — applying specifically to the immutable contracts rather than to Tornado Cash as a broader entity.

The government sought rehearing, and the case remained unresolved as of early 2026, with the potential for Supreme Court review.

Part 6: Lasting Implications

For Cryptocurrency Privacy

The Tornado Cash sanctions did not eliminate cryptocurrency mixing. Other mixing protocols continued to operate, and Tornado Cash itself continued to function (the immutable smart contracts were still on the blockchain, even if US persons were prohibited from using them). However, the sanctions significantly reduced the volume of funds flowing through mixing protocols and created a legal risk that deterred many users.

The sanctions also accelerated research into compliance-compatible privacy — zero-knowledge proof systems that allow users to demonstrate that their funds are not illicit without revealing their identity. The "proof of innocence" concept, which would allow mixer users to prove their funds are not from sanctioned sources, emerged directly from the Tornado Cash aftermath.

For Open-Source Development

The developer prosecutions created an ongoing debate about the responsibilities and liabilities of open-source developers. If deploying a smart contract can result in money laundering charges, developers must consider the potential uses of their code before deploying it. This represents a significant departure from the open-source ethos of neutral, permissionless tool creation.

Some in the industry have proposed "safe harbor" legislation that would protect developers who deploy non-custodial, open-source smart contracts, provided they do not actively promote illicit use. Others argue that such protections would create a loophole for money launderers who merely need to frame their services as "open-source tools."

For DeFi Regulation

The Tornado Cash case established a template that regulators could apply to other DeFi protocols. If a decentralized exchange, lending protocol, or derivatives platform is used for sanctions evasion, the Tornado Cash precedent suggests that OFAC could sanction the protocol's smart contracts and prosecute its developers. This creates a fundamental challenge for the DeFi ecosystem, which is built on the premise that autonomous, decentralized protocols can operate without intermediaries or gatekeepers.

For the Privacy-Surveillance Debate

Most fundamentally, the Tornado Cash case crystallized the tension between financial privacy and government authority. The case forced the legal system to grapple with questions that will define technology policy for decades: Is code speech? Can autonomous software be sanctioned? Are developers responsible for the uses of their tools? And can the government effectively prohibit privacy — not just regulate financial intermediaries, but ban the very code that enables private transactions?

These questions do not have settled answers. The Tornado Cash case is not over — it is the opening act of a legal and philosophical drama that will play out for years to come.

Discussion Questions

The 70/30 split. Chainalysis estimated that 30% of Tornado Cash deposits came from illicit sources. Does this ratio justify sanctioning the entire protocol? What if the ratio were 10%? 50%? Is there a threshold that would change your analysis?
The developer liability question. Do you agree with the Dutch court's distinction between a "passive developer" (writing code and releasing it) and an "active participant" (maintaining and promoting a tool known to be used for money laundering)? Where would you draw the line?
The code-as-speech argument. Courts have held that source code is protected speech. Does this mean that deploying executable code (a smart contract on Ethereum) is also protected speech? Is there a meaningful distinction between writing code, publishing code, and deploying code?
Precedent and analogy. Consider the Tornado Cash case in light of these analogies: (a) The gun manufacturer who knows their products are used in crimes. (b) The telecommunications company whose network is used by criminals. (c) The locksmith who publishes a lock-picking guide. Which analogy is most apt, and why?
The alternative. If you believe the Tornado Cash sanctions were inappropriate, what alternative action should the government have taken to address the laundering of hundreds of millions in North Korean-stolen funds? If you believe they were appropriate, how should the precedent be limited to avoid chilling legitimate software development?
Future implications. The Fifth Circuit ruled that immutable smart contracts are not "property" under IEEPA. What are the implications of this ruling for other DeFi protocols? Could a protocol be designed to be intentionally "unsanctionable" by making its contracts immutable and ownerless?