Crypto Mixers and Tornado Cash Sanctions Explained: What Happened and What It Means Today

For years, crypto mixers like Tornado Cash were seen as a way to protect financial privacy-just like using cash instead of a credit card. But in 2022, everything changed. The U.S. government didn’t just block a website. It declared an entire piece of code illegal. Then, in 2025, it walked that back. And yet, the person who built it is still being prosecuted. This isn’t just about money laundering. It’s about whether software can be a crime.

What is a crypto mixer?

A crypto mixer, also called a tumbler, takes your cryptocurrency and mixes it with other users’ funds before sending it out to a new address. Think of it like putting your cash into a pile with hundreds of others, then pulling out an equal amount-but none of it is yours anymore. The original trail? Gone.

This isn’t inherently illegal. People use mixers for legitimate reasons: to hide their spending habits from advertisers, protect themselves from hackers who track wallet activity, or avoid surveillance in countries with strict capital controls. In places like Russia or Iran, mixing crypto can be a basic privacy tool.

Tornado Cash was different because it didn’t require a company to run it. It ran on Ethereum as a smart contract-code that executes automatically. No middleman. No login. No KYC. Just deposit ETH, wait a few minutes, and withdraw from a different address. The system was designed so no one, not even the developers, could trace where the money came from or where it went.

Why did the U.S. government sanction Tornado Cash?

On August 8, 2022, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) added Tornado Cash to its list of sanctioned entities. The reason? Money laundering.

According to Treasury reports, criminals used Tornado Cash to clean over $7 billion in stolen crypto since 2019. That included $455 million stolen by North Korea’s Lazarus Group from the Axie Infinity game, $96 million from the Harmony Bridge hack, and $7.8 million from the Nomad Bridge breach. Those weren’t small losses-they were nation-state-level cyberattacks.

OFAC didn’t accuse Tornado Cash of being run by criminals. They accused it of being a tool that made laundering too easy. The statement said Tornado Cash “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors.” In other words: you didn’t have to know the money was stolen to use it-and that was enough to make it illegal.

The sanctions meant U.S. citizens and companies couldn’t interact with Tornado Cash’s smart contracts. Even accidentally sending ETH to one of its addresses could be a violation. Wallet providers like MetaMask and Coinbase blocked access. Developers were warned not to build tools that connected to it. The website went offline. But the code? Still running on the blockchain.

What happened after the sanctions?

At first, usage dropped sharply. But not to zero.

By September 2023, Tornado Cash was still processing around $200 million in transactions. Why? Because you didn’t need the website to use it. Tech-savvy users wrote scripts to interact directly with the smart contracts. Others used mirrors on the dark web. The system was decentralized-it didn’t rely on a single server. That’s what made it so hard to shut down.

Then came the legal challenge. A user named Van Loon sued the Treasury, arguing that sanctioning a piece of code violated the Administrative Procedure Act. The key point? Smart contracts aren’t property. They’re not owned. They’re not controlled. They just run.

In November 2024, the U.S. Fifth Circuit Court of Appeals agreed. The court ruled that OFAC had overstepped its authority. You can’t sanction code the same way you sanction a bank account or a company. Code isn’t a person. It doesn’t have a bank. It can’t be sued. And under the International Emergency Economic Powers Act (IEEPA), sanctions only apply to “property” or “interests in property.”

The court ordered the Treasury to remove Tornado Cash from the SDN list.

The twist: Sanctions lifted-but the developer is still in trouble

On March 21, 2025, the U.S. Treasury officially removed Tornado Cash’s smart contracts from the sanctions list. For the first time since 2022, Americans could legally interact with the protocol again.

But here’s the catch: they didn’t lift sanctions on Roman Semenov, one of Tornado Cash’s creators. He’s still on the SDN list. And the Department of Justice didn’t drop its case.

In fact, in early 2025, the DOJ filed three criminal charges against Roman Storm (another developer linked to the project): conspiracy to launder money, conspiracy to operate an unlicensed money transmitting business, and conspiracy to violate IEEPA. Even though the protocol itself is now legal to use, the person who built it is still being prosecuted.

This is the new gray zone in crypto regulation: you can’t sanction code, but you can jail the person who wrote it.

Legal experts say this sets a dangerous precedent. If you can be charged for building a tool that others misuse, then every developer who creates open-source software could be at risk. Think of it like this: if someone uses a knife to commit a crime, do you jail the knife maker? Or the person who held it?

What does this mean for privacy in crypto?

The Tornado Cash case forced the world to ask a hard question: Is financial privacy a right-or a loophole?

Privacy advocates say yes, it’s a right. In a world where every transaction is tracked, where governments and corporations monitor your spending, mixing tools are a necessary shield. They point out that Tornado Cash was used by over 1.5 million unique addresses. Most of them were ordinary users-not criminals.

Regulators argue that privacy tools become dangerous when they’re used by bad actors at scale. They say if a tool is used to launder billions, then the burden should be on the creators to stop it. But Tornado Cash had no way to stop it. It was designed to be unstoppable.

The outcome? A compromise. The code is free. The people behind it are not.

For users, this means using a mixer is technically legal again. But if you’re in the U.S., you’re still walking a tightrope. If you use Tornado Cash, you might get flagged by your exchange. You might get asked questions by your bank. You might trigger a compliance alert-even if you’re doing nothing wrong.

What about other mixers?

Tornado Cash isn’t the only mixer out there. Others like Blender.io, Wasabi Wallet (for Bitcoin), and Secret Network’s private transfers offer similar functions. Some are custodial (meaning a company holds your funds). Others are decentralized like Tornado Cash.

After the sanctions, many non-custodial mixers added optional KYC checks or transaction limits to avoid being targeted. But that defeats the whole purpose. If you have to prove who you are to use a mixer, you’re not really mixing anymore.

Now, the industry is watching closely. Will regulators go after other mixers? Will they try to force developers to build “compliance features” into decentralized protocols? If they do, it could kill innovation in privacy tech.

For now, the safest approach is simple: don’t mix large sums from known stolen sources. Don’t use tools that are clearly associated with dark market activity. And if you’re using a mixer, understand that you might be under scrutiny-even if the law says you’re allowed to.

What’s next?

The legal battle isn’t over. The DOJ is still pursuing criminal charges against Roman Storm. The Treasury says it’s done. The court says the sanctions were invalid. But the message is clear: the government doesn’t want you to use tools that hide money trails.

Future regulations might require all crypto services to monitor for mixer usage. Exchanges might start blocking all transactions that touch known mixer addresses-even if the user didn’t know it. That’s already happening with some platforms.

And the big question remains: Can you regulate privacy without killing freedom? The answer isn’t in the code. It’s in the courts. And it’s still being written.