Tornado Cash Launches Sanctions Compliant Web Interface

  • Tornado Cash front-end website will prevent access from OFAC-sanctioned wallet addresses
  • The immutable smart contracts that underpin the mixing service remain unchanged and therefore work the same as before

Privacy tool Tornado Cash, which has been used to hide the proceeds of multiple frauds, scams and hacks in the past, updated its web interface on Friday to restrict access from wallet addresses sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC).

The move follows an update from OFAC yesterday, which identified the wallet known to have received the funds stolen from the Ronin Bridge last month as being controlled by North Korean hacking organization Lazarus Group. The wallet still holds 144,000 of the original 173,000 Ether, worth around $439 million as of 1:30 p.m. ET on Friday.

The change to Tornado Cash’s decentralized application (dapp) has no impact on the code of the underlying privacy protocols – a set of smart contracts on Ethereum intended to bring privacy to transactions on the transparent public blockchain network.

Understanding the difference between a protocol and a website that adds usability isn’t always easy for newcomers to Web3, as evidenced by the recent Uniswap class action lawsuit.

In the Web2 world of Google and Facebook, a website runs on a server owned by a company that exists within a country’s jurisdiction. In the case of Tornado Cash, the smart contract code runs on public Ethereum and cannot be changed, the project documentation explains.

“No one – including the original developers – can modify or close them,” the documentation says.

The service is even accessible from a decentralized storage infrastructure known as IPFS rather than a particular centralized web server.

So what does this mean for hackers?

Tornado Cash’s main user interface is an application that implements a Chainalysis sanctions oracle – essentially a blacklist of Ethereum addresses maintained by the Chainalysis blockchain data platform. The address used in the Ronin hack has been added to this list.

But the Tornado Cash protocol itself can still be used as before, using an alternate front-end UI. That doesn’t mean it can be successfully used to mask the origins of the stolen Ether in the Ronin Bridge exploit, though.

Chainalysis co-founder Jonathan Levin has touted the firm’s ability to unmask transactions from mixers like Tornado Cash, especially when they contain large amounts of value relative to the total liquidity available.

“The fact that the entire industry and all law enforcement and regulators can all have access to the same information about the services and entities behind these transactions, it allows us to take unprecedented steps to be able to collaborate on weeding out illicit activities,” Levin told a Senate panel in March.


  • Macauley Peterson

    Macauley has been an editor and content creator in the professional chess world for 14 years. He graduated from Bucerius Law School in Hamburg, Germany (Master in Law and Business 2020), where he researched stablecoins, decentralized finance and central bank digital currencies. He also has a master’s degree in film studies and his film credits include associate producer of the 2016 feature-length documentary, “Magnus” about world chess champion Magnus Carlsen. He is based in Germany.

