Crypto Mixers and Tornado Cash Sanctions Explained: What Happened and Why It Matters

When you send money through a bank, the transaction leaves a paper trail. With cryptocurrency, that trail is public, permanent, and visible to anyone with the right tools. That’s where crypto mixers come in. They’re designed to break that trail-swapping your coins with others’ so no one can trace where your funds came from. One of the most famous tools for this was Tornado Cash. And in 2022, the U.S. government made headlines by sanctioning it. But by 2025, those sanctions were lifted. Here’s what actually happened, why it confused so many people, and what it means for privacy on the blockchain.

What Is a Crypto Mixer?

A crypto mixer, sometimes called a tumbler, takes your cryptocurrency-say, 5 ETH-and mixes it with deposits from dozens or hundreds of other users. It then sends back an equivalent amount from a different address. To an outside observer, it looks like the money came from someone else entirely. There’s no central server holding the funds. Instead, it’s all handled by smart contracts on the Ethereum blockchain. That means no one person controls it. No one can freeze it. No one can shut it down with a single command.

People use mixers for different reasons. Some want to protect their financial privacy. Others use them to hide stolen funds. That’s the problem regulators faced: the same tool that helps a whistleblower in a repressive regime stay anonymous also helps North Korean hackers launder millions.

Tornado Cash: The Most Used Mixer

Tornado Cash launched in August 2019. It wasn’t a company. It didn’t have employees. It was just code-open-source, running on Ethereum. Users deposited ETH into its smart contracts and later withdrew from a new address. The system used zero-knowledge proofs to prove you owned the funds without revealing which deposit you made. It was mathematically private.

By 2022, Tornado Cash had processed over $7.6 billion in Ethereum. Chainalysis estimated that about 30% of that came from illicit sources. That included:

• $455 million stolen in the Axie Infinity hack by North Korea’s Lazarus Group
• $96 million from the Harmony Bridge heist
• $7.8 million from the Nomad Bridge exploit
• And millions more from other hacks like BitMart, Beanstalk, and Fei Protocol

Those numbers made it impossible for regulators to ignore. But the real question wasn’t whether it was used for crime-it was whether the tool itself should be banned.

The OFAC Sanction: A First of Its Kind

On August 8, 2022, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) added Tornado Cash to its Specially Designated Nationals (SDN) list. That meant it was illegal for any U.S. person-or anyone doing business in the U.S.-to interact with Tornado Cash’s Ethereum addresses. Even if you didn’t know you were sending funds to a sanctioned address, you could still be breaking the law.

This was unprecedented. OFAC had sanctioned individuals, companies, and even entire countries. But never a piece of code. The smart contracts were immutable-they couldn’t be changed or shut down. They ran on their own. So OFAC wasn’t punishing a business. They were punishing a program.

Reaction was immediate. Crypto exchanges like Coinbase and Kraken blocked access to Tornado Cash addresses. Wallets like MetaMask started warning users. Developers scrambled. Some deleted their code. Others paused projects fearing they’d be next.

But here’s the twist: Tornado Cash didn’t disappear. People still used it. Developers wrote scripts to interact with the contracts directly. Dark web mirrors popped up. By September 2023, it was still processing $200 million in transactions a month. The sanction had created chaos-but not compliance.

The Court Ruling That Changed Everything

In November 2024, the U.S. Fifth Circuit Court of Appeals made a landmark decision in Van Loon v. Department of Treasury. The court ruled that OFAC had overstepped its authority. Under the International Emergency Economic Powers Act (IEEPA), the government can only sanction property or interests in property. Smart contracts aren’t property. They’re code. They’re not owned by anyone. They can’t be seized. They can’t be controlled.

The court said: “You can’t sanction a computer program the same way you sanction a bank.” It ordered the District Court to vacate the sanctions against Tornado Cash’s smart contracts.

That didn’t mean the case was over. It meant the legal basis for the sanction was invalid. The government had to admit it had no authority to ban code.

The Delisting: What the Treasury Actually Did

On March 21, 2025, the U.S. Treasury officially removed Tornado Cash from the SDN list. But here’s the catch: they didn’t lift sanctions on everyone involved. They only removed the sanctions from the smart contracts themselves. Roman Semenov, one of the original developers, remained on the list. He’s still blocked. He’s still a target.

The Treasury didn’t apologize. They didn’t say they were wrong. They just changed the target. They argued they had always intended to sanction the *people* behind the tool, not the tool itself. And since the court forced them to drop the contract sanctions, they did the bare minimum to comply-while keeping pressure on the developers.

So technically, yes-you can use Tornado Cash again. But if you’re a U.S. citizen and you interact with it, you’re still risking trouble. Why? Because the Justice Department is still prosecuting Roman Storm (another developer) for conspiracy to launder money, operate an unlicensed money transmitting business, and violate IEEPA.

Why This Matters for Everyone

This case isn’t just about one mixer. It’s about the future of privacy on the blockchain. If the government can sanction code, then any open-source tool could be next. A decentralized exchange? A privacy wallet? A decentralized identity system? All could be targeted.

The Fifth Circuit’s ruling was a win for developers and privacy advocates. It set a precedent: you can’t regulate immutable code the same way you regulate banks. But the DOJ’s continued prosecution of the developers shows the government still wants to punish the people who build these tools-even if the tools themselves are legal.

It creates a dangerous gray area. You can use Tornado Cash. But if you’re seen as supporting it, or if you’re a developer who helped build it, you could still go to jail. That’s not regulation. That’s intimidation.

What’s Next for Crypto Privacy Tools?

Tornado Cash’s story didn’t end with a win or a loss. It ended with a warning. Regulators now know they can’t ban code. So they’re shifting tactics:

• They’re going after developers, not tools
• They’re pressuring exchanges to block known addresses
• They’re pushing for “KYC for wallets” laws

Some privacy tools are already adapting. New mixers are being built with no public documentation. Others are running on non-Ethereum chains where U.S. jurisdiction is weaker. The arms race has begun.

For users, the lesson is simple: privacy tools are powerful, but they’re not safe. Using them might be legal now. But if you’re flagged, you could still face years of legal battles-even if the tool itself was cleared.

Is It Safe to Use a Crypto Mixer Today?

Legally? For U.S. persons, using Tornado Cash’s smart contracts is now permitted. But practically? It’s still risky.

• If you’re a U.S. citizen, your wallet provider might still block access
• If you interact with the mixer, your transaction history could be flagged
• If you’re a developer or contributor, you’re still in legal danger

Outside the U.S., rules vary. In New Zealand, where I live, there are no specific laws banning crypto mixers. But banks and exchanges still watch for suspicious activity. If you send funds through a mixer and then try to cash out to fiat, you’ll likely be asked for proof of origin.

There’s no clear answer. Privacy is a right. But regulators see it as a loophole. And until there’s a global legal consensus, users are caught in the middle.

What This Means for the Future of Crypto

The Tornado Cash case is a turning point. It showed that:

• Blockchains can’t be controlled like traditional finance
• Smart contracts are not property
• Regulators can’t punish code, but they can punish people

That’s why this case will be studied for decades. It’s the first time a court forced a government to admit it had no legal power to ban a decentralized protocol. And it’s also the first time a government responded by doubling down on prosecuting the humans behind it.

What happens next depends on who wins: the developers building tools for privacy, or the regulators trying to control them. One thing’s certain-this isn’t over. The next mixer is already being coded. And the next legal battle is already being prepared.