On August 8, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned crypto-mixer Tornado Cash – which was founded in 2019 – for its use in several money-laundering schemes that totaled $7 billion. The service is a virtual currency mixer, also known as a crypto blender, that operates on the Ethereum blockchain. It facilitates anonymous transactions by jumbling up data on the origin, destination and parties involved in a crypto transaction.
Crypto mixers are designed to protect user privacy, but the Treasury Department says that many services “are commonly used by illicit actors to launder funds, especially those stolen during significant heists.” The reality is that crypto mixers have been connected to several major hacks, casting a shadow over their other use cases.
How do crypto mixers work?
Most cryptocurrency transactions are recorded on a public ledger called a blockchain, where the movement of funds from one wallet address to another is logged and visible to anyone. Cryptocurrency mixers aim to make it harder to track individual transactions by mixing the source funds with other funds, resulting in an amalgamated deposit that is more difficult to trace.
Let's look at how this would work with bitcoin. You could use a centralized mixer, which are third-party services that receive bitcoin, stir in other bitcoin from other deposits, and send back an equivalent amount of bitcoin at the end of the transaction. These services typically take a transaction fee, and while they obscure the public origin and destination of crypto payments, the company may still maintain a record that can link transactions together.
Decentralized mixers do not use an intermediary to complete a transaction, and instead, use open-source protocols like CoinJoin. Essentially, users can blend their coins into a larger transaction and receive an equal amount of crypto in the end, making it difficult to trace where the payment originated from.
Tornado Cash, for example, is a decentralized, open-source protocol for private transactions on the Ethereum network. Tornado Cash deploys smart contracts that allow users to deposit ether or an ERC-20 token to one address and enable withdrawal from another address. After depositing, the company advises users to “wait some amount of time” before withdrawing their funds to “improve their privacy.”
Are cryptocurrency blenders legal?
Crypto mixers are not inherently illegal, though they are used for illegal activity. According to a July report from Chainalysis, cryptocurrency mixers are a “go-to tool for cybercriminals dealing in cryptocurrency” and illicit addresses account for nearly a quarter of funds sent to mixers since January.
In the U.S., the Financial Crimes Enforcement Network (FinCEN) considers mixers to be money transmitters under the Bank Secrecy Act (BSA) that need to be registered and meet certain requirements. Chainalysis, however, noted in its report that it is “not aware of any bitcoin or Ethereum mixers currently following these rules.”
Notable hacks using crypto blenders
In January, Tornado Cash co-founder Roman Semenov told CoinDesk that privacy protocols “are defending people’s rights to financial privacy.” But some of these mixers have been linked to large-scale hacks and money laundering, and several popular blender tools have already been flagged by the U.S. for their association with cybercrime:
- Blender.io, a bitcoin mixer, was the first of its kind ever sanctioned by the OFAC. The service is said to have been used by North Korean state-sponsored hackers Lazarus Group in a large-scale hack on the online game Axie Infinity in March 2022, resulting in losses of about $620 million. According to the OFAC, Blender.io was used in processing $20.5 million of the illicit funds.
- Helix, a darknet bitcoin mixer, was the first bitcoin mixer penalized by FinCEN in October 2020 for violating anti-money-laundering laws. Larry Dean Harmon, the service’s founder, was ordered to pay a $60 million civil penalty and pleaded guilty to one count of conspiracy to launder monetary instruments. Between July 2014 and its shutdown in December 2017, Helix is reported to have processed 354,468 BTC.
- Bitcoin Fog, another bitcoin mixer, was labeled by the Department of Justice as the “longest-running bitcoin money-laundering service on the darknet.” Dual Russian-Swedish national Roman Sterlingov was arrested in April 2021 and is alleged to have laundered $336 million in bitcoin since the service's launch in 2011.
- Tornado Cash, an Ethereum mixer, was used to launder more than $96 million in malicious funds derived from the June 2022 attack on Harmony’s Horizon bridge, and at least $7.8 million from a hack of cross-chain bridge Nomad, according to the U.S. Treasury Department. In addition, Singapore-based Cryptocurrency exchange Crypto.com was hacked in January, and on-chain data from PeckShield suggested that 4,600 ETH in stolen funds were laundered through Tornado Cash.
Some exchanges, including Paxos, have flagged the use of mixers as a way to ensure users are “not engaged in money-laundering or other illicit activities.”
Ultimately, crypto mixers are a tool that can be used to enhance user privacy and make cryptocurrency transactions more anonymous. This may be helpful for people looking to make their transaction history more private or prefer an added layer of protection from third parties that may have access to their personal information.
Nonetheless, some mixers have long been used by malicious parties to launder money, and may not adhere to regulatory obligations laid out by FinCEN. Some mixers also have a minimum and maximum limit per transaction and can vary in their legitimacy, and ability to obscure financial transactions.
There are alternatives to mixers, including privacy-oriented cryptocurrencies, such as monero, that use stealth addresses, among other measures, to hide the sender, receiver and amount per transaction. Privacy wallets like Wasabi Wallet, which generates a new address for every transaction, can also be used to facilitate private transactions, though Elliptic previously reported that at least 13% of all proceeds from crime in bitcoin, roughly $160 million, were sent through privacy wallets in 2020.