Tornado Cash and Crypto Mixers: Privacy, Legality, and Risk

In March 2025, the U.S. Treasury reversed sanctions on Tornado Cash after the Fifth Circuit Court ruled it had exceeded its authority by targeting immutable smart contracts. While this landmark decision affirms that decentralized code is not “property” under current law, ongoing prosecutions of Tornado’s developers underscore unresolved tensions between privacy rights and anti-money laundering enforcement. With nearly $2 billion in deposits flowing through Tornado Cash in early 2024 alone, the platform remains central to debates on financial autonomy, legal accountability, and the future of crypto regulation.

• Legal Precedent: Treasury dropped sanctions in March 2025 after the Fifth Circuit ruled immutable code cannot be sanctioned under IEEPA.
• Developer Liability: Roman Storm faces U.S. charges, while co-founders Pertsev and Semenov remain under legal and sanctions pressure.
• Legitimate Uses: Mixers protect business confidentiality, activist funding, and DeFi traders against front-running—beyond illicit finance concerns.
• Costs & Risks: Users face fees, tax reporting duties, and governance vulnerabilities despite Tornado’s immutability.
• Regulatory Outlook: Sanctions lifted on code, but regulators signal focus will shift to user behavior—likely requiring new legislation in 2025 and beyond.

In March 2025, the U.S. Treasury Department reversed its sanctions on Tornado Cash, a decentralized cryptocurrency mixer that had been blacklisted since August 2022. This decision came after a ruling by the U.S. Fifth Circuit Court of Appeals, which determined that the Treasury had exceeded its legal authority by sanctioning immutable smart contracts that are not controlled by any individual or entity.

The decision has reignited a major debate in the crypto community: how to balance privacy rights with anti-money laundering (AML) and national security efforts. Even during its sanction period, Tornado Cash processed nearly $2 billion in deposits in the first half of 2024, demonstrating its continuing relevance. Now, as co-founder Roman Storm trial winds to a close, the platform sits at the center of a growing conversation about financial privacy, legal boundaries, and decentralized governance.

What Is Tornado Cash?

Tornado Cash is a decentralized, non-custodial privacy tool built on Ethereum, using zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) to break the on-chain link between sender and recipient. Users deposit ETH or other ERC-20 tokens into a pool and later withdraw them to a different address, obscuring transaction history.

Unlike centralized mixers, Tornado Cash is governed by smart contracts that are immutable and open source. Since launching in 2019, it has handled over $7 billion in cryptocurrency transactions, making it one of the most widely used privacy protocols in the blockchain ecosystem.

Legal Background and Sanctions Reversal

The Office of Foreign Assets Control (OFAC) initially sanctioned Tornado Cash on August 8, 2022, alleging its use by the Lazarus Group, a North Korean state-sponsored hacking organization. According to OFAC, more than $455 million in stolen funds had been laundered through the platform, including assets from the Ronin Bridge exploit.

This unprecedented sanction, targeting open-source code, prompted backlash. In 2023, advocacy groups supported a lawsuit challenging OFAC’s authority, arguing that immutable smart contracts don’t constitute “property” under the International Emergency Economic Powers Act (IEEPA).

In November 2024, the Fifth Circuit Court ruled in favor of Tornado Cash’s defenders. It concluded that the smart contracts could not be sanctioned under current law because they were not controlled by any specific party. Rather than appeal, Treasury dropped its sanctions in March 2025, acknowledging the “novel legal and policy issues” involved.

Legal Pressure on Developers

Despite the protocol being de-sanctioned, legal action against its creators continues. Roman Storm is facing criminal charges in the U.S. for money laundering and violating sanctions laws. His trial is expected to conclude soon.

Another Tornado Cash developer, Alexey Pertsev, was sentenced to over five years in a Dutch court but was released in February this year.  while Roman Semenov remains individually sanctioned by OFAC and is wanted by the FBI.

These cases are critical in defining the line between writing decentralized code and being legally accountable for how others use it.

Legitimate Use Cases for Crypto Mixers

Privacy tools like Tornado Cash are often portrayed as gateways to illicit finance, but they also serve essential roles in safeguarding digital autonomy. For example, businesses can use them to protect confidential transactions such as mergers or competitive investments.

High-net-worth individuals benefit from financial anonymity that protects against threats like theft or extortion. In regions under authoritarian rule, activists and whistleblowers rely on tools like Tornado Cash to receive donations and communicate securely.

In decentralized finance (DeFi), traders use mixers to prevent front-running or MEV attacks, where bots exploit public transaction data for profit. Even for average users, mixers offer basic financial privacy, comparable to the confidentiality expected in traditional banking systems.

Cost Considerations

When using privacy protocols like Tornado Cash, users face multiple forms of cost:

• Protocol Fees: Platforms like Wasabi Wallet charge 0.3%, while others range between 1%–3%.

• Gas Fees: Ethereum network congestion can drive costs higher than mixer fees.

• Time Delays: Transactions may take hours or days to complete for anonymity.

• Opportunity Cost: Locked funds cannot be traded or used for staking/yield generation.

• Exchange Risks: Centralized platforms may flag, freeze, or close accounts linked to mixers.

• Tax Complexity: Even anonymous transactions must be accurately reported under tax law.

Security, Trust, and Technical Risks

Although Tornado Cash’s contracts are immutable, the platform is not without risks. Smart contracts, despite undergoing multiple audits, can still contain undiscovered vulnerabilities.

The protocol’s decentralized nature also means its user interface can be targeted. In fact, during the 2022 sanctions period, Tornado Cash’s website and GitHub repository were taken offline, though its smart contracts remained live on-chain.

Moreover, in May 2023, Tornado Cash’s DAO governance system was exploited by an attacker who gained control through a malicious proposal, highlighting governance risks even in decentralized systems.

Alternatives to Tornado Cash

Since the original sanctions, privacy-minded users have explored new options:

• Cyclone Protocol: Tornado-inspired, with multi-chain support.

• RAILGUN: zk-SNARK-based private DeFi protocol, publicly endorsed by Vitalik Buterin.

Privacy coins like Monero and Zcash remain popular but face increasing exchange de-listings due to regulatory pressure.

Regulatory Outlook in 2025

The Tornado Cash ruling marks the first time OFAC has lifted sanctions on a cryptocurrency protocol, acknowledging the limits of existing legal tools. The court’s decision set a precedent by clarifying that autonomous code is not equivalent to people or property.

Still, Treasury made it clear that it remains committed to pursuing individuals who use such protocols for illegal purposes. Regulators may now shift from targeting code to targeting behavior, suggesting that future regulation may require new legislation rather than reinterpretation of outdated frameworks.

Conclusion: Privacy at a Crossroads

The Tornado Cash case is a landmark in digital privacy and decentralized technology. By lifting sanctions, the U.S. government tacitly acknowledged the complexity of regulating immutable, decentralized systems. At the same time, the prosecution of Tornado’s developers shows that authorities are still grappling with how to apply existing laws to new technologies.

As blockchain surveillance expands and transparency becomes the norm, privacy tools like Tornado Cash may become essential, not just optional, for users looking to protect personal and financial freedom. Whether through legal reform or precedent-setting court cases, the future of financial privacy will likely depend on our ability to reconcile personal rights with global compliance efforts.