- The U.S. Treasury Department on Friday lifted sanctions on Tornado Cash, a cryptocurrency mixer previously accused of facilitating money laundering for North Korean hackers
- The decision follows a U.S. appeals court ruling that the Treasury had overstepped its authority in sanctioning the platform
- One of the biggest beneficiaries of the reversal will be North Korean hacking giant Lazarus, which will now be able to launder its stolen funds as easily as before
Of all the beneficiaries of Friday’s decision by the U.S. Treasury Department to remove sanctions against cryptocurrency mixer Tornado Cash, North Korean hacking giant Lazarus is one of the biggest. A U.S. appeals court determined that the Treasury had exceeded its authority in imposing the sanctions, stating that the Tornado Cash code could not be sanctioned, allowing all measures to be removed. Lazarus has laundered over $450 million in stolen funds through the platform, and although the sanctioning of code does indeed represent overreach and shouldn’t have been allowed, the fact remains that this figure is only going to increase.
Sanctions Applied in 2022
Tornado Cash is an Ethereum-based cryptocurrency mixer that allows users to obscure the origins and destinations of their digital assets, enhancing transaction privacy. In August 2022, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, alleging it had been used to launder over $7 billion in virtual currencies since its inception in 2019. This sum included more than $455 million purportedly stolen by the Lazarus Group, a North Korean state-sponsored hacking organization.
The sanctions faced legal opposition from six Tornado Cash users, financially backed by the cryptocurrency exchange Coinbase. They argued that the Treasury’s actions were beyond its statutory authority, particularly since Tornado Cash’s immutable smart contracts could not be considered property under federal law.
In November 2024, a three-judge panel from the Fifth U.S. Circuit Court of Appeals sided with the plaintiffs, stating that OFAC had overstepped its authority. In response to the court’s decision, the Treasury lifted the sanctions on March 21 after reviewing the legal and policy implications.
Hacking Groups Celebrate
While individuals may have gained more privacy over their transactions, the same can also be said for hacking groups who siphon off millions (or, in the case of the Bybit hack, billions) from crypto companies and require an easy method of laundering the funds. The estimated $1.5 billion that flowed through Tornado Cash by hackers and their ilk between 2019 and 2022 is only going to increase now that they have carte blanche to use Tornado Cash again.
Treasury Secretary Scott Bessent emphasized ongoing concerns about North Korea’s cyber activities:
Securing the digital asset industry from abuse by North Korea and other illicit actors is essential to establishing U.S. leadership and ensuring that the American people can benefit from financial innovation and inclusion.
The Treasury also noted that it would continue to monitor transactions that might benefit malicious cyber actors or the Democratic People’s Republic of Korea (DPRK). This development puts the onus back on crypto firms to improve their security.
75% of Tornado Cash Usage is Legal
The core argument against Tornado Cash being used solely for illicit means can be spelt out in the numbers: according to Chainalysis estimates, around $5.5 billion worth of the transactions carried out on Tornado Cash since its launch have been for privacy-focused but legal purposes. These include obfuscating wallet history for privacy reasons, donating to causes anonymously (like during protests or humanitarian crises), and separating on-chain identity from public-facing activity.
The question, therefore, is: are the side effects worth the curative impact? Does the solution provided by Tornado Cash warrant the ease with which North Korea can launder hundreds of millions of dollars for its world-threatening nuclear missile program? The answer is, of course, purely subjective, but looking at it objectively, it has to be no.
