- Tornado Cash said last week that it had blocked the Ronin hackers’ address
- The Lazarus group had washed over $70 million worth of ETH before Tornado Cash blocked them
- However, the group can still use the smart contract associated with the function
Tornado Cash, the Ethereum mixing service favored by crypto hackers, announced on Friday that the addresses associated with the Ronin hackers had been blacklisted as per the US Treasury’s Office of Foreign Assets Control (OFAC), but in reality the move is barely more than a token gesture that will make little real world difference. This is because the hackers can still call the smart contract behind the mixer in order to obscure its funds, while the banning of addresses days after the event smacks of closing the stable door once the horse has bolted.
$70 Million Laundered Before OFAC Ban
The hackers of the Ronin bridge, thought to be the North Korean state-sponsored Lazarus group, began moving some of the 173,600 ETH stolen ETH through Tornado Cash soon after the hack was revealed at the end of March, with tens of millions making their way through the ‘privacy protocol’ in the weeks after the hack was revealed.
It wasn’t until some $70 million had been washed that OFAC listed the Ethereum address associated with the hackers to its list of sanctioned addresses, at which point Tornado Cash announced it stopped the address from “accessing the dapp”, adding that “Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance.”
Tornado Cash uses @chainalysis oracle contract to block OFAC sanctioned addresses from accessing the dapp.
Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance.https://t.co/tzZe7bVjZt— 🌪️ Tornado.cash 🌪️ (@TornadoCash) April 15, 2022
The irony that a company that claims to be committed to compliance took so long to add the hackers’ address to its blacklist when it knew full well where the funds were coming from shows how it was simply paying lip service to the authorities rather than actually giving a damn about preventing stolen funds from making their way to an oppressive regime bent on creating nuclear weapons.
Tornado Cash will of course point to the fact that it acted when the address became official, but the beauty of blockchain technology of course is it is abundantly clear to anyone who actually wants to look that the funds were originating from the Ronin hack.
Tornado Cash Back Door Left Open
If this late stage play isn’t enough to call foul on Tornado Cash’s supposed desire to support compliance, the fact that those with knowledge of such matters (which includes globally recognized hackers) can still access the smart contract associated with it in order to launder their stolen ETH should also be realized – Tornado Cash has barred the hackers from accessing the dApp, not accessing the protocol, which as one Twitter user pointed out is still just as easy for those who know how:
dont worry guys, your favorite hackers will still be able to wash the money they have stolen from you using the smartcontract directly. This just affects the website frontend, contract is permisionless
— anowboat (@anowboat) April 15, 2022
It remains to be seen how Tornado Cash will act if the ETH is moved to another address and then resubmitted to the platform, although its supposed wall of compliance will crumble at the first attempt.
