November 18, 2024

Casten Urges Treasury to Address Use of Crypto Mixers to Hide Illicit Activity

Washington, D.C. — Today, U.S. Congressman Sean Casten led six of his colleagues on the House Financial Services Committee in urging the Biden Administration to address the illicit uses of cryptocurrency mixing services, like Tornado Cash, which present serious national security risks. 

“On August 8, 2022, the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for helping to launder more than $7 billion worth of cryptocurrency, including hundreds of millions stolen by North Korean-linked hackers. Despite sanctions, Tornado Cash has remained online and continues to function as decentralized smart contracts,” the lawmakers wrote. “...It is ever important that regulators remain vigilant about North Korea’s use of cryptocurrency to develop nuclear weapons and the role of cryptocurrency in financing terrorist attacks around the world—similarly, Congress must consider ways to respond to such tactics.”

In general, mixers are used to obscure otherwise transparent cryptocurrency transactions on the blockchain, where various users will deposit funds to a mixer address, and the mixer acts as a pool. Users who have contributed to the pool can then generate a new address and withdraw their funds without revealing the link between the depositor and withdrawal addresses. 

In August 2022, OFAC directly sanctioned Tornado Cash pools for helping to launder more than $7 billion worth of cryptocurrency, including hundreds of millions stolen by North Korean-linked hackers. However, the computer code that underpins the Tornado Cash service is still accessible. In the first half of this year alone, Tornado Cash accepted more than $1.8 billion in deposits.

In addition to Rep. Casten, the letter was signed by Reps. Stephen Lynch, Joyce Beatty, Bill Foster, Brad Sherman, David Scott, and Emanuel Cleaver.

A copy of the letter can be found here. Text of the letter can be found below.

Dear Secretary Yellen and Acting Under Secretary Smith:

We write to request additional information about the ongoing use of the cryptocurrency mixing service Tornado Cash after sanctions were imposed in 2022. On August 8, 2022, the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for helping to launder more than $7 billion worth of cryptocurrency, including hundreds of millions stolen by North Korean-linked hackers.1 Despite sanctions, Tornado Cash has remained online and continues to function as decentralized smart contracts.

Tornado Cash operates on the Ethereum blockchain and was initially advertised in 2019 as a “mixer” that “allows you to send Ethereum 100% anonymously using ground-breaking, non-custodial technology based on strong cryptography!”2 Mixers are generally used to obscure otherwise transparent cryptocurrency transactions on the blockchain, where various users will deposit funds to a mixer address, and the mixer acts as a pool. Users who have contributed to the pool can then generate a new address and withdraw their funds without revealing the link between the depositor and withdrawal addresses.3 Similarly, Tornado Cash co-founders Roman Storm and Roman Semenov pitched the service to potential investors in 2020, saying that it “break[s] the on-chain link between recipient and destination address...there is no way to link the withdrawal to the deposit, ensuring complete privacy.”4 It is easy to see why cryptocurrency mixers would be extremely attractive to money launderers, terrorists, sanctions evaders, drug and human traffickers, child abusers, cybercriminals, and other illicit actors.

In March 2022, the Ronin Network, which is tied to the online non-fungible token-based video game Axie Infinity and enables users to move funds between the network and the Ethereum blockchain, was breached.5 The Lazarus Group, a North Korean cybercrime group sanctioned by the OFAC in 2019, stole $620 million worth of cryptocurrency.6 Within days of the attack, the hackers started depositing the proceeds into Tornado Cash. In April 2022, the OFAC designated an Ethereum wallet address, which was at that time holding most of the proceeds from the hack, as blocked property of the Lazarus Group. In response, the Tornado Cash co-founders announced a screen to prohibit deposits directly from the OFAC-designated address; however, as Mr. Storm acknowledged in an encrypted message, the screen was “easy to evade” in the absence of any effective anti-money laundering (AML) or know-your-customer (KYC) procedures. Therefore, the Lazarus Group was able to transfer the stolen funds from the OFAC-designated wallet for a “brief pit stop at a fresh, unsanctioned wallet,” before transacting with Tornado Cash.7 The purpose of this screen was to mislead the public that Tornado Cash was compliant with U.S. sanctions while continuing to allow for and profit from these transactions, according to the Justice Department.

In total, North Korean threat actors funneled $455 million from the Ronin heist through Tornado Cash between April 4, 2022, and May 19, 2022.9 Tornado Cash was subsequently used by illicit actors to launder more than $100 million in cryptocurrency from two separate attacks in June and August 2022, leading the Treasury Department to impose direct sanctions on the Tornado Cash protocol on August 8, 2022.10 In a statement, former Treasury Under Secretary for Terrorism and Financial Intelligence Brian Nelson said that, despite public assurances otherwise, Tornado Cash had “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”11 Like financial institutions, cryptocurrency mixers are required to comply with Bank Secrecy Act (BSA) requirements, including maintaining an effective AML program.

The Treasury Department has sanctioned two other mixers—Blender and Sinbad—for helping North Korean hackers move millions in stolen cryptocurrency.13 Sinbad was also used to obfuscate transactions linked to drug trafficking, the purchase of child sexual abuse materials, and other illicit sales on darknet marketplaces.14 Blender and Sinbad were both centralized or custodial mixers, meaning their operators had complete control over the flow of funds.15 Blender has ceased operations and Sinbad was seized by U.S. authorities.16 In contrast, Tornado Cash is decentralized and utilizes smart contracts that can’t be taken offline in the same way. Tornado Cash’s U.S.-based website was pulled down, though its smart contracts can run indefinitely, and anyone can technically use Tornado Cash at any time.17 The user-friendly website made it easier to utilize the service, though “sophisticated” users can still directly access its smart contracts, according to the Justice Department.

Cryptocurrency mixers present serious national security risks and are used by a variety of illicit actors, including North Korea, Hamas, and the Palestinian Islamic Jihad (PIJ).19 As the Treasury Department has noted, due to the pressure of U.S. and United Nations sanctions, North Korea has resorted to illicit activities, including cyber-enabled heists from cryptocurrency exchanges and financial institutions, to generate revenue for its unlawful weapons of mass destruction and ballistic missile programs.20 Since 2017, North Korean hackers have stolen more than $3.6 billion in cryptocurrency, according to UN sanctions experts.21 Even more alarming, White House Deputy National Security Adviser Anne Neuberger estimated last May that half of North Korea’s nuclear program is funded by cryptocurrency theft and cyberattacks.22 It is ever important that regulators remain vigilant about North Korea’s use of cryptocurrency to develop nuclear weapons and the role of cryptocurrency in financing terrorist attacks around the world—similarly, Congress must consider ways to respond to such tactics.

Increased regulatory attention on mixers has given rise to other methods to conceal the flow of funds, such as the use of privacy coins and “chain hopping” techniques. It has been reported that the overall volume passing through Tornado Cash decreased by 85 percent following the OFAC sanctions.23 However, mixers have seen a “resurgence” in 2024, according to blockchain analytics firm Flipside Crypto.24 For example, in March 2024, the Lazarus Group moved $147.5 million in cryptocurrency through Tornado Cash that was stolen from a hack of the HTX cryptocurrency exchange last November.25 Overall, in the first half of this year, Tornado Cash accepted more than $1.8 billion in deposits, which represents a 45 percent increase compared to all of 2023.26 This problem shows zero signs of going away anytime soon.

In August 2022, then-Under Secretary Nelson affirmed that “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”27 To that end, we request that you answer the following questions and brief our staff by December 2, 2024:

  1. Please provide estimates of the amount of activity, illicit and legitimate, that has passed through Tornado Cash since August 8, 2022.
    1. Please provide estimates of the amount of illicit activity that has passed through cryptocurrency mixers year-over-year.
    2. Please provide an assessment of the role that cryptocurrency mixers play in financing the proliferation objectives of North Korea and other national security threats.
  2. Do the August 2022 sanctions apply to funds that have passed through Tornado Cash multiple transactions back in the chain of transaction history?
  3. Has the Financial Crimes and Enforcement Network (FinCEN) observed an increase in the number of Suspicious Activity Reports (SARs) filed related to Tornado Cash transactions since August 8, 2022?
    1. If so, please provide specific statistics about reports filed that are tied to:
      1. Sanctions evasion
      2. Terrorist financing
      3. Human trafficking
      4. Drug trafficking
      5. Child Sexual Abuse Material (CSAM)
      6. Darknet marketplaces
    2. What processes are in place to refer such reports to OFAC for sanctions violation enforcement?
  4. Is the Treasury Department taking action against persons subject to U.S. jurisdiction that have deposited or accepted mixed funds, directly or indirectly, from Tornado Cash?
    1. If so, how?
  5. Is the Treasury Department taking action against cryptocurrency exchanges for accepting mixed funds, directly or indirectly, from Tornado Cash?
    1. If so, how?
  6. Will the Treasury Department consider imposing secondary sanctions on non-U.S. persons and cryptocurrency exchanges based outside of the U.S. for interacting with mixed funds from Tornado Cash?
  7. When does the FinCEN expect to finalize the Notice of Proposed Rulemaking (NPRM), pursuant to Section 311 of the USA Patriot Act, to require financial institutions to implement certain recordkeeping requirements related to transactions involving cryptocurrency mixers?
    1. Did the FinCEN observe a decrease in transactions involving cryptocurrency mixers following the issuance of the NPRM?
  8. Does the Treasury Department have the tools necessary to enforce full compliance with U.S. sanctions on Tornado Cash?

Thank you for your attention to this important national security matter. We look forward to your response.

Sincerely,
