Key insights
- Two Tornado Cash proxy servers were researched, and over their lifetime, 181,164 transactions were carried out, with 7.73% of them directly linked to cybercrime, equating to approximately 13,043 transactions, and the total amount of laundered funds was 144,635 ETH.
- Hackers accounted for 77.73% of the bad actors, followed by scammers at 16.43%, suspended exchanges at 4.51%, and risky services at 1.69%.
- The Tornado Cash team supports users’ right to privacy but recognizes that it can be used for unlawful activities, and it’s suggested that its design could be tweaked to maximize lawful use while minimizing the risk of money laundering and terrorist financing.
- The Compliance tool currently offered by Tornado Cash allows users to view the chain of transactions, but hackers are not interested in displaying this information, and it’s suggested that a similar tool for law enforcement agencies could be created by Tornado Cash to trace transactions in the event of a reported hack or suspicious transaction while maintaining a balance between confidentiality and legality.
The increasing frequency of major hacks in the crypto world, such as the Ronin Bridge attack, made us wonder if bad actors could use Tornado Cash or other mixing services collectively to help each other.
To answer this question, we must understand that Tornado Cash has different smart contracts for mixing different amounts. Wallets for 1 ETH can hardly be used by hackers (although at a certain stage of the money laundering process, they may well be), but they are also utilized by ordinary users to increase the anonymity of their transactions. A 100 ETH wallet can only accept this amount for mixing, given that not many people can use this service.
We have researched 2 Tornado Cash proxy servers with the addresses 0x905b63Fff465B9fFBF41DeA908CEb12478ec7601 and 0x722122dF12D4e14e13Ac3b6895a86e84145b6967, respectively.
Over the entire period of their existence, 181,164 transactions were carried out via these smart contracts. Using GL monitoring and GL vision, the GL Protocol team was able to directly trace the connection between specific cybercrimes and Tornado Cash in 7.73% of all these transactions, meaning about 13,043 transactions were carried out by bad actors. The total amount of laundered funds as a result of these transactions was 144635 ETH.
If we consider the categories of these bad actors, we will see that 77.73% are hackers, 16.43% are scammers, about 4.51% are suspended exchanges, and only 1.69% are risky services that use Tornado Cash for their own purposes. Among the sources we were able to identify, the most prominent were Bitmart’s Hacker, KuСoin Hacker, and Compounder-related Hacks. Therefore, we can assume that bad actors, understanding how the system of Tornado Cash works and taking into account each other’s interests, can cooperate to launder funds obtained by fraudulent means.
There’s an ongoing debate about whether ordinary, law-abiding — but privacy-conscious — citizens are in some sense culpable for facilitating such mixing efforts. Of course, permissionless privacy tools can be used by anyone, by design.
There is always a conflict between privacy and security. Even crypto enthusiasts who use privacy coins asked us to trace some coins when they were stolen.
On one hand, Tornado Cash allows people to maintain their privacy while being able to prove the sources of funds. This is good. But on the other hand, it’s a perfect tool for criminals who would never use the Compliance feature offered by Tornado Cash.
Keeping in mind that Tornado Cash has different smart contracts, we will focus on the smart contract for 1 ETH. One of the typical steps in the laundering of illegal proceeds is splitting: “Dirty” assets are divided into many small streams in order to pass exchange limits without KYC checks, which complicates tracking and blocking. Since there are many other potential users of this smart contract, law-abiding citizens can unintentionally become accomplices of hackers who use it to split up stolen funds.
The Tornado Cash team itself supports users’ right to privacy, stating in their blog, “The Founding Principle of Tornado Cash is that Privacy is a Human Right.” And it is worth noting that this right may be applied to lawful activities. For example, blockchain developers may want to hide the movement of their personal funds (the distribution of their tokens) because they do not want to scare the market (current holders and potential buyers of that token) with FUD. Or developers may want to sell their teams’ distribution tokens for personal financial reasons, or perhaps use them to inject liquidity into another blockchain project they are working on separately.
In general, however, there are far more reasons why cyber criminals might want to use a mixing service than developers who legitimately want to obfuscate the movement of their personal funds.
But how could their design be tweaked to maximize their lawful use for legitimate privacy reasons while minimizing the risk of ML/TF? This is an important question to answer.
For example, Tornado Cash’s Compliance tool allows users to view the chain of transactions. But hackers are not interested in displaying this information. Perhaps Tornado Cash and services like it will create a similar tool for law enforcement agencies, which could be a temporary or permanent way to trace transactions in the event of a publicly reported hack or a suspicious transaction. This tool wouldn’t apply to external blockchain analytics but would provide new opportunities for law enforcement. Such an approach will maintain a balance between the confidentiality that Tornado Cash and similar services strive for and the legality that law enforcement agencies require.