Whenever someone carries out a cryptocurrency transaction, proof of that transaction is encoded into the currency itself. This digital ledger, known as the blockchain, lets crypto users verify the legitimacy—or lack thereof—of transactions by viewing a record of the cryptocurrency wallets that virtual tokens originated from and moved to. However, the blockchain doesn’t name the owners of the cryptocurrency wallets involved in transactions.
Cryptocurrency mixers like Tornado Cash further enhance the level of anonymity by muddying these transaction histories.
To better understand the way a cryptocurrency mixer works, imagine a bank that’s open 24/7. When you use the bank, instead of getting an account of your own, you’re able to make a deposit into one massive, shared account.
Because your money isn’t kept separately from everyone else’s, when you deposit funds, you receive a code that can be used to get them back out later. You can keep that code to yourself or share it with someone you know so that they can pick up the money instead. The choice is yours, but, in either case, the transaction can be carried out anonymously.
The bank tracks how much money enters and leaves the shared account to ensure that no one’s funds get stolen—because the bank would be liable. But it doesn’t track who put in or removed money from the shared account, when they did so, or why.
This is a dramatized example of how a law-abiding citizen could theoretically use a cryptocurrency mixer—which acts as a shared storage unit for virtual currency—to move their tokens in an anonymous, decentralized way.
“It kind of breaks that chain in the transaction history, which is really how you trace cryptocurrency within the blockchain as you see how it moves from wallet to wallet to wallet,” explained Assistant Special Agent in Charge Paul Roberts, who leads the FBI New York Field Office’s Complex Financial Crimes Branch.
Know Your Customer (KYC) and Bank Secrecy Act (or BSA) rules enforced by the Treasury Department’s Financial Crimes Enforcement Network require that cryptocurrency mixers know who exactly is using their services and how, Roberts noted. He likened these rules to the identification requirements and mandatory forms associated with opening a new bank account.
However, Tornado Cash ignored these rules, and the company’s posture allowed criminal actors and organizations like the Lazarus Group to launder money through the service.
“Tornado Cash should have been registered as a money services business and should have been requiring people who are using their service to register those forms,” Roberts said. A criminal syndicate wouldn’t likely admit to opening an account with nefarious intentions, but required paperwork could have at least raised a red flag about the account holder’s identity, Roberts added. And, in theory, Storm and Semenov could have stopped the money laundering before it started.
To further complicate matters, even though the Lazarus Group wasn’t required to complete paperwork to use Tornado Cash, Storm and Semenov still knew the group was using their service, and they allowed it to do so.
“[Storm and Semenov] implemented a change in the service so that they could make a public announcement that they were compliant with sanctions, but in their private chats, they agreed that this change would be ineffective,” the Justice Department wrote. “They then continued to operate the Tornado Cash service and facilitate hundreds of millions of dollars in further sanctions-violating transactions, helping the Lazarus Group to transfer criminal proceeds from a cryptocurrency wallet that had been designated by the Office of Foreign Assets Control as blocked property.”
These actions collectively led to their indictment on charges related to money laundering, defying sanctions, and operating an unlicensed company.