Tornado Cash sanctioned
OFAC sanctioned a smart contract. The privacy-vs-regulation fault line cracked wide open.
In August 2022, the US Treasury's OFAC added Tornado Cash — an immutable, autonomous privacy mixer — to its sanctions list. For the first time, the sanctioned entity wasn't a person or a company. It was code running on a public chain.
The hard questions it forced
- Can you sanction software that no one controls and no one can stop?
- Is writing or publishing privacy code a crime?
- What happens to honest users whose legitimate privacy is now "tainted"?
How a mixer breaks the link
A mixer like Tornado pools many identical deposits, then lets each depositor withdraw to a fresh address using a zero-knowledge proof — proving "I deposited" without revealing *which* deposit was theirs. The on-chain link between source and destination is severed by math, not by a trusted operator. That's exactly what makes it both a privacy tool and a laundering tool: the protocol can't tell the two apart, and no one can switch it off.
many depositors ──→ [ pool of equal notes ] ──→ many withdrawals
                              │  zk proof: "I'm one of them"
                              ↓  (which one? unknowable)
          source address  ✕  destination address

And it went further than the contract: a developer was arrested over writing and maintaining the code, turning an abstract debate — *is publishing software speech?* — into personal legal jeopardy that rattled the entire open-source community.
It split the room. Privacy is a legitimate need; mixers also launder stolen funds. The episode made the regulation-vs-permissionlessness tension concrete and unavoidable, and it's still being litigated — legally and philosophically — today.
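The pooling described under "How a mixer breaks the link", seen from an on-chain observer's side, as an added example that is not part of the original page: for each withdrawal it computes the set of deposits the observer cannot rule out. The event log, the addresses and the names `Event` and `candidate_sets` are constructed for illustration, and the model is a simplification (one fixed-denomination pool, attribution only by elimination or by address reuse).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    block: int    # block height (constructed)
    kind: str     # "deposit" or "withdraw"
    address: str  # depositor, or recipient of the withdrawal

# Constructed event log for one pool of equal notes (not real chain data).
EVENTS = [
    Event(100, "deposit", "0xA1"),
    Event(101, "withdraw", "0xB1"),   # only one note in the pool so far
    Event(105, "deposit", "0xA2"),
    Event(110, "deposit", "0xA3"),
    Event(120, "deposit", "0xA4"),
    Event(130, "withdraw", "0xB2"),   # hides among three notes
    Event(140, "withdraw", "0xA3"),   # recipient is a known depositor
]

def candidate_sets(events):
    """Per withdrawal: which deposits can an observer not rule out?"""
    unattributed, results = [], []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "deposit":
            unattributed.append(ev.address)
            continue
        # The proof shows membership only, so every earlier deposit that has
        # not already been pinned to another withdrawal stays a candidate.
        candidates = list(unattributed)
        # Off-protocol signal: recipient equals a deposit address. This is a
        # heuristic link, not a proof, and is flagged separately.
        reused = ev.address in candidates
        if reused:
            candidates = [ev.address]
        if len(candidates) == 1:
            unattributed.remove(candidates[0])  # pinned; drop from later sets
        results.append({
            "block": ev.block, "to": ev.address, "candidates": candidates,
            "address_reuse": reused,
            "guess_probability": 1 / len(candidates) if candidates else 0.0,
        })
    return results

if __name__ == "__main__":
    for row in candidate_sets(EVENTS):
        print(row)
```

The first and last withdrawals show that the proof alone does not guarantee unlinkability: a pool with a single note, or a recipient address that already appears as a depositor, leaves the observer with one candidate.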