Outline

On August 8, 2022, U.S. Department of the Treasury sanctioned virtual currency mixer Tornado Cash, due to its involvement in money laundering activities.

In this report, we are taking a look at why Tornado Cash has been sanctioned and its user activities while it was active.

Addresses That Are Still Using Tornado

In order to find out the unique addresses that are still using Tornado Cash, we filtered our those addresses that interacted with this service after August 9, 2022, which was a day after the sanctions’ announcement on August 8, 2022.

We can see that 157 unique addresses interacted with Tornado Cash even after the sanctions.

Addresses With Most Interactions

Next, we want to know who were the addresses with the most number of transactions. The following table and the figure shows the addresses that have interacted with Tornado Cash at least 50 times since 2019.

Our observations:

• The address with highest number of interactions, performed 11,188 transactions using Tornado Cash.
• The number of interactions gradually reduces from top to bottom. This means there is small gap between them, and it is hard to pick a significant outlier.
• The top 10 addresses are responsible for about 37% of the transactions (among addresses with at least 50 transactions using Tornado Cash).

References

[1] U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash [2] Cyber-related Designation | Tornado Cash Blocked Addresses [3] eurospider | What is a cryptocurrency mixer? [4] AlJazeera | US announces sanctions against currency mixer Tornado Cash

What is Tornado Cash?

Tornado Cash is a virtual currency mixer or tumbler. A mixer is a service that mixes different streams of potentially identifiable cryptocurrency. This improves the anonymity of transactions, as it makes tokens harder to trace. The token owner transfers the money to the mixing service, which mixes it with that of other users and transfers the mixed currency to the desired address, meaning there is no connection between the original transaction and this address. The transaction amounts can be chosen at random so that the transaction is made up of many small partial payments spread over a longer period of time. The mixing service usually charges a fee of between 0.25 and 3% of the amount to be mixed [3].

Why was Tornado Cash Targeted by U.S. Government?

Since its creation in 2019, Tornado Cash was used to launder more than 7 billion dollars worth of cryptocurrencies, involving:

• Money stolen by the Lazarus Group, a hacking group backed by Democratic People’s Republic of Korea
• Malicious cyber actors’ funds derived from the Harmony Bridge Heist
• Funds derived from Nomad Heist

Brian E. Nelson, the Under Secretary of the Treasury for Terrorism and Financial Intelligence said: “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”

Why Might an Address Interact with the Service?

There are different reasons as in why would an address interact with Tornado Cash and it depends whether an address has a malicious intent or not.

• If an address does not have a malicious intent, it might interact with a cryptocurrency mixer, e.g. Tornado Cash, to preserve its full anonymity, since though we cannot easily detect who controls an address, we can track its in-flow and out-flows. But a mixer prevents public from gather such information.
• But for an address with malicious intents, such as money laundering or criminal intents, Tornado Cash can be used to clean the track of dirty money. In North Korea case, it has been suspected that the money collected from Tornado Cash has been used in the missile programs.

Conclusions

• We have found that Tornado Cash were used as a medium to launder money.
• 157 addresses kept using Tornado Cash, even after the announcement of sanctions.
• Stable coins, specially DAI and cDAI were among the most transferred tokens.

Contact Information

You can find me at:

Discord: simplyfarzad#9366

Twitter: @SimplyFarzad

User Behavior Analysis

Now, we want to group users based on their frequency of transactions and the tokens they interacted with and analyze their behaviors.

Users’ Behavior Based on Number of Transactions

The figure on the right shows the distribution of users based on their number of interactions/transactions they had with the Tornado Cash.

We can see that almost all users, 99.1% of them, performed less than 50 transactions on Tornado Cash. Very limited number of addresses had more than 1000 transactions on Tornado Cash.

Users’ Behavior Based on Volume of Tokens

Next, we want to know how did the addresses leverage different tokens on Tornado Cash (we removed the invalid volumes).

Our observations:

• We can see that cDAI and DAI are the most transferred tokens on Tornado Cash with a high gap.
• cDAI and DAI are responsible for 2.917 billion dollars that were transferred on Tornado Cash.
• Of 10 tokens, 5 are stable coins, namely DAI, cDAI, USDC, cUSDC and USDT.

The second figure shows the distribution of tokens vs. the number of transactions, unique senders and unique receivers.

Our observations:

• DAI had the most number of transactions, and equal number of sender and receivers.
• cDAI, though with a high volume, had a really low number of transactions and senders and receivers. This can signal malicious activity.
• WETH has a high number of transactions and senders but low number of receivers, sort of like a sink.
• WBTC, USDT and USDC also had a high numbe