For years, crypto mixers sat in a legal gray area that terrified regulators and excited privacy advocates. Then came August 2022, when the U.S. government pulled the rug out from under the industry by sanctioning Tornado Cash. It was a shockwave. Suddenly, using a piece of code could get you fined or jailed. But here is the twist most people miss: the story didn’t end there. By March 2025, the rules had flipped again. The smart contracts themselves were delisted, but the developers remained on the hit list. If you are trying to navigate this mess today, you need to understand exactly what changed, why it matters, and where the real risks lie.
What Exactly Is a Crypto Mixer?
To understand the controversy, you first have to understand the tool. A crypto mixer, also known as a tumbler, is a service that breaks the link between your deposit address and your withdrawal address. On blockchains like Ethereum, every transaction is public. Anyone can trace your funds from wallet A to wallet B. Mixers solve this by pooling funds together and shuffling them around before sending them out to new addresses.
Tornado Cash took this concept and baked it into immutable smart contracts. Unlike traditional mixers run by companies with customer support and databases, Tornado Cash was non-custodial. No one held your keys. No one could freeze your funds. Once deployed, the code ran autonomously on the Ethereum network. This design made it incredibly robust for privacy but also a nightmare for regulators who are used to shutting down servers and arresting CEOs.
The core value proposition was simple: financial privacy. Just as you don’t publish your bank statements online, many users wanted to keep their crypto holdings private. However, this same anonymity shielded bad actors. According to data from Chainalysis, roughly 30% of the $7.6 billion processed through Tornado Cash since its 2019 launch came from illicit sources. That statistic became the fuel for the regulatory firestorm.
The 2022 Sanction Shock
On August 8, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) added Tornado Cash to its Specially Designated Nationals and Blocked Persons (SDN) List. This was unprecedented. Previously, sanctions targeted individuals, countries, or specific entities. Here, they targeted software.
The justification was clear to Washington. Tornado Cash had facilitated the laundering of billions of dollars. Notable hacks linked to the protocol included:
- $455 million stolen by North Korea’s Lazarus Group from the Axie Infinity hack.
- $96 million from the Harmony Bridge Heist in June 2022.
- $7.8 million from the Nomad Heist later that year.
By placing the smart contracts on the SDN List, OFAC effectively banned any U.S. person from interacting with those specific Ethereum addresses. This created immediate chaos. Developers who had contributed code to the project faced arrest warrants. Users who simply withdrew their own funds found themselves potentially violating federal law. The message was blunt: if you touch these addresses, you risk severe penalties.
The Legal Battle: Can You Sanction Code?
The sanctions triggered a massive legal challenge. Critics argued that you cannot sanction immutable code. Code does not have a bank account. It cannot be frozen. It simply exists on the blockchain. The case went to court, culminating in a landmark ruling by the U.S. Fifth Circuit Court of Appeals in November 2024.
In Van Loon v. Department of Treasury, the court agreed with the plaintiffs. The judges ruled that OFAC had exceeded its authority under the International Emergency Economic Powers Act (IEEPA). The key finding? Smart contracts do not qualify as "property" or "interests in property." Therefore, the government could not legally seize or block them in the way it blocks assets owned by sanctioned nations.
This decision was a seismic shift. It suggested that while the government could punish humans, it could not outlaw the tools they built, especially if those tools were decentralized and autonomous. The Fifth Circuit remanded the case back to the District Court, instructing them to grant summary judgment in favor of the plaintiffs regarding the smart contracts.
The 2025 Delisting: A Partial Victory
Fast forward to March 21, 2025. Following the appellate court’s pressure, the U.S. Treasury Department officially lifted sanctions against Tornado Cash’s smart contracts. For many in the crypto space, this felt like a vindication. It meant that Americans could once again interact with the protocol without fear of civil penalties from OFAC.
However, do not celebrate too early. The Treasury was strategic. They removed the sanctions from the code, but they kept them firmly on the creators. Roman Semenov, one of the co-founders, remains on the SDN List. The Department of Justice (DOJ) continues to pursue criminal charges against him and his co-founder, Roman Storm. Storm faces three conspiracy charges: money laundering, operating an unlicensed money transmitting business, and violating IEEPA.
This dual-track approach reveals the government’s current strategy. They acknowledge they cannot regulate immutable code directly, so they focus entirely on human accountability. If you use the protocol, you might be safe from OFAC fines, but if you help maintain, promote, or develop it, you are still in the crosshairs of the DOJ.
Comparison: Sanctioned vs. Delisted Status
| Aspect | August 2022 - Nov 2024 | March 2025 - Present |
|---|---|---|
| Smart Contract Status | Sanctioned (Blocked) | Delisted (Unblocked) |
| Developer Status | Sanctioned | Still Sanctioned / Prosecuted |
| User Risk (U.S.) | High (Civil & Criminal) | Moderate (Criminal via DOJ) |
| Legal Basis | IEEPA Property Clause | Post-Van Loon Ruling |
What Does This Mean for Privacy Tools?
The Tornado Cash saga has set a precedent that will echo through the entire decentralized finance (DeFi) sector. It proves that traditional financial sanctions are ill-equipped for blockchain technology. You cannot shut down a server that doesn’t exist. You cannot freeze code that runs on thousands of nodes worldwide.
However, it also warns developers. While the code may be protected, the people behind it are not. The distinction between "building a neutral tool" and "facilitating crime" is thinning. Regulators are now focusing on intent and involvement. If you are building privacy-enhancing technologies, you need rigorous compliance frameworks. You cannot claim ignorance if your tool is predominantly used for illicit activity.
For users, the landscape is more nuanced than ever. Using a mixer is no longer automatically a federal offense in the same way it was in 2023. But mixing funds that are clearly linked to hacks or terrorist financing is still illegal. The burden of proof has shifted slightly, but the risk remains high. Always assume that your transactions are visible to analysts. Privacy tools obscure links, but they do not erase history.
Key Takeaways for Navigating the New Normal
- Code is not property: The courts have established that immutable smart contracts cannot be sanctioned as assets. This protects the infrastructure but not the operators.
- Human liability persists: Developers and promoters remain fully liable under criminal law. Do not confuse regulatory delisting with legal immunity.
- Compliance is complex: Exchanges and wallets must still screen for interactions with previously sanctioned addresses, even if the status has changed. Historical data matters.
- Privacy is not anonymity: Advanced chain analysis tools can still trace flows through mixers. Assume nothing is truly hidden from sophisticated investigators.
The Tornado Cash case is a cautionary tale about the clash between old-world laws and new-world technology. It shows that while regulation can adapt, it often struggles to keep pace with innovation. As we move further into 2026, expect more cases testing the boundaries of developer liability and user privacy. Stay informed, stay cautious, and always consult legal experts before engaging with high-risk protocols.
Is it legal for US citizens to use Tornado Cash now?
As of March 2025, the smart contracts of Tornado Cash are no longer on the OFAC SDN List, meaning direct interaction with the code is not a civil violation of sanctions law. However, criminal charges against developers remain active. Using the service to launder money or evade taxes is still illegal. Consult a lawyer for personal advice.
Why did the Fifth Circuit Court rule against OFAC?
The court ruled that immutable smart contracts do not constitute "property" or "interests in property" under the International Emergency Economic Powers Act (IEEPA). Since OFAC's power derives from controlling property, they lacked the legal authority to sanction the code itself.
Are Roman Semenov and Roman Storm still sanctioned?
Yes. While the smart contracts were delisted, the individuals behind Tornado Cash remain on the SDN List. Roman Storm faces ongoing criminal prosecution by the Department of Justice for conspiracy to money launder and other charges.
How do crypto mixers work technically?
Mixers use zero-knowledge proofs or pooling mechanisms to break the on-chain link between sender and receiver. Users deposit funds into a contract, and later withdraw to a different address. The mixer ensures the output cannot be easily traced back to the specific input, preserving privacy.
Will other DeFi protocols face similar sanctions?
It is possible, but the Tornado Cash precedent makes it harder. Regulators may focus more on centralized points of failure or human operators rather than sanctioning immutable code directly. Protocols with governance tokens or admin keys may be more vulnerable to traditional sanctions.
Yash Lodha
May 23, 2026 AT 17:45the shadows are lengthening over the digital realm and i can smell the rot beneath the surface of this so called victory for privacy advocates
they tell you the code is free but they do not tell you that the eyes in the sky are still watching every transaction with a hunger that never sleeps
i have seen the patterns before when governments pretend to loosen their grip only to tighten it around your throat later
this delisting is a trap designed to lull you into a false sense of security while they build a more sophisticated cage
do you really think they let go of power willingly
the smart contracts may be unblocked but the algorithms tracking your behavior are evolving faster than you can blink
i stay offline mostly because i know the truth about what happens when you trust the system
they want you to use the mixer so they can study how you try to hide
it is all part of the grand design to map every single one of us
be careful out there because the walls have ears and the servers have memories
Jesse Alston
May 24, 2026 AT 23:14Hey everyone 👋 Just wanted to chime in with some practical advice since this topic gets pretty technical
The key takeaway here is that while the civil risk from OFAC has decreased, the criminal risk via the DOJ remains very real for developers 🚨
If you are just a regular user trying to protect your financial privacy, the landscape is definitely less hostile than it was in 2023 😌
However, please remember that using mixers to launder funds from hacks or illegal activities is still a federal crime 🔒
I recommend keeping detailed records of your transactions just in case you need to prove the source of your funds later on 📝
It is always better to be safe than sorry in this space 💪
Let me know if anyone needs help understanding the difference between civil and criminal liability in this context 🤝
Sarah C
May 25, 2026 AT 20:05I appreciate the clarity in this post regarding the distinction between the code and the creators
It helps to understand that the legal framework is adapting rather than collapsing entirely
We should continue to support tools that offer genuine privacy without facilitating illicit activity
This balanced approach allows for innovation while maintaining necessary safeguards
Thank you for sharing these insights as it helps reduce anxiety in the community
Kimberly Herbstritt
May 26, 2026 AT 17:29Actually I think people are celebrating too early here
The fact that the developers are still targeted means the government hasn't given up at all
They just realized they couldn't sanction the code so they went after the humans instead
This is basically the same outcome just with a different legal mechanism
Privacy is still under attack regardless of which entity is doing the attacking
Sharada Vakkund
May 27, 2026 AT 07:01Let's discuss this together because it affects all of us who value financial autonomy
The shift from sanctioning code to sanctioning individuals is a crucial precedent
We need to educate ourselves on how to use these tools responsibly
Community knowledge sharing is essential during times like these
Who else has been following the Van Loon case closely
I believe we can navigate this new normal if we stay informed and united
Sudarshan Anbazhagan
May 27, 2026 AT 13:15one must consider the profound implications of this judicial decision on the broader spectrum of decentralized finance protocols which have long operated in a regulatory vacuum that many experts argue was unsustainable from the outset
the court's ruling that smart contracts are not property is a significant legal nuance that separates the tool from the operator yet this separation does not absolve users of their moral or legal responsibilities when engaging with such systems
it is imperative that individuals understand that the absence of direct sanctions on the code does not equate to a blanket permission slip for any activity conducted through these channels especially those that might indirectly facilitate money laundering or other illicit financial operations
the ongoing prosecution of the founders serves as a stark reminder that human agency remains the focal point of regulatory enforcement even when the technology itself is deemed immutable and beyond direct governmental control
therefore caution and thorough due diligence are not merely advisable but absolutely essential for anyone participating in this ecosystem moving forward
John Gonzalez Bentham
May 29, 2026 AT 09:22typo alert but seriously this whole thing is bs
they say the code is free but they still jail the devs
its a sham
privacy is dead anyway
why bother mixing if they can just trace you anyway
the system is rigged no matter what the courts say
people are stupid for thinking this changes anything
Ellie Riddell
May 30, 2026 AT 01:58how quaint that we think removing a label from a list changes the nature of the beast
the code runs either way whether sanctioned or not
what changed is nothing except the paperwork
you are still watched you are still traced and you are still complicit if you choose to participate
philosophically speaking freedom is an illusion when the observer is omnipresent
so go ahead use the mixer feel free but don't pretend you are invisible
the irony is palpable
Destiny Kilby
May 31, 2026 AT 02:22i find the situation quite troubling despite the legal victories mentioned
the persistence of charges against the developers suggests a continued hostility towards privacy tools
users should remain vigilant as the legal landscape continues to shift unpredictably
it is important to consult with legal professionals before making any decisions
the emotional toll of this uncertainty is significant for many in the community
Jerry CUNNINGHAM SR
June 2, 2026 AT 01:00It is important to maintain a respectful dialogue about these complex legal issues
The distinction between civil and criminal liability is nuanced and requires careful consideration
We should encourage compliance with existing laws while advocating for reasonable privacy protections
Open communication helps bridge the gap between regulators and the crypto community
Let us work together to ensure a fair and transparent environment for all participants
Ashley Rodriguez
June 2, 2026 AT 02:18i read the whole article and it seems like a lot of things have changed but also not really changed at the same time which is confusing
the code is okay now but the people are not okay which makes me wonder if i should use it or not
i guess it depends on what you are trying to achieve with your privacy needs
some people might feel safer now while others might feel more exposed depending on their perspective
it is a complicated situation for sure and probably best to ask a lawyer before doing anything major
Bridget Coogle
June 2, 2026 AT 06:54stay positive everyone
this is progress
we won a battle
keep fighting for privacy
do not give up hope
Zara Zaman
June 3, 2026 AT 10:31this is a disaster for national security
allowing these tools to operate freely invites criminals to exploit our financial systems
the government did right by targeting the developers initially
now they are backtracking and weakening our defenses
we need stricter controls not fewer
foreign actors will take advantage of this loophole
protect our country first