OFAC, the DPRK and the Tornado of Cash

Cryptocurrency thefts of less than $5 million rates little more than a mention on Web3 is Going Great.  Cryptocurrency thefts of less than $50 million are only noted in the cryptocurrency press. But a $600 million theft attributed to North Korean (DPRK) government hackers gets attention and U.S. sanctions.

But there is an additional target for the Office of Foreign Asset Control (OFAC): the mixing service Tornado Cash has already received some $100 million of the stolen cryptocurrency Ethereum and is a key feature of almost every major recent cryptocurrency theft. The Tornado Cash system needs to be sanctioned to prevent the DPRK from profiting from the theft.

On March 23, hackers now identified by the FBI as the North Korean government hacking team the “Lazarus Group,” broke into the computers controlling the Ronin Blockchain Bridge. The basic idea of the bridge is that the Ethereum blockchain is simply too congested, expensive, resource intensive and slow to support a significant number of transactions.  

As a result, the developers of the Axie Infinity “Play-to-Earn game” (really, much more of a Ponzi scheme than an actual game) created the “independent” Ronin blockchain to run their game. In order to tie the Ronin blockchain to the Ethereum network they need a bridge—a system that accepts Ethereum deposits and returns equivalent tokens on the Ronin blockchain, and which can also accept those Ronin-based tokens and return normal Ethereum. The North Korean hackers broke into the computers controlling the bridge and used this access to steal all the deposited Ethereum, which has a notional value of over $600 million.

Of course, laundering $600 million is no small task. Fortunately for the DPRK’s hackers, the cryptocurrency community generally believes that financial anonymity is a feature and so have developed mixing services, commercial services that deliberately mingle funds to hide their origins. In the past, the operators of these services have faced arrest and prosecution. So, some in the Ethereum community decided to make a “decentralized” version called Tornado Cash, under the assumption that through decentralization those responsible for developing, operating and profiting from this system won’t be arrested unlike the operators of previous mixing services.

Tornado Cash operates by having a series of pools of Ethereum or other cryptocurrencies controlled by a smart contract, a program deployed on the underlying blockchain. One can deposit a fixed amount, such as 100 Ethereum (approximately $300,000) into the 100 Ethereum pool. The pool represents a collection of Ethereum cryptocurrency on deposit with Tornado Cash’s smart contract measured in units of 100 Ethereum each. This depositing process occurs through a smart contract that then returns a digital receipt. Any individual can then take the receipt at a future date and withdraw that 100 Ethereum minus a small fee for the service. Since 100 Ethereum is a lot there are separate pools for smaller units such as 1 or 10 Ethereum.

The withdrawal process is accomplished using zero-knowledge proofs. The person withdrawing proves to the pool’s contract that they have a valid receipt for a corresponding deposit and that this valid receipt has not yet been used, but it does not provide proof of which deposit it corresponds to. This allows someone to withdraw from the shared pool without linking it to their particular deposit.

The Tornado Cash developers provide a web interface to make the system easier to use but this interface is not an essential feature, a user of Tornado Cash can interact directly with the smart contracts, bypassing any limitations applied by the Tornado Cash website.

There is an additional feature of the Tornado-cash receipt: it can prove the origin of the funds and enable traceability through the pool. After a receipt is redeemed, it can then be used to link the deposit and withdraw, which both show that the deposit was legitimate and if publicized it removes that deposit and withdraw from the set of transactions used to hide all other transactions.  

Until redeemed, the receipt needs to be secret as it enables someone who knows the receipt to execute the withdrawal. But after the withdrawal is complete, the receipt is safe to publish and anyone who has a copy of the receipt can use it to link the deposit and the withdrawal, eliminating the anonymity from the otherwise anonymous withdrawal. So instead of being a unit of Ethereum of unknown provenance that could correspond to any prior deposit, the Ethereum can be traced as having come from a particular deposit into the Tornado Cash pool.

Of course, the large Tornado Cash pool is used for a diverse array of criminal activities (just search “Tornado Cash” on Web3 is Going Great). For example, on April 19, Beanstalk finance (developers of the ‘Magic Beans’ stablecoin) suffered a smart-contract hostile takeover that netted the attackers nearly $80 million in stolen assets. Here, an attacker took advantage of a ‘feature’ in the smart contract to vote themselves all the underlying assets in the liquidity pool. Since some in the cryptocurrency consider it theft, the attacker chose to process his funds through the Tornado Cash mixer, joining the DPRK’s Ethereum already sent in the pool.

As of early May, the DPRK has already transferred 37,000 Ethereum, or roughly $100 million, to Tornado Cash. Since the Tornado Cash 100 pool has a current balance of 172,000 Ethereum, the DPRK’s stolen loot now represents 20 percent of the balance held by this smart contract.

And although the Tornado Cash operators have changed their easy to use web interface to prevent further deposits, there is nothing that prevents the DPRK from bypassing the web interface to add more Ethereum. The smart contract itself deliberately provides no mechanism by which it can prevent the inclusion of known dirty money and, by design, can’t tell the source of funds being withdrawn.  

So the “sanctions compliant” activity performed by the operators of Tornado Cash by changing their web site is really window dressing, a way of claiming to limit money laundering in a way that actually can’t limit the use for money laundering. The web redesign can only make it more annoying for an individual to add known dirty money to the pool but it can’t actually prevent the deposit nor control the withdrawals.

It is also clear that, in practice, Tornado Cash is not enforcing sanctions. Take for example this wallet.  This wallet was funded, to the tune of 18,256 Ethereum (roughly $50 million) on April 19 from the sanctioned DPRK wallet. On April 28 and 29, the Ethereum was moved on to Tornado Cash! So on April 28, 12 days after OFAC issued its sanctions, Tornado Cash accepted known dirty Ethereum from the DPRK. Whether this was processed directly by the smart contract or through the web interface is unknown.

But an important feature of Tornado Cash’s anonymity model is anonymity only works in a crowd. In technical terms this is called the “Anonymity set,” the number of possible options that an “anonymous” entity could actually be. If the DPRK’s stolen assets were the only Ethereum in the pool then Tornado Cash would offer no anonymity. So every other participant in Tornado Cash, by adding to the anonymity set, is acting to hide not only themselves but for all other participants’ money, including the DPRK’s stolen assets.

OFAC should consider a creative sanction against Tornado Cash, particularly the 100 Ethereum wallet.  This wallet itself should be listed as a sanctioned entity because it is known to be hiding a large amount of the DPRK’s stolen cryptocurrency. Tornado Cash itself has no way to prevent the DPRK from withdrawing from the pool anonymously, and can not prevent further deposits by the DPRK which bypasses the web interface.

All others who participate in this pool are acting to help hide the DPRK’s ill-gotten gains since they are all contributing to the anonymity set in which the DPRK is hiding. Any withdraws by Tornado Cash users after March 23 are thus contaminated by the DPRK unless the withdrawer publicly discloses the receipt.

Public disclosure of the Tornado Cash receipt allows the user to prove that not only is their cryptocurrency not from the DPRK’s theft but that the DPRK’s cryptocurrency is no longer mixed and hidden using their cryptocurrency. The practical effect of analyzing the mixed Ethereum would be as if the deposit never happened, removing it from the anonymity set. This would then enable distinguishing the DPRK’s withdrawals from other withdrawals.

Any legitimate users of Tornado Cash should have no problem meeting this requirement. After all, they were seeking a form of financial privacy—the ability to anonymously move units of $300,000—which the normal financial system deliberately does not tolerate. Tornado Cash was designed so that an honest user of Tornado Cash, when questioned, could show that it was honest Ethereum by presenting the receipt.

All the other criminals can still withdraw just at the cost of eliminating themselves from the anonymity set. So instead of being able to say “Here is 100 Ethereum, it is probably criminal but you don’t know what crime it was from” it is instead “Here is 100 Ethereum from this particular event.”

OFAC’s sanctioning of this mixing service directly will not only disrupt the DPRK’s criminal activities but the larger ecosystem of criminals that use Tornado Cash to launder ill-gotten gains. So by making it clear that Tornado Cash 100 Ethereum itself is a sanctioned entity, and that all withdrawals after March 23 must be considered contaminated by the DPRK’s money unless proven otherwise, this will seriously disrupt the DPRK’s ability to extract their funds. The additional disruption of many other criminals would just be an excellent case of collateral damage.