Tornado Cash

🔴 High Risk

Tornado Cash, a cryptocurrency mixing service launched in 2019, has become a focal point in the intersection of decentralized finance and illicit activities. While designed to enhance privacy by obscuring transaction trails, it was exploited extensively for money laundering, notably by the North Korean state-sponsored Lazarus Group. This misuse exposed significant challenges in regulating anonymous crypto mixers, highlighting vulnerabilities that criminal actors leverage to circumvent sanctions and launder billions of dollars worldwide. The ensuing legal actions against Tornado Cash’s founders mark a critical moment in combating cybercrime and enforcing financial regulations in the digital age.

Tornado Cash is a cryptocurrency mixing service created in 2019 to anonymize crypto transactions by obfuscating their trail on public blockchains. The founders, Roman Storm and Roman Semenov, knowingly operated the platform despite being aware that criminals, including the North Korean state-sponsored Lazarus Group, were laundering stolen cryptocurrency through it. The service facilitated laundering of over $7 billion in virtual currency, with hundreds of millions attributed to the Lazarus Group’s cyber thefts. Tornado Cash failed to implement required AML and KYC controls, effectively enabling criminals to move illicit funds undetected. The U.S. government imposed sanctions on Tornado Cash and its founders, indicted them for money laundering and sanctions evasion, and convicted one founder in 2025. This case highlights critical risks and regulatory enforcement challenges posed by decentralized finance mixing services in cybercrime and international sanctions contexts. It serves as a landmark for prosecuting crypto-based money laundering connected to nation-state threat actors.

Countries Involved

United States, North Korea

Initially reported and sanctioned in 2022; ongoing investigations and prosecutions have continued through 2023 and 2025.

Ethereum (ETH), other virtual currencies mixed on Tornado Cash

Money laundering, sanctions evasion, operation of an unlicensed money transmitting business, aiding cybercriminal activities including state-sponsored hacking.

Tornado Cash co-founders Roman Storm (U.S. resident) and Roman Semenov (Russian national), North Korean Lazarus Group (state-sponsored cybercriminal organization), U.S. Department of Justice (DOJ), U.S. Treasury’s Office of Foreign Assets Control (OFAC), FBI, IRS Criminal Investigation, among others.

No direct involvement of Political Exposed Persons (PEPs) is noted in available information.

Tornado Cash operated as a cryptocurrency mixer service that anonymizes transactions by breaking the on-chain transaction history, making it difficult to trace the movement of funds. This mixing service pooled together large amounts of cryptocurrency from various sources and redistributed them, obscuring the origin and destination of the funds. Despite public assurances, Tornado Cash failed to implement effective controls like Know Your Customer (KYC) registration or Anti-Money Laundering (AML) compliance measures, allowing criminals to deposit and withdraw funds without identity verification. The founders were aware of criminal use, including by the Lazarus Group, and even made internal changes that publicly appeared to comply with sanctions but were knowingly ineffective to stop laundering activities. The service facilitated laundering of billions of dollars, including over $455 million stolen by the North Korean Lazarus Group.

Tornado Cash facilitated laundering of more than $7 billion worth of virtual currency overall since 2019, including approximately $455 million stolen by the Lazarus Group. The DOJ indictment highlights over $1 billion in virtual currency moved by the founders on behalf of criminal actors, with hundreds of millions specifically linked to Lazarus Group activities.

Tornado Cash’s algorithm and mixing protocols effectively severed the blockchain transaction trail by pooling currencies and redistributing them in a manner that makes it nearly impossible to link the funds to their original source. U.S. enforcement agencies investigated and tracked these funds through efforts combining blockchain analytics and traditional investigative techniques. This confirmed that hundreds of millions of dollars of stolen cryptocurrency from North Korean hackers passed through Tornado Cash. The founders’ internal communications revealed their full awareness of laundering activities and sanction violations. These actions helped the Lazarus Group convert illicit crypto proceeds into apparently clean assets and further network their cybercrime operations.

In 2022, the U.S. Treasury’s OFAC sanctioned Tornado Cash, classifying the service as a sanctions-evading virtual currency mixer. DOJ indicted the founders for money laundering, sanctions evasion, and operating without license as a money transmitting business. The FBI and IRS Criminal Investigation were heavily involved in uncovering the criminal use of Tornado Cash. One founder, Roman Storm, was convicted in August 2025 for knowingly transmitting criminal proceeds through the platform, confirming the government’s commitment to prosecuting decentralized finance services facilitating illicit finance. Recently in 2025, there was a reported lifting of some sanctions against Tornado Cash, but the core indictment and convictions remain key precedents. The enforcement actions have drawn attention to AML and sanction risks in decentralized finance platforms and crypto mixers.

FBI News on Tornado Cash indictment and laundering
U.S. Treasury OFAC Sanctions Statement
DOJ press release on Roman Semenov sanctions
Details on enforcement and legal analysis

Tornado Cash
Case Title / Operation Name:
Tornado Cash Money Laundering Case
Country(s) Involved:
Korea, North (North Korea), United States
Platform / Exchange Used:
Tornado Cash (Cryptocurrency Mixing Service)
Cryptocurrency Involved:

Ethereum (ETH), other virtual currencies mixed on Tornado Cash

Volume Laundered (USD est.):
Over $7 billion overall, including approx. $455 million stolen by North Korean Lazarus Group
Wallet Addresses / TxIDs :
Multiple wallet addresses and transaction hashes analyzed by law enforcement; specific addresses related to Lazarus Group laundering identified in DOJ indictments (not publicly enumerated here)
Method of Laundering:

Mixing / Tumblers: Using Tornado Cash’s cryptocurrency mixer service to anonymize transactions by breaking on-chain links, facilitating layering and obfuscating origin and destination of illicit funds without KYC/AML controls

Source of Funds:

Stolen cryptocurrency from state-sponsored cyber theft, primarily from North Korean Lazarus Group hacking campaigns, including ransomware and exchange hacks

Associated Shell Companies:

No publicly known shell companies directly linked; mainly decentralized platform without traditional corporate structures

PEPs or Individuals Involved:

Tornado Cash co-founders Roman Storm (U.S.) and Roman Semenov (Russia); North Korean Lazarus Group (state-sponsored cybercriminal actors); no direct Political Exposed Persons (PEPs) involved

Law Enforcement / Regulatory Action:
U.S. Treasury OFAC sanctions in 2022; DOJ indictment of founders for money laundering and sanctions evasion; FBI and IRS-CI investigations; 2025 conviction of co-founder Roman Storm; ongoing legal precedents in decentralized finance AML enforcement
Year of Occurrence:
2019 (launch of Tornado Cash); 2022 (key sanctions and public exposure); 2023–2025 (ongoing investigations and convictions)
Ongoing Case:
Ongoing
AML Network Risk Rating:
🔴 High Risk
Quick Links:
Popular Pages:
Disclaimer & Legal:
Facebook-f Twitter Youtube
© 2025 AML Network. – All Rights Reserved.