Tornado Cash has banned Lazarus, the North Korean hacking group the FBI says is behind last month’s $600 million hack on Axie Infinity’s Ronin bridge, from using its Ethereum mixing service.
The state-sponsored hacking group, which the U.S. government also holds responsible for the 2017 WannaCry ransomware campaign, is one of 24 addresses banned by the service, which obscures the provenance of Ethereum transactions..
The mixing service announced on April 15 that it blocks addresses sanctioned by the U.S. Office of Foreign Assets Control (OFAC). Tornado Cash accesses the sanctions list through an oracle created last month by blockchain tracking company Chainalysis.
The sanctions list also includes addresses controlled by a Russian ransomware group, an exchange that the U.S. Treasury says helped ransomware groups launder money, and a number of Russian nationals, The Defiant determined after cross-referencing data from Chainlink’s oracle with the OFAC sanction list.
Garantex, an Estonian crypto exchange whose weak anti-money laundering controls attracted high-risk Russian clients, also made the list. So did South Front, a Russian mouthpiece that publishes bogus military analysis, and SecondEye, a Pakistani e-commerce business whose founders the U.S. Department of Justice charged with sold fake IDs.
Maddie Kennedy, head of communications at Chainalysis, told The Defiant that Chainalysis uses its own research to add “other addresses we have identified as associated with sanctioned actors beyond what was included on the SDN list.”
The company alerts its customers, such as crypto exchanges and government agencies, when Tornado Cash indirectly exposes them to sanctioned addresses.
Tornado Cash’s announcement attracted criticism from privacy advocates who believe that blacklisting addresses undermines a technology celebrated for advancing finanical freedom, particularly from government control.
“Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance,” tweeted Tornado Cash on April 15.
“[Financial freedom] should absolutely come at the cost of non-compliance,” tweeted Bruno Skvorc, founder of NFT startup RMRK. “Time to deploy a tornado fork to avoid sanctions,” tweeted another commenter. Tornado Cash could not be reached for comment.
To be clear, Tornado Cash doesn’t prevent blacklisted addresses from interacting with its smart contracts. Instead, it stops those on OFAC’s sanctions list from interacting with Tornado Cash through its website.
The compliance measures “seems par for the course with DeFi regulations, Freddie Raynolds, a pseudonymous DeFi commentator, told The Defiant. Last July, Uniswap blacklisted certain tokens from its front-end.
While traders couldn’t access the tokens through Uniswap’s website, they could still swap the banned tokens through decentralized exchange aggregators or Etherscan.
So, with any luck, an upstart Ethereum developer could fork Tornado Cash’s front end before Lazarus gets around to its next crypto heist.