Skip to main content

Second Quarter 2023, 
Vol. 105, No. 2
Posted 2023-04-10

Tornado Cash and Blockchain Privacy: A Primer for Economists and Policymakers

by Matthias Nadler and Fabian Schär


This article explores non-custodial crypto asset mixers such as Tornado Cash. We analyze what types of mixers exist and how they work. We discuss opportunities and risks and offer an approach, based on voluntary disclosure, that would allow financial market regulators to combat money laundering and illicit activities, while allowing honest users to interact with privacy-enhancing protocols. We explain how crypto asset mixers play an important role on public blockchains and that privacy may be difficult to attain without them.

Fabian Schär is a professor for distributed ledger technologies and fintech at the University of Basel and the managing director of the Center for Innovative Finance at the Faculty of Business and Economics, University of Basel. Matthias Nadler is a PhD candidate at the Faculty of Business and Economics, University of Basel. The authors thank Tobias Bitterli, George Fortier, Andrea Glarner, Mitchell Goldberg, Emma Littlejohn, Remo Nyffenegger, Katrin Schuler, Dario Thürkauf, and the editors and referees of the Review.


It is difficult to retain privacy on a public blockchain. In contrast to popular belief, permissionless blockchains are completely transparent. All confirmed transactions are publicly observable and stored as part of the blockchain's history. The users' identities are only protected through the use of addresses that act as pseudonyms. This setup allows public blockchains to operate without any intermediaries and creates a system where everyone can mathematically verify the legitimacy and integrity of transactions as well as the current state of the ledger; but the setup raises severe privacy concerns. 

If someone obtains information that allows them to link a blockchain address to an entity, they may effectively observe that entity's entire transaction history and associated activity. Even if the entity uses multiple addresses, any link between these addresses may expose the fact that they belong to the same person. Moreover, the immutable and public nature of the data creates a setting where the data accrues over time and will always be available for analysis. The algorithms and tools to analyze the data will become more sophisticated, off-chain data more abundant, and computational constraints less relevant. 

To preserve some privacy, many users rely on so-called crypto asset mixers (sometimes also referred to as tumblers or privacy-enhancing protocols). Other ideas for achieving (partial) privacy on public blockchains exist, but crypto asset mixers are currently the most widely used approach. Simply put, the goal of a crypto asset mixer is as follows: Various entities deposit the same amount of a specific crypto asset to a mixer address. The mixer acts as a pool. Anyone who has contributed to the pool may then generate a new address and withdraw their funds without revealing the link between the depositor and withdrawal addresses. To be precise: Third parties can still observe the addresses that have deposited to and withdrawn from the pool, but given a large enough anonymity set (see Section 4.2), those third parties cannot link a specific depositor address to a specific withdrawal address. Thus, crypto asset mixers break the visible link between transactions. 

To provide a simple example, let us assume that Alice has sent a crypto asset to Bob. Bob now knows Alice's public address and may potentially observe her account for other activity. To hide her future activity from Bob, Alice could deposit funds to a crypto asset mixer. In this mixer, the funds are pooled with deposits from Carl and Dave who have also deposited funds in equal denominations. When Alice later uses a different address to withdraw from the pool, Bob will not be able to tell whether the new account belongs to Alice, Carl, or Dave. 

Given the high degree of transparency on public ledgers, there certainly is a legitimate privacy use case for crypto asset mixers. However, there is also strong evidence that crypto asset mixers are being used for money laundering and to hide traces of illicit activities. On various occasions, funds resulting from hacks have been deposited to Tornado Cash. Some of these hacks were allegedly conducted by the North Korean hacker group Lazarus. Estimates by crypto analytics firms suggest that almost 30% of the funds deposited to Tornado Cash have originated from illicit activities.3 These circumstances have led to a lot of regulatory scrutiny.

On August 8, 2022, the U.S. Treasury's Office of Foreign Asset Control (OFAC) placed the Tornado Cash smart contracts on the Specially Designated Nationals and Blocked Persons (SDN) sanctions list, effectively making it illegal for U.S. citizens to interact with the Tornado Cash protocol. The OFAC has added custodial addresses (including custodial mixing services) to the SDN before, but this Tornado Cash sanction is the first time a non-custodial protocol has been targeted. 

The goal of this article is to provide an interdisciplinary introduction to non-custodial crypto asset mixers, to create a foundation for economists and policymakers, and to enable further research at the intersection of privacy and illicit activity. We use Tornado Cash as an example to show how non-­custodial crypto asset mixers work. We collect and present data that may be useful for researchers and policymakers, point toward new regulatory challenges, and present potential solutions to some of the problems. 

Crypto assets in general is a highly interdisciplinary topic. The related topic of non-custodial crypto asset mixers is especially complex, and it is not possible to adequately discuss its challenges and opportunities without some technical background. Since this article is targeted mainly at economists and policymakers, we introduce some of the technical core concepts used in non-custodial crypto asset mixers in the next section. This allows readers without a technical background to understand how the protocol works and follow the analysis and discussion more easily.

Read the full article.