Somewhere Over the Tornado
Tornado Cash is one of the most popular "mixers," enabling anonymous crypto transfers. Where does the money go?
TornadoCash is a controversial decentralized protocol used to hide links between wallets on the blockchain. In theory, TornadoCash provides totally anonymous transfers, using a simple process:
Accepts transfers of Ethereum (or USDC, DAI, etc.)
Mixes it all together
Throws it out to withdrawing wallets
While ostensibly a “privacy service,” in practice TornadoCash is frequently used to launder proceeds from crime. Notable examples include the recent $625 million Axie Infinity hack, a large hack of OpenSea customers, and routine use by the infamous Michael Patryn (0xsifu) of QuadrigaCX and Wonderland fame. It is worth noting that crypto mixers are considered illegal in the United States and other jurisdictions.
TornadoCash sees an enormous amount of volume, with hundreds of wallets interacting on both ends of the mixer each month. While it is not currently possible to track funds through TornadoCash, it is possible to follow all of the funds that go into, or out of, the mixer. We became interested in examining where the money goes once it comes out of the Tornado.
To understand where the money goes, we examined transfers out of the “TornadoCash 100 Eth” contract, which is used to withdraw funds in 100 Ether chunks from the mixer to “clean” wallets. Over the 28-day period we examined (3/9/22 - 4/6/22), 91,300 Eth ($292 million at most recent price) were transferred out. To simplify our analysis, we focused on wallets that had four or more withdrawals from TornadoCash over the period. Fifty-five wallets had >=4 transfers, accounting for slightly more than half of the total withdrawals (46,300 Eth).
Next, we examined the downstream activity of these wallets to see where the transferred Ethereum ended up. Based on this activity, we observed 6 main categories of activity:
Swaps
Approximately 23% of the Ether transferred out of TornadoCash over the last month ended up being used in swap activity on decentralized exchanges (DEX). The most popular DEX was the 1inch platform, accounting for ~90% of the total swaps.
In the majority of cases, each wallet used the same tactic, swapping Ether to obtain wrapped Bitcoin. The “renBTC” wrapped Bitcoin token was particularly popular. After purchasing renBTC, the wallets then burned those tokens, ostensibly to receive Bitcoin in a new wallet. Essentially, this tactic enables swapping funds from the Ethereum blockchain to a different blockchain, further obfuscating the origin of those funds.
Avalanche Bridge
After swaps, transfers of Ethereum to the Avalanche bridge were the second-largest category, accounting for 22% of the Ether we tracked. In every instance, the wallet received Ether from TornadoCash, swapped it for Wrapped Ether, then transferred it to Avalanche. This is another approach to moving funds off-chain to prevent further tracking.
“Stashed”
Approximately 21% of the Ether we tracked out of TornadoCash is still sitting in wallets on the Ethereum chain.
Group A
“Group A” refers to two wallets that were the largest and second-largest recipients of Ether from TornadoCash. Both wallets swapped funds from Ether to Tether (USDT), then transferred the USDT out to a shared downstream wallet.
From there, the funds were transferred out to a number of different wallets. Notably, $3.1 million USDT ended up at the FTX exchange, with an additional $2.9 million to Binance.
Other CEX Transfers
These were not the only wallets to send funds to centralized exchanges (CEX). In addition to Group A, seven other wallets sent a total of 5100 Ether to Binance, Gate.io, HitBTC, and AscendEx. The three wallets that sent transfers to Binance were linked in the same manner as Group A, suggesting they are controlled by the same individual or group.
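The linking heuristic used for Group A and the Binance-bound wallets (several mixer recipients paying into one shared downstream wallet) can be sketched as follows. This is an added example, not the authors' code; the addresses, the transfer list and the `SERVICES` set are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample transfers: (sender, recipient, token, amount)
TRANSFERS = [
    ("0xA1", "0xHUB1", "USDT", 9_000_000),
    ("0xA2", "0xHUB1", "USDT", 7_500_000),
    ("0xB1", "0xHUB2", "ETH", 400),
    ("0xB2", "0xHUB2", "ETH", 300),
    ("0xB3", "0xHUB2", "ETH", 300),
    ("0xC1", "0xBINANCE_HOT", "ETH", 500),
    ("0xA1", "0xBINANCE_HOT", "USDT", 100),
    ("0xD1", "0xSOLO", "ETH", 200),
]
TRACKED = {"0xA1", "0xA2", "0xB1", "0xB2", "0xB3", "0xC1", "0xD1"}
# Shared service addresses (exchange hot wallets, bridges, DEX routers) are
# used by unrelated parties, so they must never count as a link.
SERVICES = {"0xBINANCE_HOT"}

def link_by_shared_downstream(transfers, tracked, services):
    """Group tracked wallets that pay into the same private downstream wallet."""
    parent = {w: w for w in tracked}

    def find(w):  # union-find root lookup with path halving
        while parent[w] != w:
            parent[w] = parent[parent[w]]
            w = parent[w]
        return w

    senders_by_dest = defaultdict(set)
    for sender, dest, _token, _amount in transfers:
        if sender in tracked and dest not in services and dest not in tracked:
            senders_by_dest[dest].add(sender)

    # Every wallet feeding one destination joins the same group
    for senders in senders_by_dest.values():
        first, *rest = sorted(senders)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for w in tracked:
        groups[find(w)].add(w)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

A shared downstream wallet is evidence of common control, not proof; the service exclusion list decides how many false links the heuristic produces.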
The rest
The remaining 7% of funds we tracked ended up in some interesting places. 1,000 Eth was transferred from two wallets to this wallet. Unfortunately, we were unable to determine who controls this wallet given its high level of activity. Another 398 Eth was sent to this wallet, which then proceeded to buy a “Bored Ape Yacht Club” NFT as well as several “Mutant Ape Yacht Club” NFTs. Another 800 Eth was transferred to the “liquity” DeFi protocol.
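The method behind these percentages (keep recipients with four or more withdrawals from the 100 Eth pool, then attribute each wallet's outflow to a category and count the remainder as stashed) is shown below. This is an added example, not the authors' code; the wallets, outflow labels and the rule capping outflows at the mixer-sourced amount are constructed assumptions.

```python
from collections import Counter, defaultdict

NOTE_ETH = 100        # the "100 Eth" contract pays out fixed 100 Ether chunks
MIN_WITHDRAWALS = 4   # threshold used in the article

# Constructed sample: one recipient address per withdrawal event
WITHDRAWALS = ["0xW1"] * 6 + ["0xW2"] * 4 + ["0xW3"] * 5 + ["0xW4"] * 3 + ["0xW5"] * 2

# Constructed downstream outflows: (wallet, destination category, Ether)
OUTFLOWS = [
    ("0xW1", "swap", 450), ("0xW1", "cex", 100),
    ("0xW2", "bridge", 400),
    ("0xW3", "swap", 200),
    ("0xW4", "cex", 300),  # wallet is below the threshold, so it is ignored
]

def heavy_recipients(withdrawals, min_count=MIN_WITHDRAWALS):
    """Map each wallet with >= min_count withdrawals to the Ether it received."""
    counts = Counter(withdrawals)
    return {w: n * NOTE_ETH for w, n in counts.items() if n >= min_count}

def tracked_share(withdrawals, received):
    """Fraction of all withdrawn Ether that went to the selected wallets."""
    return sum(received.values()) / (len(withdrawals) * NOTE_ETH)

def category_shares(received, outflows):
    """Percentage of tracked Ether per category; unspent Ether is 'stashed'."""
    totals, spent = defaultdict(float), defaultdict(float)
    for wallet, label, eth in outflows:
        if wallet in received:
            # Assumption: never attribute more than the wallet got from the mixer
            moved = min(eth, received[wallet] - spent[wallet])
            totals[label] += moved
            spent[wallet] += moved
    for wallet, eth in received.items():
        totals["stashed"] += eth - spent[wallet]
    tracked = sum(received.values())
    return {label: round(100 * eth / tracked, 1) for label, eth in totals.items()}
```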
If mixing is illegal…
Our analysis demonstrates that at least 45% of the funds we tracked from TornadoCash were subsequently moved off-chain. While we can’t be certain of the intentions, it seems plausible this is a further effort to prevent analysts (and law enforcement) from tracking these funds. The amounts here are not small: we estimate that at least 10% of Ether transfers into Avalanche during this 28-day period came from the wallets we identified. Based on daily trading volumes, it appears that TornadoCash funds are a significant portion of the daily activity on the 1inch DEX as well.
Even more egregiously, centralized exchanges allowed over $20 million in transfers of TornadoCash-washed funds in this period, just from the subset of wallets we evaluated. How can an exchange claim to perform KYC/AML procedures when accepting funds from a mixer?
Our analysis of TornadoCash transfers shows that mixers are only one step in the process for laundering crypto assets. Moving funds between different blockchains is another approach, and DEXs, CEXs, and protocols like Avalanche are all complicit in this activity. With law enforcement agencies already probing mixers like TornadoCash, we believe these protocols and firms will not be far behind.
another great write-up, thanks