After you sanction mixers, where does criminal crypto activity go?

Tara Annison
9 min read · Jun 9, 2023


Made with Midjourney

As long as DeFi dApps are exploited, scammers scam, and exchanges get hacked there will be a need for crypto criminals to launder the proceeds of crime so that they can eventually convert it into fiat. After all, cash is still king when it comes to crime.

The go-to destination for criminals trying to obfuscate the source and destination of their illicit funds has primarily been mixers — services which pool your crypto together with that of a large number of other users and mix it all up, which makes linking the ‘deposits’ and ‘withdrawals’ together very challenging (read: mostly impossible).

The mixer of choice used to be Tornado Cash, a decentralised mixer with a user friendly interface and billions of dollars worth of funds passing through the service since its inception in August 2022.

Whilst there are many legitimate users of mixers (which I’ve previously written about here: https://www.linkedin.com/pulse/what-legitimate-use-cases-using-mixer-tara-annison/?trk=pulse-article_more-articles_related-content-card), crypto compliance firm Elliptic’s analysis shows that at least $1.54 billion in proceeds of crime from thefts, hacks and fraud has been laundered through Tornado Cash. Included within this are funds such as the $600m Ronin bridge hack perpetrated by North Korea’s Lazarus group.

However, Tornado Cash was sanctioned by OFAC in August 2022, and therefore any individual or entity who interacts with it is in violation of international sanctions laws — a heavy risk for those just seeking to use it for privacy-preserving reasons. It also means that criminals who make use of it may cover the original nefarious source of their funds, but any subsequent attempt to off-ramp them through an exchange will still show the connection to Tornado Cash. This most likely leads to the account being blocked, a SAR being raised and the potential for further criminal investigations.

We can see that post-sanctions the activity on Tornado Cash has certainly dropped significantly, but still over half a billion dollars’ worth of assets has been withdrawn from the service after the OFAC action, with over 7,100 unique recipients of funds from it.

But where have the criminals gone now to launder their tainted funds? They certainly haven’t shut up shop and all headed back to fiat criminal enterprises.

Mixer and DEX use

Elliptic research shows that North Korea, and other bad actors, have sought to switch mixers to Sinbad — potentially a rebrand of Blender.io, which was previously sanctioned — and a number of other smaller-volume mixers are likely also recipients of their traffic. However, with the large volumes of stolen funds associated with North Korean activity, finding mixers with deep enough liquidity to hide their activity may prove challenging.

One area I suspect they have been using previously and are likely looking at more closely is decentralised exchanges (DEXs). This is because the total value locked (TVL) in DEXs stands at around $46 billion, with the deepest liquidity pool on Uniswap, the 0.05% USDC/ETH pool, seeing $287.45m TVL and 24-hour volumes of $189.91m. That’s a pretty big pile of cash to hide your illicit funds in!

There’s also evidence of bad actors already using DEXs in an effort to swap their dirty money for clean and to try to shake off blockchain analytics firms. In April this year the Wintermute hacker who stole $160m became the largest liquidity provider for the USDT, USDC and DAI 3pool, attempting to use the pool’s deep liquidity to hide their funds in before later removing them, in the hope that any further compliance checks would simply show the source of funds as ‘Curve Finance’.

Activity of the Yearn Finance exploiter from April this year also shows how they swapped some of the $11.54m worth of funds from their vulnerability exploit through Uniswap.

https://etherscan.io/tx/0xbec88d3ae027ca8f82211447f69aad54f2de3b3c6647abb928cb51413a2cea83

The November 2022 DeFiAI hack, in which $4.17m was stolen from the project, saw much of those funds sent to the DEX FixedFloat.

https://misttrack.io/s/b4Dm0

In November 2022, Pando Rings, an interest rate protocol, suffered a $20m oracle manipulation, and exploration of the exploiter’s activity on Etherscan shows millions in USDT and USDC being swapped through 1inch and Sushiswap in a number of multi-asset swaps. The attacker initially looked to convert funds into decentralised stablecoins such as WETH and DAI, which is a wise-attacker move since USDT and USDC are both ‘freezable’ assets by their respective mining organisations: https://www.linkedin.com/pulse/can-you-freeze-confiscate-someones-crypto-tara-annison/ . The attacker then sought to move these newly washed funds through the RenBridge and hop across from Ethereum to Bitcoin using renBTC, showing the multi-layer strategy that criminals will use to further obscure the original source and end destination of funds.

In July 2021, Bondly Protocol was exploited with 373m $BONDLY tokens being minted and then swapped into other tokens on the 1inch DEX before being bridged to Polygon and mixed via Tornado Cash to further hide the source of funds.

It’s therefore clear that the deep liquidity offered by DEXs and their range of liquidity pools with a mix of centralised and decentralised assets is an attractive venue for criminals to wash funds through and try to shake off blockchain analytics insights.

So should we just ‘ban’ DEXs?

Before the calls to ban DEXs on the grounds of current and potential criminal use come in too heavy, it’s also worth noting that centralised exchanges are also an avenue of choice for criminals to wash their funds through. These are especially attractive since they offer direct fiat off-ramps to the US dollar and other globally attractive currencies and see billions in 24-hour trading volume.

https://coinmarketcap.com/rankings/exchanges/

And whilst most exchanges have Know Your Customer (KYC) procedures in place, along with a suite of AML (anti-money laundering), CTF (counter-terrorist financing) and other anti-illicit-activity policies and procedures, there are countless examples where criminals have found gaps in these processes to be able to send, receive and swap their funds through centralised exchanges, whether directly or indirectly. This could be due to the exchange being an explicit front for criminal activity, such as the infamous BTC-e, which was shut down by the FBI in 2017 after being accused of laundering ~$9 billion worth of illicit crypto and having suspicious Russian links, as well as being the primary laundering venue for the Mt Gox hack which led to the prolonged crypto winter of 2013/4. However, it could also be due to a failure to implement robust compliance procedures, or due to the enterprising and deceptive nature of illicit actors, who will use fake identity information, the efforts noted above to conceal the nefarious source of their funds, and any other tricks possible to access otherwise compliant exchanges.

https://twitter.com/zachxbt/status/1655929037770899457

Analysis from Chainalysis in their 2022 Typologies report supports the thesis that CEXs are a destination of choice for criminals and shows that they make up the primary share of the destinations of illicit funds (looking at both the direct and indirect movement of funds). Criminals may therefore look to race against the clock and move their illicit funds into a CEX, hoping to be able to withdraw before the illicit connections are revealed, or they may look to add a layer of obfuscation or two using a mixer or moving funds through a liquidity pool first. However, it certainly seems like many are willing to take the risk of asset freezing and instead move quickly onto a CEX to access the fiat off-ramp as soon as possible.

https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-cryptocurrency-money-laundering/

Crystal ball gazing for illicit DEX reactions

If I look into my crystal ball I can see illicit actors looking to use liquidity pools to launder funds through, as they offer a decentralised alternative with deep liquidity. This could be for a quick straight swap so they can then off-ramp into a CEX, or they may look to park illicit funds in the liquidity pool, take the yield and wait until eyes are off them before moving onwards.

If this does happen, and it’s found that the Lazarus group and other big sanctioned players start to use this model of obfuscation, the eyes of regulators and potentially OFAC will turn to it, so a Tornado Cash style OFAC designation on a liquidity pool or even an entire DEX could be on the cards. The ramifications of this for the industry can’t be overstated.

After the Tornado Cash sanctioning, ElBarto_Crypto, an anonymous researcher for data shop Block119, penned the “six degrees of Tornado Cash”, which showed that almost half the entire Ethereum network was only “two hops” away from an address that had received funds from Tornado Cash, thereby creating a blast radius of tainted accounts due to the interconnectedness of the blockchain. With the sheer volume of SushiSwap, Curve and PancakeSwap (the top 3 DEXs) and their interconnected nature with other DeFi dApps, it’s likely that most Ethereum accounts would therefore be tainted if a DEX was sanctioned. Likewise if a popular liquidity pool faced OFAC action, since direct swaps, swaps routed through it, and any associated liquidity activity would all be tainted by association.
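To make the “hops” idea concrete, here is an added example (not from the article, and not Block119’s or ElBarto_Crypto’s analysis) of how a compliance team can measure the blast radius of a sanctioned source over a transfer graph. The addresses and transfers are constructed placeholders, not real on-chain data; a real implementation would pull transfer edges from a node or an indexer and would normally also weight by value and time rather than treating every edge equally.

```python
from collections import deque

# Constructed sample transfer graph: (sender, receiver) pairs.
# "0xMIXER" stands in for a sanctioned withdrawal source; every
# other label is a placeholder, not a real Ethereum address.
SAMPLE_TRANSFERS = [
    ("0xMIXER", "0xA1"),   # direct recipient of mixer funds (hop 1)
    ("0xA1", "0xB1"),      # hop 2
    ("0xA1", "0xB2"),      # hop 2
    ("0xB2", "0xC1"),      # hop 3
    ("0xC1", "0xD1"),      # hop 4
    ("0xX1", "0xX2"),      # unrelated cluster, never touched by the mixer
]


def build_graph(transfers):
    """Directed adjacency map: sender -> set of receivers.

    Receivers are registered as nodes too, so the total node count
    used for the blast-radius share includes addresses that only
    ever received funds.
    """
    graph = {}
    for src, dst in transfers:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def hop_distances(graph, sources):
    """Breadth-first search forward along transfers.

    Returns {address: hops} for every address reachable from any of
    the sanctioned sources; the sources themselves sit at distance 0.
    Unreachable addresses are simply absent.
    """
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:          # first visit is the shortest path
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def tainted_within(graph, sources, max_hops):
    """Set of addresses at most max_hops downstream of a source."""
    return {a for a, d in hop_distances(graph, sources).items() if d <= max_hops}


def blast_radius_share(graph, sources, max_hops):
    """Fraction of all known addresses that fall inside the taint radius."""
    return len(tainted_within(graph, sources, max_hops)) / len(graph)


def screen_address(graph, sources, address, max_hops):
    """Screening decision for one address: (flagged, hops_from_source).

    hops_from_source is None when no transfer path exists at all, which
    is the case a reviewer most wants to distinguish from "far away".
    """
    hops = hop_distances(graph, sources).get(address)
    return (hops is not None and hops <= max_hops, hops)


if __name__ == "__main__":
    g = build_graph(SAMPLE_TRANSFERS)
    print("hop distances:", hop_distances(g, ["0xMIXER"]))
    print("share within 2 hops:", blast_radius_share(g, ["0xMIXER"], 2))
    print("screen 0xB1:", screen_address(g, ["0xMIXER"], "0xB1", 2))
    print("screen 0xX2:", screen_address(g, ["0xMIXER"], "0xX2", 2))
```

On the constructed graph, four of the eight addresses sit within two hops of the source, so the two-hop share is exactly 0.5: the point is that a small number of well-connected intermediaries (here `0xA1`) drag many otherwise unrelated addresses into the radius, which is why a hop count on its own is a blunt instrument and why a designation of a busy pool or DEX would taint so much of the network.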

How can we prevent a potential OFAC designation of a systemic DEX or liquidity pool?

DEX protections from illicit activity

The decentralised nature of these services means that anyone, criminal or legitimate user, can use them, and the often DAO-controlled governance means that updating any significant parts of the code to add compliance-related tooling would require community consensus. Whether the community could or would be driven to make such changes is certainly a question mark. We saw a rollback in approach from the highs of ~80% of blocks on Ethereum being OFAC compliant to now around the 30% mark, showing that whilst initial pressure may have made relayers adopt a compliant approach, industry pressure and community sentiment were not in support. It’s likely any action to make a DEX or liquidity pool OFAC compliant could face a similar fate.

https://www.mevwatch.info/

However, that’s not to say that DEXs have been completely inactive on sanctions compliance — DeFi protocols Aave, Uniswap, Ren, Oasis, and Balancer have all been reported as using a dataset from crypto compliance provider TRM Labs to block any OFAC-listed addresses from interacting with their front-end apps. This does not stop them interacting with the smart contracts themselves, but it is a step towards restricting dApp access for illicit actors.

There are also players within the crypto community exploring the concept of compliance-focussed DEXs — Mauve by digital identity provider Violet is doing just that.

https://www.violet.co/

Time will tell what approaches, if any, the industry-leading DEXs take to try to stop illicit actors using them to launder funds, and we shall see if the all-seeing eye of OFAC turns its attention to them.

Originally published at https://www.linkedin.com.
