Tornado Cash Sanctions - Elite Version

    Tornado Cash is in the news due to the sanctions imposed by the US government and the freezing of $75K of USDC from Circle. What is Tornado Cash and why would it be targeted by the US government? Why might an address interact with the service? The addresses tied to the service have been publicly posted online. Using those addresses, answer the following: How many addresses are still using the service despite the sanctions? Which addresses have been interacting the most with Tornado Cash? Break the addresses down by frequency and volume of tokens and describe how the groups are using the service differently.

    Introduction

    • What is Tornado Cash and what’s the purpose?

      Due to the nature of the blockchain, the transactions recorded on Bitcoin and Ethereum are transparently available to anyone who wants to see them, which can be both a strength and a weakness of blockchain technology. Of course, this does not necessarily mean that a user's personal information is available to everyone; the cryptographic nature of public addresses means that users' privacy is still maintained. But if a user shares a public address with someone, that person can follow the user's transactions with nothing more than that address. To solve this "problem", various privacy-focused solutions and protocols have been created. Still, none of them have been as successful as platforms that mix transactions. A transaction mixer combines the funds of multiple users and their transactions: each transaction is "mixed" before reaching its intended destination. Once this commingling has occurred, it becomes much more difficult for anyone to track whose money is whose, and how much was sent.

      Tornado Cash aims to solve the privacy problem of transparent blockchains through private transactions. On this platform, the transactions and their values are mixed, so that in the end it is not clear which amount was sent from which address.

    • Why did the US government sanction Tornado Cash?

      As mentioned, the purpose of Tornado Cash is to protect users' privacy on a transparent medium. Technology can be used for good, and it can be abused. Blockchain platforms, with Bitcoin and Ethereum as the clearest examples, have advantages that most of us are familiar with. On the other hand, they can be abused by criminals to launder dirty money and erase their footprints. A platform whose purpose is to protect users' privacy is no exception to this rule: criminals, organizations, and countries under sanctions by the international community can also use a platform like Tornado Cash to erase their traces, that is, their public addresses. According to U.S. government reports, Tornado Cash has laundered nearly $7 billion since its inception in 2019. This includes over $455 million stolen by the Lazarus Group, a Democratic People's Republic of Korea (DPRK) state-sponsored hacking group sanctioned by the U.S. in 2019, in the largest known virtual currency heist to date. Tornado Cash was subsequently used to launder more than $96 million of malicious cyber actors' funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022 Nomad Heist. Cyber thieves have therefore abused this platform in many ways for their own benefit.

    • Why might an address interact with the service?

      Users turn to platforms such as Tornado Cash to protect their privacy and erase their traces on the transparent blockchain. They deposit their funds into the Tornado Cash mixer and then send them on to their desired destinations using one or more other addresses.

    Methodology

    In this report, our goal is to discuss the behavior of the addresses that interacted the most with the Tornado Cash platform. To identify them, we first use the table flipside_prod_db.crosschain.address_labels to get all the addresses related to this platform. Then, using the data in the table ethereum.core.fact_transactions, we find the addresses of the users who have used this platform, and we discuss their behavior using the results and graphs below.

    • Number of addresses that are still using Tornado Cash despite the sanctions
    • Number of transactions and number of addresses that have been using Tornado Cash since August 1st
    • Correlation of Number of addresses with ETH volume
    • Number of distinct addresses vs. average ETH deposited per address
    • Addresses with the most transactions to Tornado Cash
    • Addresses with the most USD volume sent to Tornado Cash
    • Classification of addresses based on the volume (in USD) they sent to Tornado Cash
    • Classification of addresses based on the number of transactions they sent to Tornado Cash
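
    One way to express the two-table methodology above as a single query, added here as an example and not the dashboard author's own SQL. The column names, the 'tornado cash' label value and the 100 to 4,999 bucket are assumptions; the other bucket edges and the August 1 and August 8 dates (taken as 2022) come from the report.

```sql
-- Added example (Snowflake-style SQL). Assumed, not taken from the page:
-- columns address, project_name, blockchain, from_address, to_address,
-- tx_hash, block_timestamp, eth_value, and the label value 'tornado cash'.
WITH tornado_contracts AS (
    -- Step 1: every Ethereum address labelled as belonging to the service.
    SELECT DISTINCT LOWER(address) AS address
    FROM flipside_prod_db.crosschain.address_labels
    WHERE blockchain = 'ethereum'
      AND LOWER(project_name) = 'tornado cash'
),
interactions AS (
    -- Step 2: transactions sent directly to one of those contracts,
    -- starting one week before the sanctions announcement.
    SELECT t.from_address, t.tx_hash, t.block_timestamp, t.eth_value
    FROM ethereum.core.fact_transactions t
    JOIN tornado_contracts c
      ON LOWER(t.to_address) = c.address
    WHERE t.block_timestamp >= '2022-08-01'
),
per_address AS (
    -- Step 3: one row per sending address.
    -- eth_value covers native ETH only; token pools need a transfers table.
    SELECT from_address,
           COUNT(DISTINCT tx_hash) AS tx_count,
           SUM(eth_value)          AS eth_sent,
           MAX(block_timestamp)    AS last_seen
    FROM interactions
    GROUP BY from_address
)
-- Step 4: bucket addresses by transaction count and flag the ones
-- still active on or after the announcement date (August 8).
SELECT
    CASE
        WHEN tx_count < 100    THEN '1: under 100'
        WHEN tx_count < 5000   THEN '2: 100 to 4,999'      -- assumed bucket
        WHEN tx_count <= 10000 THEN '3: 5,000 to 10,000'
        ELSE                        '4: over 10,000'
    END                                                         AS tx_count_bucket,
    COUNT(*)                                                    AS addresses,
    SUM(CASE WHEN last_seen >= '2022-08-08' THEN 1 ELSE 0 END)  AS active_since_sanctions,
    SUM(eth_sent)                                               AS eth_sent
FROM per_address
GROUP BY 1
ORDER BY 1;
```

    Because the join matches on the transaction's recipient, the sender of a withdrawal transaction, which can be a relayer rather than the end user, is counted alongside depositors.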

    Analysis

    The sanctions against Tornado Cash were announced on Monday, August 8, and since that date, 810 addresses have still used the platform.

    In the left chart, you can see the number of transactions and the number of addresses that have made transactions on Tornado Cash since August 1, which is about a week before the sanctions were imposed. No data was recorded on August 8 at 17:00, and the platform was probably down for an hour. Looking at the graph, both the number of transactions and the number of active addresses increased and then dropped sharply.

    • The above graph shows the correlation between the number of active addresses, the volume of transactions, and the date. As you can see, the volume of transactions has generally decreased, while the number of transactions has seen a relative increase, coinciding with the announcement of the sanctions on August 8. It seems that cybercriminals have used this platform less for fear of being blacklisted.
    • The graph below shows the relationship between the number of active addresses and the average amount of ETH per user since August 1. On the first and second days of August, the volume of deposits to this platform was high, to the point that on August 2 at 03:00 each user deposited an average of 160 ETH, but this volume then gradually decreased. After August 8, the deposit amounts decreased accordingly.

    The adjacent table shows the top 1000 addresses that have made the most transactions on Tornado Cash.

    • The top 10 addresses in terms of the number of transactions are also shown in the donut chart above. As you can see, the addresses do not differ much in their number of transactions, and it can be said that they all belong to the Whale category.
    • The graph below shows the top 10 addresses in terms of the number of transactions for the period after August 1. The only address in common with the previous top 10 is 0x3a1d526d09b7e59fd88de4726f68a8246ddc2742.

    You can see the complete list of active addresses in terms of the number of transactions after August 1 in the table on the right.

    In the table on the left, the addresses are sorted according to the volume they have deposited to the platform. As you can see, the first address has deposited about 87.6 million dollars to Tornado Cash, which is a big number. If we compare the top 10 here with the table in which we sorted the addresses by number of transactions, we conclude that the addresses with a high volume of transactions did not necessarily have a high number of transactions.

    In the right chart, we classify the addresses by transaction volume, showing how many addresses fall into each volume range. As the graph shows, most of the users had a transaction volume between 0 and 100 dollars. In second place, the largest number of users belongs to the category whose transaction volume is between 10,000 and 100,000 dollars. Users with a transaction volume of 1,000 to 10,000 dollars are ranked third. Only 84 addresses had a transaction volume higher than 10 million dollars, and 1181 addresses had a transaction volume between 1 million and 10 million dollars.

    The left graph divides the users based on their number of transactions. As you can see, most users have made fewer than 100 transactions; only 2 users have made more than 10,000 transactions, and 6 users have made between 5,000 and 10,000 transactions.

    Conclusion

    According to the graphs presented, it seems that cybercriminals and sanctioned organizations used this platform to erase their footprints. For some addresses, both the volume transferred and the number of related transactions are very high, which shows that the platform has provided a good venue for abuse, one that requires better legislation. The announcement of the ban has also caused the volume of transactions to decrease to some extent, because users have used this platform less for fear of being blacklisted.