Why crypto mixers exist and why regulators target them
Mixer services (tumblers) enhance privacy on public blockchains by obscuring the link between sender and recipient. The same capability is also used by hackers and money launderers. As a result, mixers sit at the heart of a tension between the right to privacy and AML/sanctions enforcement.
The goal of this piece is to clearly and thoroughly explain how mixers work (including Tornado Cash), their use cases and risks, how regulators view them, and, ultimately, where crypto privacy regulation is heading.
What mixers are and how they work
CoinJoin: a joint on‑chain transaction with many inputs and outputs; afterward, it’s generally impossible to unambiguously match which input corresponds to which output.
Smart‑contract mixer: a contract on a network (e.g., Ethereum) where deposit and withdrawal are separated in time and confirmed by a zero‑knowledge proof without revealing the link; in other words, it verifies “knowledge of a secret,” not the actual path of funds.
Custodial service: an operator takes your coins into custody, mixes them, and returns different ones—simpler, but it requires trust in the operator.
Non‑custodial approach: your funds never pass to a third party (e.g., CoinJoin in wallets); nonetheless, poor address hygiene still erodes privacy.
History and evolution: from tumbler services to ZK mixers
| Service/approach | Network | Type | Status | Key tech | Features/risks |
|---|---|---|---|---|---|
| Tornado Cash | Ethereum | Non‑custodial | 🟡 Operational; OFAC delisting March 21, 2025 | zk-SNARK | |
| Wasabi (CoinJoin) | Bitcoin | Non‑custodial | 🟢 Active | CoinJoin, WabiSabi | |
| Samourai Whirlpool | Bitcoin | Non‑custodial | 🟢 Active | CoinJoin | |
| ChipMixer | Bitcoin | Custodial | ⛔ Shut down (law‑enforcement operation) | “Chips” | |
| Blender.io | Bitcoin | Custodial | ⛔ OFAC sanctions since 2022 | Tumbler | |
| Sinbad.io | Bitcoin | Custodial | ⛔ Seizure/takedown | Tumbler | |
| JoinMarket | Bitcoin | Non‑custodial | 🟢 Active | CoinJoin | |
Tornado Cash: design, sanctions, debates
How Tornado Cash works
Mechanics: fixed‑denomination deposit pools, issuance of “notes” (secrets), then a withdrawal with a ZK proof → an anonymity set is formed.
- First, there’s no custodial operator—the logic resides in the smart contract.
- Second, anonymity increases with the number of same‑denomination deposits.
- Finally, there’s a trade‑off: convenience and strong privacy versus regulatory risk.
✅ Pros
- Strong L1 privacy without trusting an intermediary.
- Cryptographically verifiable model (zk‑SNARK).
- Limited reliance on infrastructure intermediaries.
❌ Cons
- Compliance risks persist for residents of stricter jurisdictions.
- Outputs may carry a “tag” that worries exchanges/KYC services.
- Operational mistakes (e.g., address reuse, distinctive timing/amount patterns) can weaken privacy.
Key point: Tornado Cash exposed the limits of “banning code” while posing a hard question about the accountability of privacy‑protocol developers.
Important: check the current status in your jurisdiction. In the U.S., Tornado Cash addresses were removed from the SDN list on March 21, 2025; provider compliance screening still applies.
Precedent cases and updates (2024–2025)
Regulatory updates
- March 21, 2025, USA: OFAC removed Tornado Cash addresses from the SDN list (official delisting). Result: sanction risk on protocol addresses in the U.S. was lifted.
- EU 2024–2025: AML package (AMLR/AMLA) adopted: from July 10, 2027, CASPs in the EU may not provide/hold anonymous crypto accounts or services/assets that increase obfuscation (including anonymity‑enhancing coins). In addition, the Travel Rule has been in force in the EU since December 30, 2024.
Court precedents
In short: the regulatory backdrop has softened in the U.S. (OFAC delisting), while in the EU controls tighten via providers (CASPs) and the Travel Rule. Therefore, users still need strict address hygiene and caution when off‑ramping.
Other mixers and approaches: Wasabi, Whirlpool, ChipMixer, Blender, Sinbad
Wasabi / Whirlpool (CoinJoin)
Non‑custodial wallets with CoinJoin: you don’t hand coins to an operator; instead, you coordinate with other participants to create joint transactions.
- First, Wasabi (WabiSabi) supports arbitrary amounts and round‑based mixing.
- Second, Whirlpool uses fixed‑denomination pools and multiple remixes.
✅ Pros
- Non‑custodial model: funds remain under the user’s control.
- Deep Tor integration and hardware‑wallet support.
- Mature UX and broad availability.
❌ Cons
- A coordinator in some designs introduces UTXO‑censorship risk.
- Requires liquidity and time for mixing rounds.
- Fees remain, as does the risk of privacy mistakes.
Key point: CoinJoin remains a practical compromise for BTC privacy if, first, you maintain address hygiene and, second, you avoid merging “clean” and “tainted” UTXOs.
ChipMixer / Blender / Sinbad (tumbler)
Classic custodial “blenders”: an operator takes deposits, mixes them, and returns funds to new addresses.
- On the one hand, they can deliver strong obfuscation of flows.
- On the other hand, their exposure to law enforcement is high.
✅ Pros
- Fast and simple for end users.
- Potentially very deep mixing with large pools.
❌ Cons
- Risk of losing funds during raids and closures.
- Operators may keep logs or cooperate with investigators.
- High provenance “toxicity” from a compliance perspective.
Key point: the era of centralized mixers is fading—legal risks often outweigh convenience.
Regulation: USA, EU, and key cases
Key terms and frameworks
OFAC / SDN: the U.S. Treasury’s sanctions office and its Specially Designated Nationals list. On March 21, 2025, Tornado Cash was removed from the SDN list.
IEEPA: the U.S. International Emergency Economic Powers Act; OFAC imposes sanctions under it. In Van Loon, the appellate court held that immutable smart contracts are not “property” under IEEPA.
Section 311 (FinCEN): a special measure for a “class of transactions of primary money‑laundering concern.” In October 2023, FinCEN proposed classing CVC mixing as such a class (NPRM), adding reporting obligations for financial institutions.
AMLR / AMLA (EU): the EU’s new AML regulation and authority. Starting July 10, 2027, CASPs may not provide/hold anonymous crypto accounts or services/assets that increase obfuscation (including privacy‑coins).
Travel Rule (EU): a rule requiring originator/beneficiary data for crypto‑asset transfers handled by providers (CASPs). In the EU it has applied since December 30, 2024, under Regulation (EU) 2023/1113.
USA: sanctions, FinCEN, and criminal cases
First, after Tornado Cash’s delisting, sanction risk decreased specifically for interactions with protocol addresses. Second, criminal risks for specific individuals remain (see developer cases). Finally, FinCEN’s Section 311 initiative increases reporting obligations for banks and payment companies regarding CVC mixing.
EU: AMLR/AMLA and the Travel Rule
On the one hand, the EU focuses on providers (CASPs) and transfer metadata (Travel Rule). On the other hand, self‑custody wallets are not banned. As a result, users primarily encounter controls at licensed on‑/off‑ramps.
UK: risk‑based supervision
With the Travel Rule and the FCA’s approach, the emphasis shifts to source‑of‑funds checks and behavioral analytics. The technical privacy tools themselves are not directly prohibited.
Big picture
- USA: sanctions lists are being adjusted; cases proceed against operators and developers; ultimately, FinCEN emphasizes reporting for financial institutions.
- EU: CASP bans on anonymous accounts and “anonymity‑enhancing coins” by July 10, 2027; the Travel Rule is already in force.
- Trend: focus shifts from “code” to front ends, infrastructure, and accountable persons/DAO governance.
Regional summary
| Region | Status of mixers / Tornado Cash | Trend 2025→2027 | What users should do |
|---|---|---|---|
| USA | Sanctions lifted (delisting on March 21, 2025). Criminal cases against founders are separate. | FinCEN is advancing the Section 311 special measure on CVC mixing (NPRM October 2023). Finalization in progress. | Segregate addresses and add time gaps; avoid direct links to KYC immediately after a mixer. |
| EU / EEA | AMLR: CASPs barred from anonymous crypto accounts and services/assets that increase obfuscation (including privacy‑coins). Travel Rule in force since December 30, 2024. | AMLR applies from July 10, 2027. | Plan off‑ramping: privacy coins/anonymous mode won’t pass via CASPs. |
| UK | Travel Rule in force since September 1, 2023; risk‑based FCA oversight. Targeted cases/chain analysis. | Convergence with FATF, sustained pressure on providers. | Practice address hygiene; segregate UTXOs/addresses; avoid direct deposits after mixers. |
What this means in practice
Why people use them: privacy vs. abuse
Legitimate scenarios
- Protection of financial privacy for individuals and companies.
- Security—avoiding exposure of a main wallet’s balance and history.
- Anonymous donations and activity under repressive regimes.
Key point: privacy is a normal need; its absence on public ledgers creates real risks for users.
Abuses
- Laundering of proceeds after hacks or fraud, and sanctions evasion.
- “Washing” proceeds from darknet markets and ransomware.
- Concealing traces of corruption and illicit supply chains.
Important: mixing doesn’t guarantee full anonymity. Address‑hygiene mistakes, timing/amount patterns, and exiting to KYC platforms all raise the probability of deanonymization.
Compliance practicum: quick address hygiene
A minimal set of steps that reduces the traceability “taint” of transactions and the risk of questions from exchanges or banks.
- Segregate “clean” funds from funds that touched mixers or privacy coins (use different addresses/wallets).
- Introduce time delays; avoid unique amounts or patterns that make you stand out from the pool.
- Don’t merge UTXOs with different histories into a single output; avoid address reuse.
- After a mixer, don’t withdraw straight to a KYC exchange; add an intermediate hop (and not to your main account).
- Keep a mini “dossier” on fund flows (tx links/screenshots)—this speeds up responses to compliance requests.
Alternatives to mixers: privacy coins, LN, ZK approaches
Monero (XMR): privacy “by default” (ring signatures, stealth addresses, RingCT); therefore, it’s harder for an observer to match senders and amounts.
Zcash (ZEC): optional privacy via zk‑SNARKs (shielded z‑addr); however, not everyone uses the shielded pool.
Lightning Network: off‑chain payments and onion routing increase privacy for BTC usage; fees are generally lower than on‑chain.
Privacy Pools: ZK proofs of funds’ “cleanliness” without revealing the path—an attempt to reconcile privacy and AML; this opens space for “anonymous compliance.”
Measuring privacy in practice
- Anonymity set: how many same‑type deposits or withdrawals “cover” your transaction.
- Linkability: the probability of linking input and output via amounts, timing, or behavior.
- Entropy: how evenly probability is spread across the candidate matches for your transaction.
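The three metrics above, computed for one withdrawal from a fixed‑denomination pool. This is an added example, not code from the article or from any mixer project. The deposit data is constructed, and the exponential timing model with its half‑life parameter is an assumption used only to show how a timing signal shrinks the effective set while the nominal anonymity set stays the same.

```python
import math

# Constructed sample: (deposit id, pool denomination in ETH, hours before the withdrawal).
DEPOSITS = [
    ("d1", 1.0, 0.5),
    ("d2", 1.0, 30.0),
    ("d3", 1.0, 72.0),
    ("d4", 1.0, 200.0),
    ("d5", 10.0, 1.0),   # other pool: cannot cover a 1 ETH withdrawal
    ("d6", 1.0, -2.0),   # made after the withdrawal: cannot be its source
]

def candidates(deposits, denomination):
    """Anonymity set: same-denomination deposits that precede the withdrawal."""
    return [d for d in deposits if d[1] == denomination and d[2] > 0]

def timing_belief(cands, half_life_hours):
    """Assumed observer model (not from the article): a candidate's weight
    halves for every `half_life_hours` between deposit and withdrawal."""
    weights = [0.5 ** (age / half_life_hours) for _, _, age in cands]
    total = sum(weights)
    return [w / total for w in weights]

def entropy_bits(probs):
    """Shannon entropy of the observer's belief over candidates."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def privacy_metrics(deposits, denomination, half_life_hours=None):
    """Return the three metrics; half_life_hours=None means no timing signal."""
    cands = candidates(deposits, denomination)
    if not cands:
        raise ValueError("no deposit can cover this withdrawal")
    if half_life_hours is None:
        probs = [1 / len(cands)] * len(cands)
    else:
        probs = timing_belief(cands, half_life_hours)
    h = entropy_bits(probs)
    return {
        "anonymity_set": len(cands),
        "linkability": max(probs),      # chance the best single guess is right
        "entropy_bits": h,
        "effective_set": 2 ** h,        # size of a uniform set with equal entropy
    }

if __name__ == "__main__":
    print(privacy_metrics(DEPOSITS, 1.0))
    print(privacy_metrics(DEPOSITS, 1.0, half_life_hours=24))
```

With no timing signal the four candidates are equally likely (2 bits of entropy); under the assumed 24‑hour half‑life the nominal set is still four, but the effective set falls below three because the most recent deposit dominates.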
Possible regulatory paths and balancing interests
- Technological neutrality: target crimes, not tools.
- Developer responsibility: a fine line between publishing code and facilitating laundering.
- Licensing mixers: practically infeasible without destroying privacy.
- Direct bans: effective against custodial services but deter legitimate users.
- Invest in analytics: the better the clearance rate, the less need for bans.
- ZK compromises: selective disclosure and proofs of “cleanliness” without deanonymization.
A systemic answer should emerge from a dialogue between industry and regulators. Bans alone deter legitimate users and don’t eliminate the root causes of crime; nevertheless, abuse can’t be ignored. Balance is achievable by combining targeted enforcement, technologically neutral rules, and the deployment of zero‑knowledge–based “anonymous compliance.”
Key point: privacy is not the enemy of the law. The aim is a financial system that simultaneously respects individual rights and ensures security.