Sanctions Evasion on Chain: Why 2025 Became a Turning Point

On-chain sanctions enforcement entered a fundamentally different phase in 2025. The legal ambiguity that had characterised the prior three years -- around mixer designations, the scope of OFAC's authority over smart contracts, and the obligations of protocol developers versus end users -- began resolving into concrete precedent. The enforcement actions, court decisions, and regulatory guidance that landed in 2025 collectively redefined what sanctions compliance means for every participant in the crypto ecosystem, from exchanges to DeFi protocols to individual users.

The data on mixer and bridge usage patterns tells its own story. The assumption that sanctioned actors would simply find new tools when one was designated turned out to be only partially correct. What actually happened was more nuanced, and more instructive.

The Tornado Cash Saga: Resolution and Aftermath​

The Tornado Cash enforcement action, which began with OFAC's August 2022 designation of the smart contract addresses, became the defining test case for on-chain sanctions law. The case worked through the courts for over two years, generating conflicting rulings, intense industry debate, and genuine legal uncertainty.

The Fifth Circuit's November 2024 ruling that immutable smart contracts could not be designated as "property" of a foreign national under IEEPA appeared to narrow OFAC's authority significantly. But the practical impact was more limited than the initial commentary suggested. OFAC responded by refining its designation approach, targeting the specific wallet addresses associated with Tornado Cash's governance and relayer infrastructure rather than the immutable smart contract code itself. The revised designations, issued in March 2025, were structured to survive the Fifth Circuit's reasoning while achieving substantially the same compliance effect.

The practical result for exchanges and DeFi front-ends was minimal change. Most had already implemented screening that flagged transactions with Tornado Cash-associated addresses, and the revised designations simply provided clearer legal footing for continuing to do so. For end users, the message was unambiguous: interacting with designated mixer infrastructure carries sanctions risk regardless of the underlying legal theory.

The broader lesson from the Tornado Cash saga is that OFAC has both the willingness and the adaptability to enforce sanctions on chain. The specific legal mechanisms will continue to evolve, but the direction of travel -- toward comprehensive on-chain sanctions enforcement -- is settled.

OFAC Designation Patterns: What They Signal​

Analysing the pattern of OFAC designations from 2022 through 2025 reveals a clear strategic logic. The designations have moved progressively from targeting individual bad actors (specific sanctioned persons and their known wallets) to targeting infrastructure (mixers, specific DeFi protocols, cross-chain bridges used for evasion) to targeting enablers (service providers, developers, and operators who facilitate sanctions evasion).

The 2025 designations expanded the infrastructure layer significantly. In addition to the revised Tornado Cash designations, OFAC designated several smaller mixing services that had emerged as alternatives, as well as specific cross-chain bridge operator wallets that had been identified as laundering channels for the Lazarus Group.

The signal for the industry is that OFAC is playing whack-a-mole with increasing speed and precision. The lag time between a new evasion tool emerging and being designated has compressed from months to weeks. Chain analytics firms work in close coordination with OFAC and FinCEN, providing the on-chain intelligence that informs designation decisions.

For exchanges and compliance teams, this means that sanctions screening is no longer a static list-matching exercise. It requires real-time monitoring of designation updates, dynamic risk scoring of addresses based on proximity to designated infrastructure, and the organisational capacity to respond quickly when new designations are issued.

Mixer and Tumbler Usage Trends: 2023-2025​

The on-chain data on mixer and tumbler usage over the 2023-2025 period tells a story of adaptation, but not one of unlimited resilience.

Tornado Cash usage dropped sharply following the initial 2022 designation, partially recovered through 2023 as users tested the legal uncertainty, then dropped again through 2024 and 2025 as enforcement consequences became clearer. By Q1 2026, Tornado Cash monthly volume was approximately 15 percent of its pre-designation peak.

Alternative mixers absorbed some of the displaced volume, but not all of it. Services like Railgun, which offered privacy features through different technical mechanisms (shielded pools rather than traditional mixing), saw increased usage through 2024. However, the OFAC designation of Railgun-associated addresses in mid-2025 demonstrated that the enforcement approach was not limited to a single technical implementation.

The aggregate data shows that total mixing volume across all identified mixing services declined approximately 60 percent from the 2022 peak to Q1 2026. This does not mean that 60 percent of sanctioned actors stopped evading sanctions -- it means the tools they use have shifted, and some of that activity has moved to channels that are harder to observe.

The most significant shift has been toward cross-chain bridging as a de facto privacy mechanism. By moving funds across multiple chains through a series of bridges, users can create sufficient complexity in the transaction trail to frustrate all but the most determined forensic analysis. This is not true privacy -- the trail still exists on each chain -- but it raises the analytical cost significantly.

Cross-Chain Bridge Exploitation​

Cross-chain bridges emerged as the primary sanctions evasion infrastructure in 2025, not because they were designed for privacy but because the complexity they introduce into fund flows creates practical obstacles for enforcement.

The mechanics are straightforward. A sanctioned actor moves funds from Ethereum to Solana through Bridge A, from Solana to Avalanche through Bridge B, converts to stablecoins, bridges to an EVM-compatible L2, and eventually deposits at an exchange through a freshly generated address. Each bridge hop creates a break in the transaction trail that requires the analyst to identify the corresponding transaction on the destination chain -- a process that is technically possible but resource-intensive at scale.

The Lazarus Group's on-chain patterns, documented extensively by Chainalysis and Elliptic, show increasing bridge usage through 2025. The group's operations evolved from relatively straightforward mixer usage (primarily Tornado Cash and Sinbad, before Sinbad's designation) to complex multi-chain paths involving four or more bridge hops. The analytical overhead of tracing these paths is significant, and the delay between the initial theft and the final offramp has increased as a result.

OFAC's response has been to target specific bridge operator wallets and relay addresses rather than bridge protocols themselves -- a distinction that mirrors the revised Tornado Cash approach. Whether this will prove sufficient to deter bridge-based evasion remains to be seen.

The Lazarus Group: On-Chain Patterns​

North Korea's Lazarus Group remains the most significant state-sponsored sanctions evasion operation in crypto. Through 2023 and early 2024, the group followed a recognisable pattern: exploit or social engineering attack, rapid consolidation, mixing through Tornado Cash or Sinbad, and offramp through complicit or negligent exchanges.

By late 2024, the pattern evolved -- holding funds in intermediate wallets for days before moving them, splitting into smaller transactions below automated flagging thresholds, and routing through DEXs with weaker screening. The 2025 evolution introduced systematic cross-chain complexity, privacy-preserving stablecoins as intermediate holding points, and exploitation of timing gaps in chain analytics coverage.

Despite these adaptations, a significant portion of Lazarus-attributed funds has been frozen or recovered through coordination between chain analytics firms, exchanges, and law enforcement. The recovery rate improved through 2025.

The Compliance Burden on Exchanges​

For regulated exchanges, the 2025 enforcement landscape created compliance obligations that are significantly more demanding than what existed even two years prior.

Sanctions screening for crypto transactions now requires real-time analysis that goes beyond simple address list matching. Exchanges must assess the provenance of incoming funds -- the degree of separation from designated addresses, the presence of mixer or bridge hops in the transaction history, and the risk profile of the sending address based on behavioural heuristics.

This requires substantial investment in chain analytics tooling. The major providers -- Chainalysis, Elliptic, and TRM Labs -- offer real-time transaction screening products, but these tools are only as effective as their coverage and update frequency. Exchanges that rely on a single provider risk gaps in coverage, particularly for newer chains and emerging evasion techniques.

The enforcement expectation, as communicated through FinCEN guidance and OFAC advisories, is that exchanges will implement "risk-based" screening that adapts to evolving evasion techniques. In practice, this means compliance teams need to understand on-chain fund flows at a technical level, not just check addresses against a list.

The staffing implications are significant. Mid-tier exchanges now need dedicated blockchain analysts, sanctions specialists, and supporting technology infrastructure. The cost creates a competitive advantage for larger exchanges that can absorb it.

Our Exchange Watch coverage tracks how exchanges are meeting -- or failing to meet -- these evolving compliance standards.

Privacy vs Sanctions Compliance: The Legal Grey Area​

The tension between financial privacy and sanctions compliance is the central unresolved question in on-chain enforcement. The positions are genuinely irreconcilable at the extremes: absolute financial privacy makes sanctions enforcement impossible, and absolute sanctions enforcement eliminates financial privacy.

The practical question is where the line falls for lawful users of privacy-preserving tools. The Tornado Cash litigation partially addressed this, but the legal landscape remains unsettled. Using a mixer is not itself illegal, but using a mixer to evade sanctions is. The difficulty is that the on-chain transaction looks the same in both cases.

The 2025 FinCEN guidance attempted to provide clarity by distinguishing between "privacy-enhancing transactions" that serve legitimate purposes and "obfuscation techniques" that are indicative of sanctions evasion. The distinction rests on context -- the user's identity, the source and destination of funds, and the overall transaction pattern -- rather than the technology itself.

For individual users, the practical guidance is cautious. Any interaction with designated addresses or protocols carries risk, regardless of intent. Using privacy tools that have been designated or that are associated with known evasion activity creates compliance exposure even if the user's own purpose is legitimate. The legal framework does not yet provide a safe harbour for lawful privacy use when the tools themselves are designated.

As we noted in our AI impersonation analysis, the tooling landscape for both surveillance and evasion continues to evolve rapidly. The privacy-compliance tension will only intensify.

What Changed in 2025: The Turning Point​

Several specific developments in 2025 collectively constitute the turning point in on-chain sanctions enforcement.

The revised Tornado Cash designations (March 2025) demonstrated that OFAC would adapt its legal approach to survive court challenges while maintaining enforcement pressure. The designation framework that emerged is more durable and more broadly applicable than the original 2022 approach.

The bridge operator designations (June-August 2025) extended the enforcement perimeter beyond purpose-built privacy tools to the broader infrastructure layer. This signalled that any service or protocol that facilitates sanctions evasion -- whether designed for that purpose or not -- is within OFAC's targeting scope.

The FinCEN compliance guidance (September 2025) set explicit expectations for exchange screening that go beyond address matching. The guidance created a de facto standard for risk-based transaction monitoring that is now the baseline compliance expectation.

The Lazarus Group attribution actions (ongoing through 2025) demonstrated improving attribution capability and faster coordination between intelligence agencies, chain analytics firms, and exchanges. The lag between theft and fund freeze shortened measurably.

The international coordination framework established through the Financial Action Task Force's updated Virtual Asset guidance (October 2025) created common expectations across jurisdictions for sanctions screening of crypto transactions. While implementation varies, the existence of a shared framework reduces the ability of sanctioned actors to exploit jurisdictional arbitrage.

Collectively, these developments moved on-chain sanctions enforcement from an experimental and contested domain to an established compliance regime with clear expectations, tested legal mechanisms, and improving technical capability.

Frequently Asked Questions​

Is using a mixer automatically a sanctions violation?

No. Using a mixer is not itself illegal in most jurisdictions. However, using a mixer that has been specifically designated by OFAC -- such as Tornado Cash or Sinbad -- constitutes interaction with designated property and carries sanctions risk regardless of the user's intent. Even using non-designated mixers can create compliance complications, as the mixed funds may be flagged by chain analytics tools and trigger enhanced scrutiny at exchanges or other regulated touchpoints.

How do chain analytics firms track funds through mixers and bridges?

Chain analytics firms use a combination of heuristics, clustering analysis, and proprietary techniques. For mixers, common approaches include timing analysis (correlating deposit and withdrawal amounts and times), denomination analysis, and tracking the behaviour of known addresses before and after mixing. For bridges, firms maintain cross-chain mapping databases that link source and destination transactions. The effectiveness varies by tool and chain, and sophisticated actors can increase the difficulty of tracing by introducing delays, splitting amounts, and using multiple hops.

What happened with the Tornado Cash legal case?

The Tornado Cash enforcement saga involved multiple legal proceedings. The Fifth Circuit ruled in November 2024 that the original OFAC designation of immutable smart contracts exceeded OFAC's statutory authority. OFAC responded by issuing revised designations in March 2025 targeting governance wallets and relayer infrastructure rather than the immutable contract code. These revised designations have not been successfully challenged. Separately, criminal proceedings against Tornado Cash developers proceeded on the basis that the developers actively facilitated sanctions evasion, rather than that the code itself was sanctioned.

Can I use privacy tools without sanctions risk?

It depends on the specific tool and jurisdiction. Non-designated privacy tools that are not associated with known evasion activity carry lower risk, but any privacy-enhancing transaction may trigger enhanced scrutiny from chain analytics screening. The safest approach for compliance-conscious users is to avoid any tool that has been designated or that is known to be heavily used for evasion, and to be prepared to explain the provenance of funds that have passed through any privacy-enhancing mechanism. The legal framework does not yet provide a clear safe harbour for legitimate privacy use.

Why is 2025 considered the turning point rather than 2022?

The 2022 Tornado Cash designation was the opening action, but it was followed by years of legal uncertainty, contested enforcement, and unclear compliance expectations. By the end of 2025, the legal challenges had been substantially resolved, OFAC had demonstrated an adaptable designation strategy, FinCEN had issued explicit compliance guidance, international coordination frameworks were in place, and the chain analytics capability supporting enforcement had improved significantly. The distinction is between the beginning of enforcement (2022) and the establishment of a durable enforcement regime (2025).