On-chain Forensics & Compliance
Evasion Under Blockchain Sanctions
Sanctioning blockchain addresses is now a common regulatory response to malicious activity. But enforcement on permissionless blockchains is messy: real-world funds move through long, branching transaction graphs and increasingly sophisticated obfuscation services.
In our paper, we use Tornado Cash as a case study to quantify the practical impact of U.S. OFAC sanctions over a 957-day period (covering 6.79M Ethereum blocks and 1.07B transactions). The core message is nuanced: sanctions change behavior substantially, but they do not eliminate illicit reliance on mixers.
- Sanctions reduced mixer usage, but not to zero. We observe a 71.03% drop in Tornado Cash deposit volume (to ~$2B), yet attackers still relied on Tornado Cash in 78.33% of Ethereum-related security incidents.
- Three structural limitations show up in practice. Binary “sanctioned / not sanctioned” labels are brittle under dusting, block producer censorship is fragmented, and obfuscation services create complex flow patterns that are hard to reason about with simple heuristics.
- A practical scoring approach for tracking. We introduce an algorithm grounded in quantitative impurity to score and track flows. In our evaluation on the Bybit exploit, it reaches 97.61% precision and 74.08% recall, while processing blocks in 0.07 ± 0.03s on average.
Practical takeaways
If you are building monitoring, compliance, or incident response for on-chain systems, consider:
- Prefer graded risk scoring over binary labels; it’s more robust to dusting and “partial taint” edge cases.
- Treat block-level censorship as heterogeneous; assumptions about uniform enforcement often break.
- Build investigation tooling around speed: the time window between discovery and cash-out is often short.
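To make the contrast between graded impurity scoring (the approach summarised above) and binary labels concrete, here is an added illustration that is not the paper's algorithm and not code from the authors: it propagates a tainted-share score pro rata through a constructed set of transfers, keeps a binary "any exposure" label alongside, and shows how a dust transfer from a sanctioned source fully poisons the binary label while barely moving the graded score. The address names, balances and threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Transfer:
    sender: str
    receiver: str
    amount: float  # ETH


class ImpurityTracker:
    """Graded taint ('impurity') propagation next to a binary 'poison' label.
    Impurity = share of an address's current balance that traces back to a
    sanctioned source, carried pro rata on each outgoing transfer. Assumed
    illustration of the idea, not the paper's algorithm."""

    def __init__(self, sanctioned, initial_balances):
        self.sanctioned = set(sanctioned)
        self.balance = defaultdict(float, initial_balances)
        self.tainted = defaultdict(float)  # tainted ETH held per address
        self.binary = set(sanctioned)      # any exposure marks the address

    def impurity(self, addr):
        if addr in self.sanctioned:
            return 1.0  # sanctioned sources emit fully tainted funds
        bal = self.balance[addr]
        return self.tainted[addr] / bal if bal > 0 else 0.0

    def apply(self, tx):
        moved = tx.amount * self.impurity(tx.sender)
        if tx.sender not in self.sanctioned:  # sanctioned source: not drained
            self.balance[tx.sender] -= tx.amount
            self.tainted[tx.sender] -= moved
        self.balance[tx.receiver] += tx.amount
        self.tainted[tx.receiver] += moved
        if moved > 0:
            self.binary.add(tx.receiver)

    def flag(self, addr, threshold=0.05):
        """Graded decision: flag only above a tainted-share threshold."""
        return self.impurity(addr) >= threshold


def run_demo():
    # Constructed scenario; 'mixer' stands in for a sanctioned withdrawal contract.
    t = ImpurityTracker({"mixer"}, {"otc_desk": 36.0, "victim": 100.0})
    for tx in [Transfer("mixer", "attacker", 10.0),   # full-taint withdrawal
               Transfer("attacker", "cashout", 5.0),  # fresh address, fully tainted
               Transfer("attacker", "otc_desk", 4.0), # dilutes to 4/40 of balance
               Transfer("mixer", "victim", 0.001)]:   # dust to an unrelated address
        t.apply(tx)
    return t
```

Under the binary rule the dusted victim is indistinguishable from the attacker's cash-out address; under the graded score it sits orders of magnitude below any sensible threshold.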
Need help tracing stolen funds, understanding complex transaction flows, or building monitoring pipelines? Contact us at [email protected].