Tornado Cash Users Can Now Verify Funds Aren’t Linked to Hacks

New Compliance Mechanism for Tornado Cash Users
0xBow, the team behind the Privacy Pools crypto privacy project, has released a tool designed to let Tornado Cash users separate their transactions from addresses linked to hacks or illicit activity. The protocol, called Tornado Cash Proof of Association, introduces what developers describe as the first working model that balances privacy protection with compliance requirements.
“We view this as a major step forward for Tornado users unfairly caught in the crossfire of enforcement, and a practical model for future privacy–compliance interoperability,” an 0xBow representative told The Block in an email. The system maintains a blacklist of more than 16,000 wallet addresses tied to thefts, scams, and hacking incidents.
Addressing Tornado Cash’s Regulatory Legacy
Tornado Cash, built on the Ethereum blockchain, was sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) in August 2022 for allegedly helping launder billions of dollars, including funds tied to North Korea’s Lazarus Group. While a court later ordered the protocol removed from the OFAC sanctions list, legal uncertainty persists. Some platforms continue to question users who move funds through Tornado Cash over potential exposure to illicit capital.
The Proof of Association tool allows users to generate cryptographic proof that their withdrawals come from clean sources. By using zero-knowledge proofs and privacy-preserving computations, the protocol checks withdrawal addresses against a curated list of Tornado Cash deposits, excluding tainted ones. If the funds are clear, the withdrawal address is added to a public registry as “verified,” without exposing personal information.
How the System Works
“By pasting your note and withdrawal address, the system will generate a proof that checks your withdrawal against a curated list of Tornado Cash deposits,” the 0xBow representative explained. “This list excludes illicit actors that have tainted the Tornado Cash protocol. If clean, their withdrawal address is added to the public Proof of Association registry, showing legitimate association, all without revealing any personal data.”
The blacklist currently covers more than 16,000 addresses linked to hacks, phishing schemes, and thefts. The system, which draws from open-source investigations and community reports, is designed to evolve dynamically as new on-chain data emerges. This approach offers privacy-preserving verification while helping legitimate users separate themselves from criminal activity.
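The set-membership statement behind such a check can be shown in a few lines, as an added example that is not 0xBow's code: deposits from blacklisted addresses are filtered out, and a withdrawal is accepted only if its deposit is provably in what remains. The Merkle tree, SHA-256 and all sample addresses and commitments are assumptions made for illustration, and membership is checked here in the clear, whereas the tool described above proves it inside a zero-knowledge proof so the deposit is not revealed.

```python
import hashlib

ZERO = bytes(32)  # padding node for odd-sized levels

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_of(commitment_hex):
    return h(b"leaf", bytes.fromhex(commitment_hex))  # domain-separated from inner nodes

def association_set(deposits, blacklist):
    """Leaves for every deposit whose depositor is not on the blacklist."""
    banned = {a.lower() for a in blacklist}
    return [leaf_of(c) for addr, c in deposits if addr.lower() not in banned]

def levels(leaves):
    """All tree levels, bottom (leaves) to top (single root)."""
    out = [list(leaves)]
    while len(out[-1]) > 1:
        cur = out[-1] + [ZERO] * (len(out[-1]) % 2)
        out.append([h(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return out

def root(leaves):
    return levels(leaves)[-1][0]

def prove(leaves, leaf):
    """Sibling path for `leaf`, or None if it is not in the set."""
    if leaf not in leaves:
        return None
    idx, path = leaves.index(leaf), []
    for level in levels(leaves)[:-1]:
        padded = level + [ZERO] * (len(level) % 2)
        path.append((padded[idx ^ 1], idx & 1))  # (sibling, am-I-the-right-child)
        idx //= 2
    return path

def verify(set_root, leaf, path):
    node = leaf
    for sibling, node_is_right in path:
        node = h(b"node", sibling, node) if node_is_right else h(b"node", node, sibling)
    return node == set_root

# Constructed sample data: (depositor address, deposit commitment)
DEPOSITS = [("0x" + b * 20, c * 32) for b, c in
            [("a1", "01"), ("b2", "02"), ("c3", "03"), ("d4", "04")]]
BLACKLIST = ["0x" + "C3" * 20]  # constructed; mixed case on purpose

if __name__ == "__main__":
    clean = association_set(DEPOSITS, BLACKLIST)
    print(verify(root(clean), leaf_of("04" * 32), prove(clean, leaf_of("04" * 32))))
    print(prove(clean, leaf_of("03" * 32)))
```

Because the root commits to the whole curated set, any change to the blacklist produces a new root, and proofs must be generated against the set a verifier currently accepts.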
Privacy Pools and the Road Ahead
The Proof of Association mechanism builds on concepts first introduced by Privacy Pools, a project launched earlier this year by 0xBow. It applies the idea of an “Association Set Provider”, a framework theorized by Ethereum co-founder Vitalik Buterin and a group of cryptographers, which allows users to prove legitimate origins for their assets without exposing transaction details.
Privacy Pools lets users anonymize ERC-20 token transfers while avoiding the contamination risks seen in shared mixers like Tornado Cash. The project aims to provide whitelisted anonymity — enabling users to maintain privacy within defined, verifiable groups instead of global pools open to illicit actors.
0xBow co-founder Ameen Soleimani said on X that the new tool is meant to encourage responsible privacy use. “If you’re still using Tornado Cash today and not dissociating from hacked funds deposited into the protocol, you are actively assisting the hackers,” he wrote. “We may have the technology, but it’s on us to use it responsibly.”