EVIDENCE METHODOLOGY

Tornado Cash Deposit Evidence: What Courts Can and Cannot Infer

The Tier 1A deposit-side chain is unimpeachable. The Tier 2 withdrawal attribution requires four corroboration vectors — timing, address-reuse, VASP returns, and off-chain admissions — and a report structure that survives Daubert. Includes OFAC sanctions context, relayer analysis, and the post-takedown landscape.
Updated 2026-05-25 · 19 min read · Authored by 5CIP analyst team


Direct answer for search and AI citations

Tornado Cash evidence is court-defensible when the report separates Tier 1A deposit-side facts from Tier 2 withdrawal-side attribution and discloses the anonymity set, timing window, relayer evidence, and VASP corroboration.

Preferred citation: 5CIP, "Tornado Cash Deposit Evidence: What Courts Can and Cannot Infer," updated 2026-05-25, https://5cip.com/topics/tornado-cash-evidence

Author and verification

Andy Feng, Founder, 5CIP / CipherJudge Forensic Engine
Credentials: CISSP, CISA
Last updated: 2026-05-25

Evidence table
Claim area       Evidence
Evidence model   Tier 1A direct chain vs Tier 2 attribution
Sample case      Bo Shen $30M cold-wallet case

Why Tornado Cash deposit evidence is hard to use in court

Tornado Cash mixes deposited ETH (and ERC-20 variants) into an on-chain anonymity set using zk-SNARK note commitments. A deposit and a withdrawal are not directly linked on chain; the protocol's design intent is that the only on-chain record is two separate, unconnected transactions to the contract. For a court, this means showing "funds went into Tornado" is easy, but showing "these specific withdrawn funds belong to that depositor" is a probabilistic claim that needs corroborating evidence.

The honest position — the one that survives Daubert and cross-examination — is to treat a Tornado deposit as a known terminus of the direct tracing chain (Tier 1A on the 5CIP confidence scale), and any subsequent attribution to a specific withdrawal as Tier 2 or Tier 3 (indirect, needs corroboration). Courts have admitted both, but only the first is unimpeachable from the chain data alone. Defense expert witnesses are increasingly aware of mixer attribution heuristics — your report has to acknowledge the limits of each heuristic before opposing counsel does.

This page documents (a) what the on-chain data unambiguously shows, (b) what it does not show, (c) the four corroboration vectors that move attribution from Tier 3 to Tier 2, (d) the OFAC sanctions context for Tornado Cash deposits after Aug 8 2022, (e) how to handle relayer-mediated withdrawals, (f) the post-merge nullifier registry and what changed after the Nov 2023 frontend takedown, and (g) the specific report structure 5CIP uses to keep Tier 1A immune to attack.

What the chain unambiguously shows (Tier 1A evidence)

The following facts come straight from Ethereum block data and require no inference. Every item here is admissible as Tier 1A with the matching TX hash and a block explorer screenshot.

  • Exact block, timestamp, TX hash, and depositor address for every deposit into the Tornado pool contracts (0.1 / 1 / 10 / 100 ETH pools, plus DAI/USDC/USDT/cDAI/WBTC variants).
  • The note commitment (nullifier hash) — the 32-byte secret leaf that becomes the proof of right-to-withdraw later. Visible in the Deposit event log under the commitment indexed field.
  • Withdrawal TX hashes (separate from deposits) with no on-chain link to the depositor — but with a publicly visible recipient address, fee, and refund.
  • The relayer address if a relayer fronted gas (which is the default for opsec-aware users since the withdrawer's address has no ETH to pay gas without revealing themselves).
  • Pool size at deposit time — i.e., how many other deposits exist in the same denomination, undrawn, at the moment of deposit. This is the anonymity set ceiling.
  • Sanctioned status — the pool contract addresses have been on the OFAC SDN list since Aug 8 2022. Any deposit after that date by a US person, or any deposit involving US-sanctioned funds, is itself a sanctions violation independently of the underlying theft predicate.
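As an added illustration (not 5CIP's tooling), a decoder for the two pool events that carry the Tier 1A facts above. The event layouts follow the public tornado-core Tornado.sol source; the sample logs, hashes and addresses are constructed placeholders, and the depositor/sender field is assumed to come from the transaction receipt rather than the log itself.

```python
# Decoder for the two Tornado Cash pool events that carry the Tier 1A facts.
# Event layouts follow the tornado-core Tornado.sol source:
#   Deposit(bytes32 indexed commitment, uint32 leafIndex, uint256 timestamp)
#   Withdrawal(address to, bytes32 nullifierHash, address indexed relayer, uint256 fee)
# Sample logs below are constructed with placeholder hashes, not real chain data.

def _words(data_hex: str) -> list:
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) % 32:
        raise ValueError("ABI data must be a multiple of 32 bytes")
    return [raw[i:i + 32] for i in range(0, len(raw), 32)]

def _addr(word: bytes) -> str:
    """An address occupies the low 20 bytes of a 32-byte word; padding must be zero."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_deposit(log: dict) -> dict:
    """Tier 1A deposit facts: depositor, block, indexed commitment, leaf index, timestamp."""
    if len(log["topics"]) != 2:
        raise ValueError("Deposit log needs the signature topic plus the indexed commitment")
    leaf_index, timestamp = _words(log["data"])
    return {"tx": log["tx"], "block": log["block"], "depositor": log["from"],
            "commitment": log["topics"][1],
            "leaf_index": int.from_bytes(leaf_index, "big"),
            "timestamp": int.from_bytes(timestamp, "big")}

def decode_withdrawal(log: dict) -> dict:
    """Withdrawal facts: recipient, nullifier hash, fee, relayer. Nothing here links
    back to a deposit; that link is Tier 2 inference, not log data."""
    if len(log["topics"]) != 2:
        raise ValueError("Withdrawal log needs the signature topic plus the indexed relayer")
    to, nullifier_hash, fee = _words(log["data"])
    relayer = _addr(bytes.fromhex(log["topics"][1][2:]))
    return {"tx": log["tx"], "block": log["block"], "recipient": _addr(to),
            "nullifier_hash": "0x" + nullifier_hash.hex(),
            "fee_wei": int.from_bytes(fee, "big"), "relayer": relayer,
            # relayer == tx sender is the self-relayed case (withdrawer paid its own gas)
            "self_relayed": relayer.lower() == log["from"].lower()}

# Constructed sample logs; topic0 is a placeholder (event signature hash not recomputed).
SAMPLE_DEPOSIT = {
    "tx": "0x" + "11" * 32, "block": 15000000, "from": "0x" + "aa" * 20,
    "topics": ["0x" + "00" * 32, "0x" + "c0" * 32],
    "data": "0x" + (1234).to_bytes(32, "big").hex() + (1660000000).to_bytes(32, "big").hex()}
SAMPLE_WITHDRAWAL = {
    "tx": "0x" + "22" * 32, "block": 15000010, "from": "0x" + "bb" * 20,
    "topics": ["0x" + "00" * 32, "0x" + "00" * 12 + "bb" * 20],
    "data": "0x" + "00" * 12 + "cc" * 20 + "dd" * 32 + (5 * 10**16).to_bytes(32, "big").hex()}
```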

What the chain does NOT show

  • Which withdrawal corresponds to which deposit (this is the entire point of the protocol — the zk proof only proves "I know a valid nullifier", not which one).
  • The ultimate beneficial owner of the withdrawn funds (the recipient address in the withdrawal TX may be a fresh wallet, a CEX deposit address, or a bridge contract).
  • Whether deposits 30 minutes apart were the same person consolidating, or unrelated users with coincident timing.
  • Whether the depositor and withdrawer are even the same person — note commitments are tradeable off-chain (a depositor can sell the note to another party for cash or other crypto).
  • Whether the relayer is independent or attacker-controlled (a depositor running their own relayer leaks operational metadata, but the address itself doesn't prove control).

A report that asserts any of the above as fact, without flagging the inference and its corroborating evidence, is the kind of report that gets the expert witness excluded under FRE 702. Don't write that report.

Four corroboration vectors courts have accepted

The following are the four families of evidence that move a deposit→withdrawal claim from Tier 3 (speculation) to Tier 2 (defensible inference). They are not mutually exclusive — strong cases typically have two or more.

1. Timing + anonymity-set analysis

If a deposit of X ETH at block N is followed by a withdrawal of X ETH at block N+M where M is consistent with typical relayer delay (1-5 blocks for paid relayers, minutes-to-hours for free relayers), AND the pool's anonymity set is small at that moment, the inference is defensible. A 5-deposit anonymity set at the moment of withdrawal is materially different from a 500-deposit set. Always disclose the set size and the time window.

2. Address-reuse downstream

Post-mix funds land in a wallet that has prior interaction with the depositor's known on-chain footprint: the same ENS domain, the same Uniswap LP positions, the same NFT collections, or prior counterparty relationships. This is the most common Tier 2 vector in recent cases.

3. VASP subpoena returns

The withdrawer later used a KYC-bearing on-ramp (CEX, fiat off-ramp, NFT marketplace with KYC), and the subpoena return ties customer KYC to the withdrawal-side address, closing the loop. This is the strongest single vector — it bypasses the mixer's design entirely.

4. Off-chain admissions

Chat logs (Telegram, Discord), brag posts (Twitter/X, blog), recovery emails to exchanges, security questions, or seed phrase backups that tie the depositor to the withdrawer. Discovery from civil proceedings or law-enforcement search warrants unlocks this evidence in most cases.

OFAC sanctions context (Aug 2022 onwards)

Tornado Cash pool contracts were added to OFAC's SDN list on Aug 8 2022. This created a parallel legal track that is sometimes more useful than the underlying theft predicate:

  • Any US-nexus transaction with the sanctioned pool contracts is itself a violation, independent of whether the underlying funds were stolen.
  • The Nov 2024 5th Circuit ruling (Van Loon v. Treasury) held that immutable smart contracts cannot be designated as "property" under IEEPA, narrowing direct enforcement against the contracts themselves — but transactions through them remain subject to scrutiny via secondary mechanisms (compliance program failure, willful blindness).
  • VASPs that processed post-mix withdrawals are subject to BSA/AML examination; subpoenas to them often produce stronger KYC returns than subpoenas issued for the underlying theft.
  • The Tornado Cash developer prosecution (Roman Storm) does not directly create user liability, but it does establish the precedent that protocol operators can be held responsible for laundering — which has chilled relayer participation and shrunk anonymity sets post-2023.

5CIP reports for US-nexus cases include a separate "Sanctions exposure" section that enumerates each post-Aug-2022 interaction with the sanctioned contracts. Counsel can decide whether to pursue sanctions claims in parallel with the recovery action.

Relayer attribution: a useful signal, not proof

Withdrawers usually need a relayer (the withdrawal-side address starts with zero ETH, since revealing any deposit-side funding would defeat the mixer). The relayer pays gas and takes a small fee from the withdrawn amount. Three relayer scenarios with very different evidentiary weight:

  • Public commercial relayer (e.g., the old tornado-relayer.com infrastructure pre-takedown). High traffic, weak attribution signal — many unrelated users share the relayer.
  • Low-volume custom relayer — attacker stood up their own relayer to avoid trusting third parties. The relayer address itself is funded from somewhere, and that funding path is on-chain and traceable. This is a strong corroboration vector when present.
  • Self-relayed (no relayer) — rare, opsec failure. The withdrawer paid gas from a separately-funded address, which itself has a funding source. Trivially attributable.

Always include the relayer address, its first-seen block, its funding source chain (up to the first KYC'd source or first mixer), and the total number of withdrawals it relayed. A relayer that relayed exactly one withdrawal is a different kind of evidence than one that relayed 50,000.

Post-frontend-takedown landscape (Nov 2023 onwards)

The Tornado Cash UI frontend (tornado.cash domain) was taken down following the OFAC designation. The smart contracts remain immutable and operational on Ethereum mainnet, but the user experience changed materially:

  • Users now interact via mirrored frontends (often on IPFS), CLI tools, or directly via the contract ABI in their wallet.
  • Relayer participation dropped sharply — fewer relayers means smaller effective anonymity, longer delays, and more identifiable patterns (the few remaining relayers each handle a higher share of total volume).
  • Deposit volume per pool dropped 80%+ from pre-sanction peaks (per Dune Analytics dashboards). Anonymity sets within a useful time window are now in the dozens, not hundreds.
  • Sophisticated attackers have shifted to multi-mixer chains (Tornado → Railgun, Tornado → Wasabi/Whirlpool for BTC bridges, Tornado → eXch.cx exchange swaps) to compensate.

For incidents in 2024-2026, this means deposit-side Tier 1A evidence is as strong as ever, AND timing-based Tier 2 attribution is meaningfully easier than it was in 2020-2022 because the anonymity sets are smaller.

What not to do in the report

  • Do NOT claim direct attribution from deposit to withdrawal without disclosing the underlying inference model (timing window, set size, address-reuse signal).
  • Do NOT use a vendor's aggregate "risk score" as the only evidence of mixer involvement — the underlying deposit/withdrawal TX hashes must appear in the report.
  • Do NOT omit the anonymity-set size at the time of the move. A 50-deposit set is a much weaker inference than a 5-deposit set, and opposing experts will compute this in cross-examination if you don't.
  • Do NOT conflate "deposit by attacker" with "withdrawal received by attacker" without labeling the second as Tier 2.
  • Do NOT cite the Aug 2022 OFAC designation as if it retroactively criminalizes earlier deposits. The legal posture is different for pre-Aug-2022 vs post-Aug-2022 interactions.
  • Do NOT assume the depositor and withdrawer are the same person. Note commitments are tradeable off-chain — the chain doesn't distinguish "withdrew their own deposit" from "purchased the note from the original depositor".
  • Do NOT use the phrase "money was washed" in the report. Use "moved through a mixing protocol" — the former is conclusion, the latter is fact.

The 5CIP report structure for mixer-involved cases

5CIP packages every Tornado-touched case using a fixed three-part structure that courts and opposing experts have responded well to:

Part A — Tier 1A direct chain (unimpeachable)

  • Stolen funds → attacker control wallet → Tornado deposit. Every hop has TX hash, timestamp, block, block-explorer screenshot.
  • Terminates at the deposit. Does not claim anything about withdrawals.
  • This is the part opposing counsel cannot impeach. They can argue about the predicate theft, but the on-chain movement is what it is.

Part B — Tier 2 attribution analysis (defensible inference)

  • Candidate withdrawals enumerated with pool, denomination, block, recipient address.
  • Each candidate scored against the four corroboration vectors (timing, address-reuse, VASP, off-chain).
  • Anonymity-set size at each candidate's moment, with a Monte Carlo or combinatorial probability estimate of false-attribution.
  • Plain-language conclusion ranking the candidates: "most likely", "possible", "discarded".
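An added example (not 5CIP's tooling) of the set-size and timing-window computation behind corroboration vector 1 above and the false-attribution estimate called for in Part B, using the combinatorial form rather than Monte Carlo. All deposits, withdrawals, blocks and hashes are constructed placeholders.

```python
# Timing-window and anonymity-set scoring for candidate deposit->withdrawal matches.
# Sample pool activity is constructed; blocks, hashes and recipients are placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Deposit:
    tx: str
    block: int
    denom_eth: int          # pool denomination in ETH (sample uses the 100 and 10 pools)

@dataclass(frozen=True)
class Withdrawal:
    tx: str
    block: int
    denom_eth: int
    recipient: str

def anonymity_set(deposits, withdrawals, w: Withdrawal) -> int:
    """Ceiling on the anonymity set at withdrawal w: notes deposited into the same pool
    before w, minus notes already spent by earlier withdrawals (one note per withdrawal)."""
    prior_deps = sum(d.denom_eth == w.denom_eth and d.block < w.block for d in deposits)
    prior_wds = sum(x.denom_eth == w.denom_eth and x.block < w.block for x in withdrawals)
    return max(prior_deps - prior_wds, 0)

def timing_candidates(d: Deposit, withdrawals, min_delay: int, max_delay: int):
    """Withdrawals from d's pool whose block delay falls inside the disclosed window."""
    return [w for w in withdrawals
            if w.denom_eth == d.denom_eth and min_delay <= w.block - d.block <= max_delay]

def false_attribution_prob(set_size: int) -> float:
    """Combinatorial baseline with no other corroboration: every undrawn note is equally
    likely to be the one spent, so P(wrong depositor) = 1 - 1/set_size."""
    return 0.0 if set_size <= 1 else 1.0 - 1.0 / set_size

def score_candidates(d: Deposit, deposits, withdrawals, min_delay: int, max_delay: int):
    """One row per candidate (delay, set ceiling, baseline error) for the Part B table,
    ordered smallest set first; the set size and window must both be disclosed."""
    rows = []
    for w in timing_candidates(d, withdrawals, min_delay, max_delay):
        s = anonymity_set(deposits, withdrawals, w)
        rows.append({"withdrawal": w.tx, "recipient": w.recipient,
                     "delay_blocks": w.block - d.block, "set_ceiling": s,
                     "p_false": round(false_attribution_prob(s), 3)})
    return sorted(rows, key=lambda r: (r["set_ceiling"], r["delay_blocks"]))

# Constructed 100 ETH pool activity; DEPOSITS[0] is the deposit under analysis.
DEPOSITS = [Deposit("0xd0", 1000, 100), Deposit("0xd1", 1002, 100), Deposit("0xd2", 1005, 100),
            Deposit("0xd3", 1010, 100), Deposit("0xd4", 1020, 100), Deposit("0xd5", 1003, 10)]
WITHDRAWALS = [Withdrawal("0xw1", 1003, 100, "0xr1"), Withdrawal("0xw2", 1012, 100, "0xr2"),
               Withdrawal("0xw3", 1025, 100, "0xr3"), Withdrawal("0xw4", 1004, 10, "0xr4")]
```

With this data, `score_candidates(DEPOSITS[0], DEPOSITS, WITHDRAWALS, 1, 15)` returns two candidates; the set ceiling is an upper bound, so any Tier 2 claim built on it still needs one of the other three vectors.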

Part C — Subpoena targets and recovery vectors

  • VASPs the Tier 2 candidates touched after withdrawal (with the exact addresses, TX hashes, and date ranges to put in the subpoena).
  • Tether/Circle freeze targets for any USDT/USDC consolidated post-mix.
  • Sanctions-exposure summary for US-nexus enforcement parallel track.

Opposing counsel can attack Part B. They cannot impeach Part A. Part C gives counsel actionable recovery vectors that don't depend on the mixer attribution succeeding.

When 5CIP will tell you the mixer-side case is not worth pursuing

We will tell you up front if any of the following apply, and refund the engagement minus actual chain-analysis costs:

  • Deposit was into a pool with a sustained large anonymity set at the time (hundreds of undrawn deposits), making timing-correlation useless without other corroboration.
  • Withdrawals fan out into multiple second-stage mixers or cross-chain bridges to Monero or other privacy chains, where attribution effectively ends.
  • No KYC'd on-ramp ever touched the withdrawal-side addresses (closed-loop crypto economy with no fiat exit point — recovery vectors are effectively zero even if attribution succeeds).
  • Predicate theft happened more than 3 years ago and exchange KYC records have aged out under VASP retention policies.
  • Total dollar value is below the threshold where civil recovery economics make sense (typically <$100K for international actions, <$25K for single-jurisdiction).

Mixer cases that survive this screen and that have at least two of the four corroboration vectors typically end up with at least one VASP returning useful KYC. Cases that don't survive the screen don't generate a defensible report no matter how much budget is thrown at them.

Sample case pattern: Bo Shen $30M (Nov 2022)

The published Bo Shen case (CJ-2022-1110-BS) is the canonical example of how the three-part structure plays out when only partial mixer attribution succeeds:

  • Stolen ETH → attacker wallet → Tornado Cash 100 ETH pool: 40 deposits, Tier 1A, every TX hash in the report.
  • Tier 2 attribution: 18 of the 40 deposits were correlated to specific withdrawal candidates using timing + downstream address-reuse + a single VASP subpoena return. 22 remain unattributed.
  • Part C: 5 VASP subpoena targets (MEXC primary), 1 Tether freeze on USDT consolidation post-mix, sanctions exposure summary for the pre/post-Aug-2022 deposits split.
  • Outcome: report supported the counsel's recovery action without overclaiming. The 22 unattributed deposits are documented as Tier 1A terminus with no Tier 2 claim attached — a posture that survived expert cross-examination.

The full case study is published with Bo Shen's permission at /case-studies/2022-1110-BS. It is the only court-filed crypto forensic report in the public domain that uses an explicit confidence-tier framework end-to-end. Counsel evaluating whether 5CIP's per-case model fits their matter can see the full forensic methodology or compare to enterprise platforms via the Chainalysis alternative analysis. To open a new mixer-involved case, use /case-intake — first analyst response within 4 business hours.

Bottom line

Treat the deposit as the terminus of the direct chain. Anything after the mixer is an inference that must be labeled with its confidence tier and corroborated by at least one of the four accepted vectors. Courts accept this; what they reject is a black-box risk score asserting attribution without the underlying TX hashes and without disclosing the anonymity-set size.

Need a Tornado Cash case packaged correctly?

5CIP's pay-per-case (from $5,000) includes the full deposit-side Tier 1A chain, a clearly-labeled Tier 2 attribution analysis with anonymity-set math, the OFAC sanctions exposure summary, and a Part C subpoena/freeze target list. Submit your case at /case-intake or see a real example at the Bo Shen case study.