
Crypto mixers explained: how tumblers, CoinJoin, and Tornado Cash work, plus their real legal status across the US and EU in 2026.
Author: Akshat Thakur
A crypto mixer is a tool that obscures the link between the sender and receiver of a cryptocurrency transaction by pooling and blending funds from many users. Public blockchains permanently record every transaction. Mixers attempt to make it more difficult for outside observers to determine which sender corresponds to which recipient.
Mixers do not erase blockchain records. Instead, they interrupt direct transaction traceability by redistributing value through shared pools or privacy-preserving mechanisms. The underlying transactions remain visible on the blockchain, but identifying relationships between addresses becomes more difficult.
Crypto mixers generally fall into two categories. Custodial tumblers rely on a third-party operator that receives funds and later returns different coins from a common pool. This model requires users to trust the operator. Non-custodial protocols and techniques allow users to retain control of their assets while privacy protections arise from cryptographic methods or collaborative transaction structures.
Marquee examples include Tornado Cash, which used zero-knowledge technology on Ethereum, and Samourai Wallet, which incorporated CoinJoin-based privacy features for Bitcoin.
The legal landscape remains complex and differs sharply across jurisdictions. In 2026, United States sanctions against Tornado Cash have been lifted following court decisions and regulatory action. However, several mixer operators and developers have faced criminal prosecution.
In the Tornado Cash case, prosecutors argued that the developers facilitated illicit transactions and operated an unlicensed money transmitting business. The defense argued that the immutable smart contracts functioned as autonomous open-source software beyond the developers’ control. In the Samourai Wallet case, prosecutors alleged that the service operated without required licenses, while the defense challenged that interpretation.
The central policy debate concerns financial privacy versus illicit finance. Supporters view mixers as privacy tools for transparent blockchains. Critics argue that the same tools can conceal criminal proceeds. This article provides general information only and does not constitute legal advice. Laws vary by jurisdiction and may change over time.
Public blockchains such as Bitcoin and Ethereum are transparent by design. Every transaction is recorded on a permanent ledger that anyone can inspect. Although users transact through wallet addresses rather than real names, blockchain networks are generally considered pseudonymous, not anonymous.
Pseudonymity means that an address does not automatically reveal its owner. However, transaction histories remain publicly visible and can often be linked together over time. When blockchain activity intersects with regulated exchanges that perform know-your-customer checks, it may become possible to associate on-chain activity with real-world identities.
Chain-analysis firms specialize in this process. They analyze transaction patterns, cluster related addresses, and compare blockchain activity with information obtained from exchanges, businesses, and publicly known wallets. As these analytical techniques have advanced, linking addresses to individuals or organizations has become easier in many cases.
For this reason, some users seek additional privacy protections. Legitimate privacy concerns extend beyond criminal activity. Individuals may prefer not to expose personal spending habits, charitable donations, salaries, medical payments, or family financial arrangements to public scrutiny.
Businesses may also value financial confidentiality. Public visibility into treasury movements, supplier relationships, or strategic transactions can reveal commercially sensitive information. Journalists, researchers, activists, and organizations operating in politically sensitive environments may similarly seek greater privacy.
Transparent financial histories can also create security risks. Publicly visible holdings may attract unwanted attention or increase the likelihood of targeting, particularly in regions with unstable political or legal systems.
Privacy tools, including mixers, attempt to reduce the ease with which blockchain activity can be connected to specific individuals or entities. They do not make transactions invisible. Instead, they increase uncertainty and complicate direct attribution.
At the same time, these tools have also been used to conceal illicit activity. The existence of both legitimate and unlawful uses remains central to ongoing regulatory and policy debates surrounding cryptocurrency privacy.

Crypto mixers use different technical approaches to reduce the traceability of transactions on public blockchains. While their designs vary, each model attempts to weaken the visible relationship between transaction inputs and outputs.
Custodial tumblers represent the most centralized approach. Under this model, a third-party operator receives cryptocurrency from multiple users, combines those assets into a shared pool, and later redistributes funds.
Because the returned assets originate from a common reserve, outside observers may find it more difficult to determine the original transaction path. This structure requires users to trust the operator, creating risks related to fraud, theft, record retention, or regulatory intervention.
CoinJoin uses a different design. Rather than relying on a central intermediary, multiple Bitcoin users collaboratively construct a single transaction.
By combining many participants into one transaction, CoinJoin makes it more difficult for observers to determine which transaction inputs correspond to which outputs. Importantly, participants generally retain control of their private keys throughout the process, meaning no intermediary takes custody of the assets.
Zero-knowledge pool mixers rely on cryptographic proofs instead of centralized operators or collaborative transaction assembly. Tornado Cash provides a well-known example of this model on Ethereum.
These systems use zero-knowledge proofs to demonstrate that a participant is entitled to interact with a shared pool without revealing which specific deposit belongs to that participant. The cryptographic proof verifies legitimacy while concealing the underlying transaction relationship.
The three approaches differ primarily in where they place trust. Custodial tumblers depend on operators. CoinJoin distributes coordination among participants while preserving self-custody. Zero-knowledge pools shift privacy protections toward cryptographic guarantees embedded within smart contracts.
None of these designs guarantees complete anonymity. Public blockchains continue to record transaction activity, and investigators may combine blockchain data with external information sources. As a result, privacy protections exist on a spectrum rather than as an absolute condition.

CoinJoin emerged as one of Bitcoin’s best-known privacy techniques. Instead of relying on a central custodian, it allows multiple users to participate in a single transaction, making it more difficult for outside observers to determine which inputs correspond to which outputs. Over time, wallets such as Wasabi Wallet and Samourai Wallet helped bring CoinJoin into mainstream Bitcoin privacy discussions.
Both projects relied on coordinators that helped organize collaborative transactions. Although users generally retained control of their keys, the coordinators became important pieces of infrastructure. By the early 2020s, Wasabi and Samourai had become the most prominent Bitcoin privacy wallets.
Regulatory enforcement reshaped that landscape in 2024.
On April 24, 2024, U.S. authorities arrested Samourai Wallet co-founders Keonne Rodriguez and William Lonergan Hill. Prosecutors charged them with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business.
Authorities alleged that Samourai processed billions of dollars in transactions, including substantial criminal proceeds. Defense supporters argued that Samourai was non-custodial software designed to enhance financial privacy rather than a money transmitting business.
In July 2025, both founders pleaded guilty to conspiracy to operate an unlicensed money transmitting business and were later sentenced to prison.
Wasabi followed a different path. In April 2024, zkSNACKS, the company behind Wasabi’s CoinJoin coordinator, announced that U.S. residents would no longer be able to use its coordination services. The company subsequently discontinued the coordinator entirely, effectively ending the wallet’s integrated CoinJoin feature.
These developments significantly constrained Bitcoin mixing. The two most widely used coordination services either shut down or became subject to criminal enforcement.
Privacy activity did not disappear, but it fragmented across smaller projects and experimental alternatives. Compared with the period before 2024, Bitcoin mixing today operates in a far more restricted legal and operational environment.
For a broader overview of privacy-focused wallets, see the Best Web3 Privacy Wallets guide.
Tornado Cash launched on Ethereum in 2019 as a non-custodial, open-source privacy protocol built around zero-knowledge cryptography. Unlike custodial tumblers, it relied on autonomous smart contracts rather than a central operator. The protocol quickly became one of the most widely used privacy tools in decentralized finance.
The project’s legal significance emerged on August 8, 2022, when the U.S. Treasury’s Office of Foreign Assets Control, or OFAC, sanctioned Tornado Cash.
Treasury officials alleged that the protocol had been used extensively by North Korea’s Lazarus Group and other criminal actors to launder stolen cryptocurrency. The sanctions prohibited U.S. persons from interacting with designated addresses associated with the protocol.
The action immediately triggered controversy because OFAC had traditionally sanctioned people, companies, and property. Tornado Cash represented something different. Much of the protocol consisted of immutable smart contracts that continued operating without ongoing developer control.
Legal challenges followed. In November 2024, the Fifth Circuit Court of Appeals ruled that immutable Tornado Cash smart contracts did not constitute sanctionable property under existing law.
The court concluded that OFAC had exceeded its statutory authority when applying sanctions to those autonomous contracts. Following the ruling, the Treasury Department removed Tornado Cash from the sanctions list in March 2025.
The dispute extended far beyond one protocol. At its core was a fundamental legal question: can autonomous code running on a public blockchain itself be sanctioned?
Supporters of the sanctions argued that privacy protocols can facilitate large-scale illicit finance and should not remain beyond regulatory reach. Critics responded that sanctioning immutable software threatens open-source development and risks treating code itself as prohibited property.
The Tornado Cash litigation therefore became a defining case for blockchain privacy, open-source software, and the future limits of sanctions law.

The criminal prosecution of Tornado Cash developer Roman Storm became one of the most closely watched legal cases in cryptocurrency. At issue was not only Storm’s conduct, but also a broader question: can developers of non-custodial, open-source privacy tools be held criminally liable for how third parties use their software?
Federal prosecutors charged Storm in 2023 with conspiracy to commit money laundering, conspiracy to violate sanctions laws, and conspiracy to operate an unlicensed money transmitting business.
Prosecutors argued that Storm and his co-developers knowingly continued to support and promote Tornado Cash despite understanding that criminals, including North Korea’s Lazarus Group, were using the protocol to launder stolen funds. They also alleged that the developers failed to implement anti-money laundering controls required under U.S. law.
Storm’s defense presented a different picture. Defense lawyers argued that Tornado Cash consisted primarily of immutable, non-custodial smart contracts that operated autonomously after deployment.
They maintained that publishing open-source software does not amount to operating a money transmitting business and warned that criminal liability for downstream user conduct could chill software development and free expression.
In August 2025, a federal jury convicted Storm on one count of conspiracy to operate an unlicensed money transmitting business. Jurors failed to reach a verdict on the money laundering charge and found him not guilty on the sanctions count, producing a partial mistrial. Prosecutors later sought to retry the unresolved charge, while Storm’s legal team pursued post-trial motions challenging the conviction.
A related case unfolded in the Netherlands, where Tornado Cash developer Alexey Pertsev was convicted in 2024 for money laundering offenses connected to the protocol.
Crypto advocates, including Vitalik Buterin, have argued that holding developers responsible for third-party conduct threatens privacy innovation and open-source development. Regulators and prosecutors counter that developers who knowingly facilitate illicit finance cannot avoid responsibility simply because software is decentralized.
This material is provided for general information only. It is not legal advice. Laws vary by jurisdiction and continue to evolve. Consult qualified legal professionals for advice specific to your circumstances.
Crypto mixers sit at the center of one of the most difficult debates in digital finance because both sides of the argument are supported by evidence.
On one hand, mixers can protect legitimate financial privacy. Public blockchains permanently expose transaction histories, wallet balances, and payment patterns.
Ordinary users may not want employers, competitors, business partners, or strangers to view their financial activity. Journalists, activists, researchers, and individuals living under restrictive regimes may also seek additional privacy and security.
On the other hand, mixers have been used to conceal criminal proceeds. Investigators have linked mixing services to ransomware operations, exchange hacks, fraud schemes, and money laundering networks.
U.S. authorities have repeatedly alleged that North Korea’s Lazarus Group used privacy tools, including Tornado Cash, to move funds stolen from cryptocurrency platforms.
The tension is structural rather than ideological. The same technology that protects lawful privacy can also obscure illicit transactions. Most mixer designs do not distinguish between legitimate and unlawful intent.
Some newer privacy protocols attempt to address this problem through compliance-aware features. Railgun, for example, introduced a Proof of Innocence system designed to screen deposits against publicly identified illicit activity.
Users can later demonstrate that their funds did not originate from known sanctioned or criminal sources without revealing their broader transaction history. The approach seeks to preserve privacy while limiting clearly illicit use.
These designs introduce trade-offs. Screening mechanisms depend on external data sources and compliance standards, which may vary across jurisdictions. Additional verification requirements may also reduce the level of privacy available to users.
The dual-use problem therefore remains unresolved. Mixers respond to genuine privacy needs on transparent blockchains, yet they can also facilitate financial crime. Policymakers, developers, and users continue to debate where the appropriate balance should lie.

The legal treatment of cryptocurrency mixers differs substantially across jurisdictions. Regulatory frameworks continue to evolve, and several important questions remain unresolved.
In the United States, the legal environment changed significantly after the Treasury Department removed Tornado Cash from the sanctions list in March 2025 following the Fifth Circuit’s ruling that immutable smart contracts are not sanctionable property under existing law. U.S. authorities have also acknowledged that privacy tools may serve legitimate purposes.
However, enforcement against operators has continued. Federal prosecutors successfully pursued cases against the founders of Samourai Wallet, who pleaded guilty to conspiracy to operate an unlicensed money transmitting business.
The criminal case against Tornado Cash developer Roman Storm further illustrates ongoing uncertainty. While Storm was convicted on one count related to unlicensed money transmission, broader questions surrounding developer liability remain unresolved as post-trial proceedings continue.
The European Union has adopted a different approach. The Markets in Crypto-Assets Regulation, or MiCA, establishes licensing and conduct requirements for crypto-asset service providers. In addition, the EU’s Anti-Money Laundering Regulation introduces stricter rules for regulated firms.
Key provisions scheduled to take effect around 2027 prohibit regulated providers from maintaining anonymous crypto accounts and significantly restrict anonymity-enhancing services within supervised environments.
Outside the United States and European Union, approaches vary widely. Some jurisdictions like India have prohibited privacy coins or restricted their availability on licensed exchanges. Others apply existing anti-money laundering laws to mixers and privacy services without imposing explicit bans. Regulatory treatment continues to change as governments reassess privacy technologies.
Importantly, the legal status of a protocol, a service operator, and an individual user may differ. A tool that remains accessible at a technical level may still expose operators or users to legal obligations depending on local law.
This section describes current legal frameworks for informational purposes only. It is not legal advice. Laws differ by jurisdiction and change frequently. Readers should consult qualified legal professionals regarding their specific circumstances.
Public discussion about cryptocurrency mixers often treats software, service providers, and users as if they were legally identical. In practice, these activities carry different legal implications.
The first category involves writing or publishing open-source code. The Tornado Cash litigation highlighted this distinction. In 2024, the Fifth Circuit ruled that immutable smart contracts could not be sanctioned as property under existing law. The decision strengthened arguments that autonomous code and software publication should not automatically be treated as regulated financial activity.
The second category involves operating a service. Recent enforcement actions have focused heavily on this area. U.S. prosecutors alleged that Samourai Wallet’s founders operated an unlicensed money transmitting business and facilitated illicit transactions through coordinated services.
The founders later pleaded guilty to conspiracy to operate an unlicensed money transmitting business. Similarly, Roman Storm was convicted on one count related to operating an unlicensed money transmitting business, although other charges remain unresolved.
Authorities generally argue that actively maintaining, promoting, coordinating, or profiting from a service can create legal obligations independent of the underlying software. Defense teams in these cases have disputed that interpretation, particularly where services rely on non-custodial or autonomous technology.
The third category concerns individual users. In the United States, simply using a mixer is not automatically a criminal offense. However, using any financial tool to launder criminal proceeds, finance unlawful activity, or evade sanctions can violate existing laws. Other jurisdictions may apply different standards.
Distinguishing between these categories helps explain why court decisions and enforcement actions often reach different outcomes. Questions surrounding software publication have received certain judicial protections, while operating services has attracted substantial regulatory scrutiny.
This discussion is intended solely to explain current legal distinctions. It does not constitute legal advice. Laws vary across jurisdictions and continue to evolve. Readers should consult qualified legal counsel regarding their own circumstances.
Several important questions remain unanswered in the legal and technical evolution of cryptocurrency mixers.
One of the most closely watched developments is the continuing Roman Storm case. The outcome of further proceedings could help clarify how far criminal liability extends for developers of non-custodial, open-source privacy software. Courts have yet to establish clear boundaries between publishing code, maintaining a protocol, and operating a financial service.
Regulatory developments in Europe will also attract attention. The European Union’s new anti-money laundering framework will begin introducing stricter requirements for regulated crypto providers from 2027. How aggressively national authorities enforce restrictions related to anonymity-enhancing services and privacy tools remains uncertain.
In the United States, observers are watching whether the Treasury Department’s post-Tornado Cash approach endures. The lifting of sanctions following the Fifth Circuit ruling marked a significant shift, but future administrations and regulators may interpret privacy technologies differently.
Technology itself continues to evolve. Compliance-aware privacy designs, including systems that incorporate screening or selective disclosure mechanisms, are emerging as a possible middle path between complete transparency and unrestricted privacy. Whether these models gain meaningful adoption remains an open question.
The broader legal landscape remains unsettled. Courts, regulators, developers, and policymakers are still defining how existing financial laws apply to decentralized privacy technologies. New technical designs may create additional legal questions rather than resolve existing ones.
The most important takeaway is straightforward. The law surrounding cryptocurrency mixers is still being written. Rules differ significantly across jurisdictions and continue to change.
This article provides general information only and does not constitute legal advice. Readers should consult qualified legal professionals regarding their specific circumstances.
All the opinions in this article are that of the author and in no way are financial advice. Our Crypto Talk and the author always suggest you do your own research in crypto and to never take anything as financial advice that you read on the internet. Check our Terms and conditions for more info.