A Study on the Evolution of On-Chain Law Enforcement and Blacklist Systems: Regulatory Truth, Power Boundaries, and Disorder in the Crypto World

  • On-chain enforcement from 2022-2026 evolved into multi-layered governance, but list-based sanctions harm innocents and prove ineffective against state-level adversaries.
  • Tornado Cash: Court ruled immutable smart contracts are not property, OFAC overreached; yet criminal charges against developers continue, posing a dangerous precedent.
  • Mixer enforcement shifted to prosecuting developers (e.g., Samourai Wallet), creating a legal divide between pure code and operated services.
  • Chain analysis firms (Chainalysis, etc.) and stablecoin issuers (Tether, etc.) form a quasi-judicial public-private system lacking oversight and due process.
  • Global regulatory fragmentation: EU's MiCA provides certainty, US CLARITY Act stalled, Asia-Pacific trends toward standards; FATF pressure intensifies.
  • North Korea, Russia, Iran exploit crypto to bypass sanctions, rendering list-based enforcement largely obsolete.
  • Future paradigm shifts: risk grading over lists, multilateral coordination over unilateral action, targeting individuals over protocols, from antagonism to co-governance. Layered recommendations: users avoid mixer interactions, institutions adopt KYT frameworks, developers monitor legal boundaries.
Author: Cloud, Analyst at HTX Research

Summary

This report systematically reviews the evolution of on-chain enforcement and blacklisting systems from 2022 to 2026, covering five dimensions: the Tornado Cash case, enforcement of regulations related to coin mixers, the rise of the on-chain analytics industry, the divergence of regulatory frameworks in Europe, America, and Asia, and confrontations between state actors. The core conclusion is that the biggest problem with on-chain enforcement over the past four years is not that it is "not strict enough" but that it is "headed in the wrong direction"—continuing to tighten the old path of list-based sanctions will only harm innocent users and genuine decentralized innovation. The true direction for on-chain enforcement should be a three-pronged approach: risk grading, judicial independence, and technological autonomy.

Four key findings: First, the "unpunishability" of decentralized code has been confirmed by a Supreme Court ruling, and the Tornado Cash case marks the point at which list-based sanctions began to yield zero marginal utility. Second, Chainalysis, TRM Labs, and Tether have formed a "public-private partnership for on-chain enforcement," and the lack of independent oversight and appeal mechanisms for this "vigilante justice" is the core issue for regulatory discussions in the next stage. Third, the CLARITY Act developer safe harbor and the Roman Storm case are two major variables in the legal foundation of the DeFi industry over the next five years. Fourth, list-based enforcement has become substantially ineffective when facing sovereign adversaries such as North Korea, Russia, and Iran.

I. Introduction

The years 2022 to 2026 have been the most pivotal four years in the history of global crypto asset regulation. On August 8, 2022, OFAC, pursuant to the IEEPA, added 44 smart contract addresses of Tornado Cash to the SDN sanctions list—the first time the US government sanctioned a piece of "code" rather than a "person." The effectiveness of this executive order was subsequently completely undermined by a line of immutable code: Circle froze USDC, GitHub shut down its repository, and Uniswap blocked its frontend, but the underlying contracts remained completely unaffected; Tornado Cash still processed approximately $2.5 billion in transactions during the period the sanctions were in effect. Four years later, on-chain enforcement has evolved from administrative actions in a single jurisdiction to a multi-layered governance system—but the issues of its effective boundaries, legitimacy, and checks and balances are even more prominent than they were four years ago.

II. The Tornado Cash Case: A Living Example of Regulatory Overreach

The Tornado Cash case is the most important on-chain enforcement precedent of the past four years. The industry was shaken after the sanctions were implemented in August 2022: GitHub shut down its code repository, Circle froze USDC addresses that had interacted with Tornado Cash, and Uniswap's frontend blocked related trading pairs—but the underlying contracts remained completely unmoved. The effectiveness of an executive order was completely undermined by a single line of code. OFAC's enforcement assumptions were based on a fundamental misjudgment: that "freezing the frontend" was equivalent to "freezing the protocol." It turned out these were two different things—the sanctions list is a compliance list, not a physical injunction; frontend service providers will cooperate, but blockchain code does not.

On November 26, 2024, the U.S. Fifth Circuit Court of Appeals issued a landmark ruling in Van Loon v. Treasury Department, finding OFAC to have overstepped its authority: immutable smart contracts do not constitute "property" under IEEPA because they cannot be owned or controlled by anyone; they are merely "lines of code." On March 14, 2025, OFAC officially removed Tornado Cash from the SDN list. This nearly three-year-long lawsuit affirmed a principle at the institutional level—regulators cannot infinitely expand their power through "pocket laws" like IEEPA; they must have explicit congressional authorization. The era of "administrative cheapness" in U.S. crypto regulation has ended, and "certainty" itself is the industry's biggest institutional advantage.

But the matter is far from over. The prosecution has switched to an "if you can't beat the rules, beat the people" approach: the individual criminal charges against developers Roman Storm and Roman Semenov are still ongoing. A conviction for Storm would set a dangerous precedent: writing code = criminal liability, casting a chilling shadow over the entire open-source developer community. The prosecution's logic carries a clear slippery-slope risk: Tornado Cash was used by North Korean hackers → developers were aware → developers failed to stop it → developers constitute "unintentional" conspiracy. The verdict in the Roman Storm case will determine the legal foundation of the entire DeFi industry.

III. A Comprehensive Upgrade in Enforcement Against Coin Mixers: From Individual Prosecution to Systemic Crackdown

The Tornado Cash case changed the paradigm of law enforcement. The DOJ proved one thing in the Samourai Wallet case: you can lose the war against a protocol, but you can absolutely win the war against developers. In April 2024, the DOJ filed a lawsuit against the two founders, and in July 2025, they pleaded guilty in the Southern District of New York, facing a maximum sentence of five years in prison. The prosecution's logic was extremely cunning: Samourai was not "pure code," but a "complete service system" including UI, servers, and a charging model. This distinction—pure code versus a hybrid service system with operators involved—is the most critical legal watershed for the next five years. Its subtext is: as long as your protocol is maintained and people are charging for it, it is not "code" but a "service," and you are responsible for its abuse. Once this boundary is legally confirmed, all operators of DeFi protocols will face legal risks.

Enforcement efforts continue to intensify globally. In November 2023, OFAC sanctioned Sinbad.io; in March 2025, Germany's BKA, in conjunction with the US, Netherlands, and Finland, targeted Garantex; and in February 2025, the EU added Garantex to its sanctions list for the first time. Ironically, the stricter the enforcement against cryptocurrency mixers, the more efficient North Korea's money laundering becomes—Bybit's $1.5 billion theft in 2025 set a record for the largest single theft in crypto history, bringing North Korea's total stolen assets to $6.75 billion. Another significant event in 2025 was OFAC's attempt to "retroactively hold" Tornado Cash's former users accountable: the DOJ began subpoenaing early users, indicating that regulators are exploring a new path of "targeting users" rather than "targeting protocols."

IV. The Rise of On-Chain Analytics Industry and Blacklist Infrastructure

The true center of power for on-chain law enforcement lies not with governments, but with four major blockchain analytics platforms. Between 2022 and 2026, Chainalysis, TRM Labs, Elliptic, and Merkle Science have completed a leap from "address labeling tools" to "quasi-judicial extensions of power." If an address is marked as "high-risk," exchanges will freeze the account, and USDT issuers will freeze assets, with virtually no recourse. Chainalysis covers over 27 blockchains, its Reactor tool is used by over 1,500 agencies including the FBI, DOJ, and IRS, accounting for approximately 45% of global law enforcement. Its knowledge graph links over 1 billion addresses with over 134,000 real entities—effectively becoming an "on-chain ID card" system. Who owns an address is not determined by blockchain mathematics, but by the Chainalysis algorithm. TRM Labs monitors over 75% of global crypto transaction volume.

Launched in 2025, Beacon Network represents the next stage of evolution in on-chain compliance infrastructure. As the industry's first real-time information sharing platform, Beacon Network connects key participants such as Tether, TRON, and the T3 Financial Crimes Unit to the same data layer, theoretically reducing the freeze-destroy window from hours to minutes. However, the lack of external oversight for the expansion of power is the biggest loophole in the current system—on-chain analytics companies act as both "evidence collectors" and "fact-checkers," their marking conclusions directly determining whether an address is frozen or an individual is denied service, without any independent appeal channels.

The most alarming aspect is the issuers of stablecoins. Tether's USDT smart contract has three built-in functions: addBlackList, removeBlackList, and destroyBlackFunds, essentially stuffing "central bank" functionality into a commercial company's contract. In 2025, Tether blacklisted 4,163 addresses, freezing $1.26 billion and permanently destroying $698 million; 96.4% of the blacklisted addresses were never removed that year. This isn't "compliance," it's "quasi-judicial power." The Tron network's multi-signature wallet freeze has a 44-minute delay window—this "system vulnerability" is a "lifeline" for ordinary users. However, when stablecoin issuers upgrade their multi-signature architecture, the "controllability" of on-chain assets will become closer to that of traditional bank accounts—a fundamental challenge to the "decentralization" narrative of the crypto industry.

V. Accelerated Development of a Global Regulatory Framework: From Fragmentation to Systematization

The biggest loser in the global crypto regulatory framework over the past four years has been the United States, while the biggest winner has been Europe. This is not just a difference in legislative efficiency, but also a difference in regulatory philosophy. Europe has established a complete system with MiCA (passed in May 2023, implemented in phases in 2024, and fully implemented in 2025): CASP licenses, stablecoin reserve disclosure, extension of the FATF travel rules, and AMLA (operating in 2025, with direct regulation of high-risk CASPs from 2028). The true significance of MiCA lies not in how strict it is, but in the "certainty" it provides—institutional funds can be allocated based on clear rules, and fiat-pegged stablecoins can operate within a compliant framework.

The US, meanwhile, has spent four years embroiled in political polarization. In July 2025, the House of Representatives passed the Digital Asset Market Clarity Act (CLARITY Act) by a vote of 294 to 134, establishing the division of jurisdiction between the SEC and CFTC, the safe harbor provisions for DeFi developers, and the legal status of self-custodied wallets, but it remained stalled before the Senate Banking Committee as of April 2026. The partisan divide is not about "whether to regulate," but rather "who should regulate," which precisely exposes the biggest problem with US crypto regulation: politics. From 2024 to 2026, the SEC's series of lawsuits against Coinbase, Robinhood, and Uniswap has consumed significant regulatory resources: the SEC partially lost in the Ripple case and was forced to withdraw several charges in the Coinbase case. This "fighting and losing" enforcement model has exacerbated the legal uncertainty in the US crypto industry to an unprecedented degree.

While the Asia-Pacific region is fragmented, it is generally trending towards standardization. The Hong Kong Monetary Authority (HKMA) is advancing regulation of stablecoin issuers in 2026; Singapore retains the MAS (Major Payment Services) channel for institutional digital assets; Japan has amended its Payment Services Act to include stablecoins under its regulation; and South Korea has enacted the Virtual Asset User Protection Act. The FATF's global influence is most noteworthy—its March 2026 report, "Stablecoins and Non-Custodial Wallets: P2P Trading," explicitly warns that non-custodial wallets and P2P trading are the weakest links in the global anti-money laundering system. In the next two to three years, DeFi and non-custodial wallets will face a new round of compliance pressure.

VI. Sanctions evasion and the challenges posed by state actors

Chainalysis' 2026 report reveals an embarrassing fact for all on-chain law enforcement tools: sanctioned entities accounted for 68% of all illicit crypto transactions in 2025. This means that today's on-chain law enforcement is primarily fighting not hackers and fraudsters, but three sovereign nations: North Korea, Russia, and Iran.

North Korea is projected to steal $2 billion by 2025, bringing its total to $6.75 billion. The $1.5 billion theft from Bybit in February set a record. North Korea's methods have evolved from exploiting code vulnerabilities to impersonating recruiters to infiltrate IT positions at crypto companies—this is no longer "cryptocrime," but "state-level cyber warfare." Russia's strategy is the most systematic: its A7A5 ruble-pegged stablecoin processed $93.3 billion in transactions within four months of its launch, effectively building a crypto payment infrastructure parallel to SWIFT; Garantex continued operations through technical means even after being sanctioned. OFSI recommends companies track "3 to 5 transaction hops" to identify sanction exposure risks—essentially acknowledging the ineffectiveness of list-based sanctions against state-level adversaries. Iran has laundered over $2 billion in money, engaged in illicit oil sales, and purchased weapons through proxy armed groups. Ultimately, when the adversary is a sovereign nation, OFAC's SDN list, Chainalysis's tagging system, and Tether's smart contract blacklist are all "band-aid solutions." List-based enforcement, when facing state-level adversaries, is essentially an industrialized version of a "cat and mouse game," where the mouse always outruns the cat.

VII. Industry Attitudes and the Battle for Privacy Rights: Compliance Consensus and Fundamental Disagreements

The deepening of on-chain enforcement has triggered a profound division within the crypto industry. Leading exchanges like Coinbase and Kraken embrace compliance, using OFAC compliance, KYT screening, and reserve disclosure as competitive barriers; decentralized protocols such as Uniswap and Curve adopt a "code-neutral" stance, arguing that the protocol layer should not bear compliance obligations; while privacy protocols like Tornado Cash and Aztec fundamentally question the legitimacy of on-chain enforcement. This division is not a simple "compliance camp vs. anti-compliance camp," but rather a direct clash between "centralized finance logic" and "the native logic of decentralization."

The fundamental disagreement surrounding on-chain enforcement centers on three key issues: First, where does the boundary lie between on-chain privacy rights and financial regulatory authority? MiCA's requirement for all CASPs to undergo KYC effectively cuts off most privacy needs at the entry point, but DeFi front-ends and self-custodied wallets remain in a gray area. Second, does the "neutrality" of a protocol constitute an exemption from legal liability? The Tornado Cash case provides a partially negative answer: immutable code is not subject to sanctions, but "services" operated by certain entities can be held accountable. Third, how can the "quasi-judicial power" of stablecoin issuers be supervised? Tether froze $1.26 billion throughout the year, with 96.4% of the blacklisted addresses never being unfrozen; this de facto permanent destruction lacks any independent audit or appeal mechanism. These three issues will be central topics of discussion between regulators and the industry between 2026 and 2028.

VIII. On-chain marking platforms, processes, and multi-party ecosystem competition

The technological foundation for on-chain law enforcement rests on the labeling capabilities of blockchain analytics platforms. Chainalysis's Reactor, TRM Labs' TRM Forensics, and Elliptic's Navigator constitute the standard toolchain for global law enforcement agencies. The labeling process typically includes four steps: address clustering, fund tracing, risk scoring, and cross-chain tracking. The chain reaction path after an address is labeled "high-risk" is: on-chain analytics platform labeling → USDT/USDC issuer freezing → exchange KYC account freezing → OTC platform denial of service → bank account refusing to accept related funds—the entire chain is completed within hours, spanning both traditional and crypto-financial systems.
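The fund-tracing and risk-scoring steps above, together with the OFSI "3 to 5 transaction hops" recommendation from Section VI, can be shown on a small ledger. This is an added example, not code from the report or from any analytics vendor; the address labels, the sample transfers, the proportional ("haircut") taint model, and the grading thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample ledger in chronological order: (sender, receiver, amount).
# Every address label here is made up for the example.
TRANSFERS = [
    ("sanctioned_A", "hop1", 100.0), ("hop1", "hop2", 100.0),
    ("hop2", "hop3", 60.0), ("hop2", "exchange_deposit", 40.0),
    ("clean_payroll", "exchange_deposit", 960.0), ("hop3", "hop4", 60.0),
    ("hop4", "hop5", 60.0), ("hop5", "hop6", 60.0),
    ("clean_payroll", "retail_user", 50.0),
]
SANCTIONED = {"sanctioned_A"}  # stand-in for a list-based designation


def hop_distances(transfers, sources, max_hops=5):
    """Fewest transfers from any listed address to each address, up to max_hops."""
    out_edges = defaultdict(set)
    for sender, receiver, _ in transfers:
        out_edges[sender].add(receiver)
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # stop expanding at the edge of the tracing window
        for nxt in out_edges[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def tainted_share(transfers, sources):
    """Fraction of each address's inflow that traces back to a listed address.
    Assumes a complete ledger; senders with no recorded inflow count as clean."""
    balance, tainted = defaultdict(float), defaultdict(float)
    inflow, inflow_tainted = defaultdict(float), defaultdict(float)
    for sender, receiver, amount in transfers:
        ratio = 1.0 if sender in sources else (
            tainted[sender] / balance[sender] if balance[sender] > 0 else 0.0)
        balance[sender] -= amount
        tainted[sender] -= amount * ratio
        balance[receiver] += amount
        tainted[receiver] += amount * ratio
        inflow[receiver] += amount
        inflow_tainted[receiver] += amount * ratio
    return {a: inflow_tainted[a] / inflow[a] for a in inflow}


def grade(hops, share):
    """Assumed thresholds for illustration, not any vendor's scoring rules."""
    if hops == 0:
        return "listed"
    if share >= 0.5 or (hops is not None and hops <= 2):
        return "high"
    if share > 0.0 or hops is not None:
        return "review"
    return "low"


def screen(transfers, sources, max_hops=5):
    """Return {address: (hops or None, tainted share, grade)} for every address."""
    hops = hop_distances(transfers, sources, max_hops)
    share = tainted_share(transfers, sources)
    addresses = {a for s, r, _ in transfers for a in (s, r)}
    return {a: (hops.get(a), share.get(a, 0.0), grade(hops.get(a), share.get(a, 0.0)))
            for a in sorted(addresses)}
```

On the sample data, `exchange_deposit` sits three hops from the listed address but only 4% of its inflow is tainted, so it is graded "review" rather than treated the same as the listed address, which is the difference between risk grading and a binary list.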

The core contradiction in this multi-party ecosystem game lies in the severe imbalance between the "quasi-judicial power" of on-chain analytics companies and the "right to appeal" of those flagged. Chainalysis has linked over 1 billion addresses, but the algorithmic logic, confidence level, and error rate of these links are almost entirely kept secret; Tether and TRON have frozen 4,163 addresses, but there is no publicly available "unfreezing appeal" process; exchanges' KYT systems refuse to accept funds from tainted addresses, but users cannot find out the reasons for their flagging or the appeal process. This reality of "opaque flagging, no notification of freezes, and no channel for unfreezing" means that the "compliance cloak" of on-chain enforcement conceals actual infringements on ordinary users.

IX. Future Outlook: Four Major Shifts in Regulatory Paradigm

Based on a systematic review of the evolution of on-chain enforcement and blacklisting systems from 2022 to 2026, four fundamental shifts in the regulatory paradigm can be identified. The first shift is from list-based sanctions to risk-based tiered management. The Tornado Cash case has demonstrated that "one-size-fits-all" sanctions against decentralized protocols face both legal challenges and are not technologically feasible. Future regulation will rely more on dynamic risk assessments based on multi-dimensional data; Chainalysis and TRM Labs already support hundreds of risk parameters, and this trend is irreversible.

The second shift is from single jurisdiction to multilateral coordination. The Garantex case and the Bybit incident exposed the limitations of unilateral sanctions. The establishment of AMLA, the strengthening of FATF, the launch of Beacon Network, and the Basel Committee's renewed review of banks' exposure to crypto assets—multilateral cooperation will become standard practice. However, multilateral coordination faces real challenges: significant differences in national legal traditions, the EU's "precautionary principle" and the US's "market failure" logic are difficult to reconcile; cross-border law enforcement and evidence collection require judicial assistance procedures that can take months or even years. This paradigm shift is in the right direction, but its implementation will be much slower than the market expects.

The third shift is from holding protocols accountable to holding individuals responsible. The Samourai Wallet case and the Roman Storm trial established a new paradigm: the focus of enforcement has shifted from sanctioning the protocols themselves to pursuing the individual liability of developers and operators. The CLARITY Act attempts to define the boundaries of liability through the developer safe harbor provision, but its final form depends on how the legislative process and the outcome of the Storm trial interact and evolve.

The fourth shift is from confrontation to co-governance. The success of Beacon Network demonstrates the unique efficiency advantages of public-private partnerships—blockchain transparency + the professional capabilities of on-chain analytics companies = faster fund tracking than traditional finance. However, when stablecoin issuers have the ability to unilaterally freeze user assets, how should the boundaries of power and accountability mechanisms be designed? "Vigilante" enforcement, lacking independent oversight and appeal mechanisms, is a core issue that cannot be avoided in the next phase of regulatory discussions.

Finally, the following tiered operational recommendations are provided: For individual users, avoid direct interaction with mixers as much as possible; do not grant unlimited token approvals on unknown DEXs; prioritize European exchanges with MiCA licenses as the primary entry point; prioritize bank transfers for fiat currency entry; distribute on-chain assets across hardware wallets and multiple trusted custodians to reduce the risk of total loss due to a single freeze event. For institutional investors, establish an on-chain asset KYT compliance framework; include sanctions exposure risks in the due diligence checklist for investment decisions; choose stablecoins with complete audit reports and reserve disclosures; conduct regular "address cleanliness" reviews of holding addresses to avoid unintentionally receiving contaminated funds. For DeFi developers, proactively study the judgment logic of the Samourai and Tornado Cash cases; introduce a tiered architecture of "compliant interface" and "unregulated users" during the protocol design phase; pay attention to the final version of the CLARITY Act developer safe harbor provisions.


Author: 火币成长学院

Opinions belong to the column author and do not represent PANews.

This content is not investment advice.

Image source: 火币成长学院. If there is any infringement, please contact the author for removal.
