Mixers, Privacy, and the Limits of Pseudonymity in DeFi
Every transaction on a public blockchain is permanently recorded and visible to anyone. Wallet addresses are pseudonymous — they are strings of alphanumeric characters with no obligatory link to a real identity — but pseudonymity is not anonymity. Governments and blockchain analytics firms have developed increasingly sophisticated methods for tracing transaction chains and linking addresses to individuals. Mixers exist to complicate that process.
A mixer is an application that breaks the chain of custody between a sender’s wallet and a recipient’s. In a basic smart-contract-based mixer, a user deposits funds from one address into a contract pool, then withdraws the same amount to a different address. The connection between deposit and withdrawal is obscured — the output wallet has no traceable relationship to the input wallet. To improve effectiveness, mixers typically require deposits in standardized denominations and depend on a sufficient number of concurrent users to create a large enough pool that individual transactions cannot be easily disentangled.
Smart-contract-based mixers occupy a specific position in the defi taxonomy. Unlike custodial mixers, which are operated by a company that takes temporary control of funds, decentralized mixers hold no private keys and require no operator to process withdrawals. Once deployed to a blockchain, such contracts are generally immutable and can run indefinitely without further human involvement. This architecture is precisely what makes them legally and technically difficult to regulate through conventional means.
The Treasury Department’s Office of Foreign Assets Control sanctioned Tornado Cash, the most prominent decentralized mixer, in August 2022, designating its smart contract addresses along with associated wallets. That sanction was removed in March 2025, with Treasury citing “evolving technology and legal environments.” A Fifth Circuit court decision examining the legality of sanctioning an immutable smart contract contributed to the reversal. The case surfaces a fundamental question that no regulatory framework has yet resolved: whether a piece of self-executing code that neither takes custody of funds nor requires human action to process transactions can be legally treated as an entity capable of violating financial regulations.
FinCEN’s 2019 guidance on cryptocurrency business models addressed decentralized applications explicitly, stating that when such apps perform money transmission, the definition of money transmitter applies to the application, its owners, or both. That interpretation has not been consistently enforced, particularly under the current administration, which in April 2025 directed prosecutors to deprioritize regulatory violations in digital asset cases absent evidence of willful, knowing noncompliance.
The market structure legislation moving through Congress in the 119th Congress generally excludes decentralized applications from registration requirements, with language in both House and Senate drafts that would seemingly codify the exemption of mixers from money transmitter classification. The Senate Judiciary Committee, in a January 2026 letter to the Senate Banking Committee, raised explicit concern that such an exemption would create an enforcement gap attractive to illicit actors seeking to obscure transactions.
The tension at the center of the mixer debate is irresolvable through technical means alone. Blockchain analytics can identify addresses associated with known illicit activity and track fund flows. Zero-knowledge proof systems can potentially verify that a transactor is not sanctioned without revealing their identity. Neither solution fully satisfies the BSA framework, which requires financial institutions to know who their customers are — a requirement that the permissionless architecture of defi is specifically designed to make unnecessary. That design choice is also the policy problem.