Bitcoin Magazine
Data from Tornado Cash Trial Shows a Relatively Low Amount of Criminal Usage of the Protocol
Today, on day six of the Tornado Cash trial, FBI Special Agent Joel DeCapua, testified at the request of the prosecution, who called on the agent because of his experience with and skills in tracing crypto assets. (DeCapua has been tracking crypto and virtual assets for the FBI for 15 years.)
DeCapua highlighted how, during certain periods of time between September 1, 2020 and August 8, 2022 (with segments ranging from one day to a few weeks), as much as 55% percent of the funds that moved through Tornado Cash were those obtained through criminal activity (e.g., hacks).
However, the defense pointed out during their cross examination of DeCapua, that only 10% of the funds that moved through Tornado Cash transactions between September 1, 2020 and August 8, 2022 were obtained via confirmed criminal activity.
Special Agent DeCapua Takes The Stand
DeCapua took the stand at the onset of the trial day.
The prosecution walked him through a list of 16 incidents — hacks of crypto protocols and exchanges, the largest of which being the Ronin Bridge exploit — and had him confirm that some percentage of the funds from these hacks were put through Tornado Cash to wash them. DeCapua and the prosecution highlighted that over $1 billion in stolen funds had moved through Tornado Cash.
The prosecution, with the help of DeCapua, detailed how the stolen funds moved through Tornado Cash, all while the FBI and the hacked entities or protocols had little recourse in stopping the criminals involved.
The prosecution pointed out how from April 22, 2022 to May 19, 2022, 55% of Tornado Cash deposits were funds from the Ronin hack, while spikes in illicitly obtained funds flowing through Tornado Cash also occurred after exploits such as the BitMart hack, the Beanstalk hack and the Harmony Horizon hack.
DeCapua stated that it was always a “banner day” for Tornado Cash whenever hackers washed funds using the protocol.
The Cross-Examination of Special Agent DeCapua
During the defense’s cross examination of DeCapua, he shared that the FBI sometimes employs the services of third party blockchain analytics companies like Chainalysis, which is known to have provided flawed analysis.
The defense also shared Telegram messages with the court in which the legal team at BitMart asked the Tornado Cash team to intervene in efforts to retrieve the funds stolen from the company, to which the Tornado Cash team replied that they couldn’t because the protocol was decentralized.
Soon after, the defense referenced pie charts created by DeCapua, presented by the prosecution, that illustrated the largest amounts of criminal funds that flowed through Tornado Cash during the days or weeks after major crypto hacks.
The defense then made the point that outside of these major upticks in illicitly obtained funds moving through Tornado Cash, the protocol didn’t see much of such activity. They then made the aforementioned point that only 10% of funds that moved through Tornado Cash in the two-year time frame in question were from criminals.
Before concluding the cross-examination, the defense paralleled Tornado Cash to privacy tools like VPNs and WhatsApp, software that both criminals and non-criminals alike use to preserve their privacy.
While DeCapua didn’t disagree with this point, he did offer an odd statement in response to the defense asking him if everyday people use VPNs to preserve their privacy while browsing the internet.
“It would be really strange,” said DeCapua. “I don’t think a regular person would use a VPN in their [everyday] operations.”
The NTU Capital Issue
Toward the beginning of the defense’s cross-examination of DeCapua, they also brought up the possibility that the funds stolen from the first witness who took the stand at the trial, Hanfeng Lin, never moved through Tornado Cash.
These funds were stolen by members of a fraudulent entity called NTU Capital, and the notion that these funds may have never moved through Tornado Cash was first put forward by blockchain sleuth Taylor Monahan, founder of MyEtherWallet and security specialist at MetaMask, over the weekend.
This first witness in Roman’s trial immediately caught my attention bc the victim was a classic Pig Butchering case.
The only issue is….uh…..those scammers don’t use Tornado Cash? And they never have?
So, like, wtf? https://t.co/27MlcXvc0z
— Tay
(@tayvano_) July 18, 2025
The prosecution didn’t object to the defense’s proposal that these funds may never have been washed via Tornado Cash during the cross-examination, but they did push back on it toward the end of the trial day.
They noted that they’d provided supplemental disclosure on the issue the night before (around midnight) and that an IRS agent with a specialization in tracing funds that they planned to have testify would show how the funds stolen from Ms. Lin were, in fact, put through Tornado Cash after “a few hops.”
The defense made the case that Ms. Lin’s testimony should be stricken from the record before stating that they’re considering a mistrial motion.
The trial will resume tomorrow at 9:00 a.m. EST. The prosecution did make not clear whether it will call the IRS agent it referenced to the stand tomorrow or later in the week, though.
This post Data from Tornado Cash Trial Shows a Relatively Low Amount of Criminal Usage of the Protocol first appeared on Bitcoin Magazine and is written by Frank Corva.