U.S. Treasury Acknowledges Mixer Privacy Rights — With Strings Attached

Treasury's Mixer Pivot: A Privacy Win or a Trojan Horse?

For the first time in years, the U.S. Treasury Department has formally acknowledged what the Bitcoin and crypto privacy community has long argued: that mixing services can serve entirely lawful purposes. On the surface, this looks like a significant ideological shift from the agency that sanctioned Tornado Cash in 2022 and moved to brand international mixers as money-laundering infrastructure in 2023. But reading the fine print of the 32-page report submitted to Congress under the GENIUS Act tells a more complicated — and sobering — story. Regulatory recognition of legitimate use does not equal regulatory permission to use freely.

The distinction matters enormously. Governments routinely acknowledge the legitimacy of tools while simultaneously constructing frameworks to control, surveil, and ultimately constrain them. This report may be less a victory lap for privacy advocates and more a preparatory brief for the next phase of crypto oversight.

The Facts

The Treasury's report, submitted to Congress as part of the implementation process for the GENIUS Act stablecoin legislation, dedicates meaningful space to the role of crypto mixers in the digital asset ecosystem ^[2]. Notably, it concedes that law-abiding individuals may use mixing services to shield sensitive financial information — including details about personal wealth, business transactions, and charitable contributions — from permanent, public blockchain records ^[1]. As digital asset adoption grows for everyday payments, the report adds, users may naturally seek greater control over the visibility of their financial habits ^[1].

This language represents a meaningful recalibration from Treasury's earlier posture ^[2]. Yet the same document devotes considerable attention to the criminal exploitation of mixers, citing North Korea-linked cybercriminals who stole at least $2.8 billion in digital assets between January 2024 and September 2025 — including a $1.5 billion breach of the Bybit exchange — and routinely employed mixers to break transaction tracing chains ^[2]. Treasury's own data indicates that since May 2020, over $37.4 billion in withdrawals from more than 50 cross-chain bridges were denominated in the two largest stablecoins, with roughly $1.6 billion of that traceable back to mixing services, over $900 million of which flowed through a single bridge linked to DPRK activity ^[2].

The report draws a regulatory line between custodial and non-custodial mixers ^[2]. Custodial services are already classified as Money Services Businesses (MSBs) under FinCEN rules and are therefore obligated to collect and maintain identity records, transaction data, and user behavioral patterns — available to authorities upon request ^[1]. Crucially, Treasury stopped short of recommending new restrictions on non-custodial mixers and declined to finalize FinCEN's 2023 proposed recordkeeping rule, instead deferring to a 2025 Presidential Working Group recommendation calling for careful evaluation of the balance between privacy interests and illicit finance risks ^[2].

However, the report simultaneously proposes new tools of financial control: a digital asset-specific "hold law" that would grant financial institutions temporary safe harbor to freeze suspicious assets during investigations, and a potential expansion of Section 311 of the USA PATRIOT Act to extend Treasury's authority over certain digital asset transfers that fall outside traditional correspondent banking ^[2]. The department also expressed interest in working with Congress to create incentive structures for developing digital identity tools — a move that privacy advocates view as a surveillance infrastructure project dressed in innovation language ^[1].

Analysis & Context

To understand what this moment actually represents, it helps to recall the trajectory of U.S. government engagement with crypto privacy. The 2022 sanctioning of Tornado Cash — an open-source, non-custodial protocol — was unprecedented. It was the first time OFAC had sanctioned immutable smart contract code rather than a person or organization. A federal appeals court ultimately found that action exceeded OFAC's statutory authority, and the sanctions were lifted in March 2025 ^[2]. Yet that same month, Tornado Cash co-founder Roman Storm was convicted of operating an unlicensed money transmitter — even as the Department of Justice signaled it would adopt a narrower approach to prosecuting developers who build privacy tools without criminal intent ^[2]. Meanwhile, the developers behind Samourai Wallet, a non-custodial Bitcoin privacy tool, were sentenced to five and four years in prison respectively — despite never controlling user funds at any point ^[1]. The current policy landscape is, in a word, contradictory.

Privacy journalist and activist L0la L33tz captured the core problem precisely: the phrase "lawful users of digital assets" presupposes the existence of a mechanism to categorize users as lawful or unlawful in the first place ^[1]. That mechanism — whatever form it takes — is itself a surveillance apparatus. Legitimate use, in this framing, is not a default right but a status granted after scrutiny. That is the inverse of the civil liberties framework most Bitcoin advocates operate from, where privacy is assumed until criminality is proven.

For Bitcoin specifically, the implications are significant. Bitcoin's transparent ledger — a feature, not a bug, for auditability and trustlessness — creates genuine privacy trade-offs for users that are unlike anything in traditional finance. A person paying with cash leaves no permanent, publicly auditable record. A Bitcoin transaction does. Mixing services exist precisely to restore parity with baseline financial privacy expectations. Treasury's acknowledgment of this reality is intellectually honest. But pairing that acknowledgment with proposals for digital identity infrastructure, expanded PATRIOT Act authority, and AI-powered on-chain surveillance ^[1] suggests the ultimate goal is a monitored ecosystem where privacy is permitted only within sanctioned corridors — not a genuine commitment to financial self-sovereignty.

Key Takeaways

• Acknowledgment is not protection. Treasury's recognition that mixers serve legitimate privacy purposes is a rhetorical shift, not a legal shield — the report simultaneously advances surveillance tools, digital identity mandates, and expanded PATRIOT Act authority.
• Non-custodial services remain in legal limbo. While Treasury declined to finalize the 2023 FinCEN recordkeeping rule for non-custodial mixers, the legal exposure for developers building such tools remains dangerously unresolved, as the Samourai and Tornado Cash cases demonstrate.
• The custodial/non-custodial distinction is critical. Users of custodial mixing services should understand they are interacting with registered MSBs that are legally obligated to collect, store, and potentially disclose identity and transaction data to authorities.
• The CLARITY Act will be decisive. How Congress ultimately defines liability for non-custodial protocol developers will determine whether privacy tool development can legally continue in the United States — and the current draft is already drawing comparisons to the surveillance expansion of the post-9/11 PATRIOT Act era.
• Bitcoin users should monitor the broader regulatory pattern. The U.S. framework being built around digital asset privacy will influence regulatory approaches globally, including in the EU where current rules are already more restrictive — making this a pivotal moment for the future of on-chain financial privacy worldwide.