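HTX Research: The Evolution of On-Chain Enforcement and Blacklisting Regimes: Regulatory Reality, the Boundaries of Power, and Disorder in the Crypto World (2022-2026)
- Core thesis: From 2022 to 2026, global crypto asset regulation shifted from the failed "code sanctions" against Tornado Cash toward a multilateral, dynamic compliance system, built by pursuing the liability of individual developers and by escalating the quasi-judicial power of on-chain analytics platforms (such as Chainalysis) and stablecoin issuers (such as Tether). Against state-level adversaries such as North Korea, however, traditional list-based sanctions have limited effect.
- Key elements:
- The Tornado Cash case established a principle: immutable smart contracts are not "property" and cannot be sanctioned, but developers may bear criminal liability for operating a "service system," as shown by the guilty plea of the Samourai Wallet founders.
- On-chain analytics platforms such as Chainalysis, having labeled 1 billion+ addresses and being used by 1,500+ institutions, have become a de facto "on-chain ID card," but their opaque algorithms and missing appeal channels amount to quasi-judicial power.
- Stablecoin issuers (such as Tether) build freeze and destroy functions into their contracts; in 2025, $1.26 billion was frozen and 96.4% of addresses were never released, giving issuers de facto unilateral "quasi-judicial power" and challenging the decentralization narrative.
- The EU's MiCA gives institutions certainty, while political polarization has fragmented the U.S. regulatory framework: the CLARITY Act is stalled in the Senate, and the SEC's "fight and lose" pattern has deepened legal uncertainty.
- State actors such as North Korea and Russia dominate illicit on-chain activity: North Korea stole $2 billion in 2025, and Russia is building a parallel SWIFT system through the A7A5 stablecoin.
- Four regulatory paradigm shifts: from one-size-fits-all to risk tiering, from unilateral to multilateral coordination, from pursuing protocols to pursuing individuals, and from confrontation to public-private co-governance.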
1. Introduction
The period from 2022 to 2026 represents the most transformative four years in the history of global crypto asset regulation. On August 8, 2022, OFAC, citing IEEPA, added 44 smart contract addresses associated with Tornado Cash to its SDN sanctions list—marking the first time the U.S. government sanctioned a piece of "code" rather than a "person." The effect of this executive order was then fundamentally deconstructed by a line of immutable code: while Circle froze USDC, GitHub removed repositories, and Uniswap’s frontend blocked related transactions, the underlying core contracts remained entirely unaffected. During the sanctions enforcement period, Tornado Cash still processed approximately $2.5 billion in transactions. Four years later, on-chain enforcement has evolved from a single jurisdiction's administrative action into a multi-layered governance system—yet the issues of its effective boundaries, legitimacy, and checks and balances are even more pronounced than they were four years ago.
2. The Tornado Cash Case: A Textbook Example of Regulatory Overreach
The Tornado Cash case is the most significant legal precedent in on-chain enforcement over the past four years. After sanctions were imposed in August 2022, the industry experienced severe tremors: GitHub shut down code repositories, Circle froze USDC addresses that had interacted with Tornado Cash, and Uniswap’s frontend blocked related trading pairs—but the underlying contracts were completely unresponsive. The power of an administrative order was dismantled by a single line of code. OFAC's enforcement assumption was based on a fundamental miscalculation: believing that "freezing the frontend" equates to "freezing the protocol." Reality proved these are two different things—the sanctions list is a compliance checklist, not a physical injunction. Frontend service providers will comply, but blockchain code does not need to.
On November 26, 2024, the U.S. Court of Appeals for the Fifth Circuit delivered a landmark ruling in Van Loon v. Treasury Department, determining that OFAC had overstepped its authority: immutable smart contracts do not constitute "property" under IEEPA because they cannot be owned or controlled by anyone; they are merely "lines of code." On March 14, 2025, OFAC officially removed Tornado Cash from the SDN list. This nearly three-year legal battle established a principle at the institutional level—regulators cannot infinitely expand their power using "catch-all" laws like IEEPA without clear congressional authorization. The era of "administrative expediency" in U.S. crypto regulation is over; "certainty" itself has become the greatest institutional dividend for the industry.
However, the final outcome is far from settled. Prosecutors have switched to an "if you can't win on the rules, go after the people" strategy—the individual criminal charges against developers Roman Storm and Roman Semenov are still proceeding. A conviction for Storm would set a dangerous precedent: writing code equals bearing criminal liability, casting a chilling effect over the entire open-source developer community. The prosecution's logic is a clear slippery slope: Tornado Cash was used by North Korean hackers → the developers were aware → the developers did not stop it → the developers are complicit in a conspiracy to commit a crime. The verdict in Roman Storm's case will determine the legal foundation for the entire DeFi industry.
3. The Full Escalation of Mixer Enforcement: From Individual Prosecution to Systematic Crackdown
The Tornado Cash case changed the enforcement paradigm. The DOJ proved something with the Samourai Wallet case: you can lose the war against the protocol, but you can absolutely win the war against the developers. In April 2024, the DOJ indicted the two founders, and in July 2025, both pleaded guilty in the U.S. District Court for the Southern District of New York, facing up to 5 years in prison. The prosecution's logic was extremely cunning: Samourai was not "pure code," but a "complete service system" including a UI, servers, and a fee model. This distinction—between pure code and a hybrid service system with operator involvement—is the single most critical legal watershed for the next five years. Its implication is clear: as long as someone maintains and charges fees for your protocol, it is not "code" but a "service," and you can be held responsible for its misuse. Once this boundary is judicially confirmed, all DeFi protocol operators will face legal risks.
Globally, enforcement continues to intensify. In November 2023, OFAC sanctioned Sinbad.io; in March 2025, the German BKA, along with the U.S., Netherlands, and Finland, targeted Garantex; in February 2025, the EU sanctioned Garantex for the first time. Ironically, the stricter the mixer enforcement, the more efficient North Korea's money laundering becomes—the $1.5 billion Bybit hack in 2025 set a record for the largest single theft in crypto history, bringing North Korea's cumulative theft to $6.75 billion. Another landmark event in 2025 was OFAC's attempt at "retroactive accountability" targeting Tornado Cash's historical users: the DOJ began subpoenaing early users, indicating regulators are exploring a new path of "targeting users" rather than "targeting the protocol."
4. The Rise of the On-Chain Analytics Industry and Blacklisting Infrastructure
The true power center of on-chain enforcement lies not within governments, but within four major blockchain analytics platforms. Between 2022 and 2026, Chainalysis, TRM Labs, Elliptic, and Merkle Science transitioned from "address labeling tools" to "extensions of quasi-judicial power." Once an address is labeled "high-risk," exchanges freeze the account and USDT issuers freeze the assets, all with almost no avenue for appeal. Chainalysis covers over 27 blockchains; its Reactor tool is used by over 1,500 agencies, including the FBI, DOJ, and IRS, and the company holds approximately 45% of the global law enforcement market share. Its knowledge graph links over 1 billion addresses to more than 134,000 real-world entities—effectively creating an "on-chain ID card" system. Who owns an address is not determined by blockchain mathematics, but by Chainalysis' algorithms. TRM Labs monitors over 75% of global crypto transaction volume.
The Beacon Network, launched in 2025, represents the next evolutionary stage of on-chain compliance infrastructure. As the industry's first real-time information-sharing platform, Beacon Network connects core participants like Tether, TRON, and the T3 Financial Crime Unit into a single data layer, potentially compressing the freeze-burn window from hours to minutes. However, the expansion of power without external oversight is the most significant institutional flaw today—on-chain analytics companies act as both "evidence collectors" and "fact-finders." Their labeling conclusions directly determine whether an address is frozen or a person is denied service, yet there is no independent appeals channel.
The most concerning aspect involves stablecoin issuers. Tether's USDT smart contract includes three built-in functions: addBlackList/removeBlackList/destroyBlackFunds, effectively embedding the power of a "central bank" into a commercial company's contract. In 2025, Tether added 4,163 addresses to its blacklist, froze $1.26 billion, and permanently destroyed $698 million; 96.4% of addresses on the blacklist were never removed that year. This is not "compliance"; it is "quasi-judicial power." The TRON network's multi-signature wallet freeze has a 44-minute delay window—this "system vulnerability" acts as a "lifeline window" for ordinary users. But when stablecoin issuers upgrade their multi-signature architecture, the "controllability" of on-chain assets will become closer to traditional bank accounts—posing a fundamental challenge to the "decentralization" narrative of the crypto industry.
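The blacklist lifecycle described above can be audited by replaying the issuer's actions in order. The following is an added example, not code from the report or from Tether: the log entries, addresses and amounts are constructed, the action labels simply reuse the three function names quoted above, and the rule that funds are destroyed only while an address is listed is an assumption of this model.

```python
from dataclasses import dataclass, field

# Constructed log of issuer actions: (sequence, action, address, units).
# Action names reuse the three function names quoted above; the addresses
# and amounts are invented for this example.
SAMPLE_LOG = [
    (1, "addBlackList", "0xA1", 0),
    (2, "addBlackList", "0xB2", 0),
    (3, "destroyBlackFunds", "0xA1", 500_000),
    (4, "addBlackList", "0xC3", 0),
    (5, "removeBlackList", "0xB2", 0),
    (6, "addBlackList", "0xB2", 0),         # re-listed after a removal
    (7, "destroyBlackFunds", "0xD4", 9),    # anomaly: 0xD4 was never listed
]

@dataclass
class BlacklistState:
    listed: set = field(default_factory=set)        # frozen right now
    ever_listed: set = field(default_factory=set)
    ever_removed: set = field(default_factory=set)
    destroyed: dict = field(default_factory=dict)   # address -> units burned
    anomalies: list = field(default_factory=list)   # entries that do not fit

def replay(log):
    """Rebuild blacklist state by applying the actions in sequence order."""
    state = BlacklistState()
    for seq, action, addr, units in sorted(log):
        if action == "addBlackList":
            state.listed.add(addr)
            state.ever_listed.add(addr)
        elif action == "removeBlackList" and addr in state.listed:
            state.listed.discard(addr)
            state.ever_removed.add(addr)
        elif action == "destroyBlackFunds" and addr in state.listed:
            # Assumption: balances are destroyed only while the holder is listed.
            state.destroyed[addr] = state.destroyed.get(addr, 0) + units
        else:
            state.anomalies.append((seq, action, addr))
    return state

def summarize(state):
    """Figures of the kind cited above: listings, removals, destruction."""
    never_removed = state.ever_listed - state.ever_removed
    total = len(state.ever_listed)
    return {
        "ever_listed": total,
        "currently_listed": len(state.listed),
        "never_removed_pct": round(100 * len(never_removed) / total, 1) if total else 0.0,
        "units_destroyed": sum(state.destroyed.values()),
        "anomalies": state.anomalies,
    }

if __name__ == "__main__":
    print(summarize(replay(SAMPLE_LOG)))
```

An address that was removed and later re-listed counts as "removed at least once," which is why the never-removed share and the currently-listed count have to be tracked separately.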
5. Accelerated Construction of Global Regulatory Frameworks: From Fragmentation to Systematization
Over the past four years, the biggest loser in the global crypto regulatory framework is the United States, and the biggest winner is Europe. This difference is not just about legislative efficiency, but fundamentally about regulatory philosophy. Europe established a complete system with MiCA (passed in May 2023, implemented in phases from 2024, fully effective in 2025): CASP licenses, stablecoin reserve disclosures, extension of FATF Travel Rule, and AMLA (operational in 2025, directly supervising high-risk CASPs from 2028). The true significance of MiCA lies not in its strictness, but in the "certainty" it provides—institutional capital can be allocated based on clear rules, and fiat-pegged stablecoins can operate within a compliant track.
The U.S., meanwhile, has spent four years consumed by political polarization. In July 2025, the House passed the CLARITY Act (296-134), establishing jurisdiction boundaries between the SEC and CFTC, safe harbor provisions for DeFi developers, and the legal status of self-custody wallets—but as of April 2026, it remains stalled in the Senate Banking Committee. The bipartisan disagreement isn't "whether to regulate," but "who should regulate"—which precisely exposes the biggest problem with U.S. crypto regulation: politics. From 2024 to 2026, the SEC's series of lawsuits against Coinbase, Robinhood, and Uniswap consumed significant regulatory resources. The SEC partially lost the Ripple case and was forced to withdraw multiple charges in the Coinbase lawsuit. This "fight and lose" enforcement pattern has created unprecedented legal uncertainty for the U.S. crypto industry.
The Asia-Pacific region is diverging but trending towards standardization. The Hong Kong Monetary Authority (HKMA) is advancing stablecoin issuer regulation in 2026; Singapore retains the MAS Major Payment Institution license pathway for institutional-grade digital assets; Japan has included stablecoins under regulation by amending the Payment Services Act; South Korea has enacted the Virtual Asset User Protection Act. The global influence of the FATF is particularly noteworthy—its March 2026 report, "Stablecoins and Non-Custodial Wallets: A Focus on P2P Transactions," explicitly warns that non-custodial wallets and P2P transactions are the weakest links in the global anti-money laundering system. In the next two to three years, DeFi and non-custodial wallets will face a new wave of compliance pressure.
6. Sanctions Evasion and the Challenge of State Actors
Chainalysis' 2026 report reveals an uncomfortable truth for all on-chain enforcement tools: in 2025, activity from sanctioned entities accounted for 68% of all illegal crypto transaction volume. This means today's on-chain enforcement is primarily not fighting hackers and scammers, but three sovereign states—North Korea, Russia, and Iran.
North Korea stole $2 billion in 2025, bringing its cumulative total to $6.75 billion. The $1.5 billion Bybit hack in February set a record. North Korea's methods have evolved from exploiting code vulnerabilities to infiltrating crypto companies' IT positions by impersonating recruiters—this is no longer "crypto crime," but "state-level cyber warfare." Russia's strategy is the most systematic: the A7A5 ruble-pegged stablecoin processed $93.3 billion in transactions within its first four months, essentially building a parallel crypto payment infrastructure to SWIFT. After Garantex was jointly sanctioned, it maintained operations through technical means. OFSI advises companies to trace "3 to 5 transaction hops" to identify sanctions exposure risk—this is an official admission that list-based sanctions are ineffective against state-level adversaries. Iran has laundered over $2 billion, financed illegal oil sales, and procured weapons through proxy militant groups. Ultimately, when the adversary is a sovereign state, OFAC's SDN list, Chainalysis' labeling system, and Tether's smart contract blacklist are mere "treatments for symptoms, not root causes." List-based enforcement against state-level opponents is essentially an industrialized version of a "cat and mouse game," and the mouse will always run faster than the cat.
7. Industry Attitudes and the Privacy Rights Debate: Compliance Consensus vs. Fundamental Disagreement
The deepening of on-chain enforcement has caused a profound split within the crypto industry. Top exchanges like Coinbase and Kraken embrace compliance, using OFAC compliance, KYT screening, and reserve disclosures as competitive advantages; decentralized protocols like Uniswap and Curve adopt a "code is neutral" stance, arguing the protocol layer should not bear compliance obligations; privacy protocols like Tornado Cash and Aztec fundamentally question the legitimacy of on-chain enforcement. This split is not simply "compliance vs. anti-compliance," but a direct collision between the logic of "centralized finance" and the native logic of "decentralization."
The fundamental disagreements revolve around three core questions: First, where is the boundary between on-chain privacy rights and financial regulatory power? MiCA requires all CASPs to perform KYC, effectively cutting off most privacy needs at the entry point, but DeFi frontends and self-custody wallets remain in a grey area. Second, does protocol "neutrality" constitute a legal liability exemption? The Tornado Cash case provided a "partial negative" answer: immutable code cannot be sanctioned, but a "service" with operators can be pursued. Third, how is the "quasi-judicial power" of stablecoin issuers to be supervised? Tether froze $1.26 billion in a single year, with 96.4% of addresses never being unfrozen. This de facto permanent destruction lacks any independent audit or appeals mechanism. These three issues will become core topics of dialogue between regulators and the industry from 2026 to 2028.
8. On-Chain Labeling Platforms, Processes, and Multi-Stakeholder Ecosystem Dynamics
The technical foundation of on-chain enforcement relies on the labeling capabilities of blockchain analytics platforms. Chainalysis' Reactor, TRM Labs' TRM Forensics, and Elliptic's Navigator constitute the standard tool stack for global law enforcement agencies. The labeling process typically involves four steps: address clustering, fund tracing, risk scoring, and cross-chain tracking. The chain reaction after an address is labeled "high-risk" follows this path: on-chain analytics platform labels it → USDT/USDC issuer freezes it → exchange KYC account frozen → OTC platform denies service → bank account refuses associated funds. This entire chain is completed within hours, spanning both traditional finance and the crypto financial system.
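The fund-tracing and risk-scoring steps, together with the "3 to 5 transaction hops" guidance attributed to OFSI in section 6, can be sketched as a hop-limited search over a transfer graph. This is an added example, not the method of any platform named in the report: the transfers and address names are constructed, and the score (share of inflow received directly from addresses inside the hop window) is a simplification chosen for illustration.

```python
from collections import deque

# Constructed sample transfers: (sender, receiver, amount). Not real addresses.
TRANSFERS = [
    ("flagged_1", "a", 100.0),
    ("a", "b", 60.0),
    ("b", "c", 60.0),
    ("c", "d", 30.0),
    ("d", "e", 30.0),
    ("e", "f", 30.0),
    ("clean_1", "c", 40.0),
    ("clean_1", "g", 10.0),
]
FLAGGED = {"flagged_1"}  # constructed seed set, e.g. addresses on a sanctions list

def hop_distances(transfers, flagged, max_hops):
    """Breadth-first search along the direction of fund flow from flagged seeds."""
    outgoing = {}
    for sender, receiver, _ in transfers:
        outgoing.setdefault(sender, set()).add(receiver)
    dist = {addr: 0 for addr in flagged}
    queue = deque(flagged)
    while queue:
        current = queue.popleft()
        if dist[current] == max_hops:
            continue  # do not trace past the configured hop window
        for nxt in outgoing.get(current, ()):
            if nxt not in dist:
                dist[nxt] = dist[current] + 1
                queue.append(nxt)
    return dist

def screen(transfers, flagged, max_hops=5):
    """Return {address: (hops, exposed_share)} for addresses inside the window.

    exposed_share = inflow received directly from flagged or in-window senders,
    divided by the address's total inflow.
    """
    dist = hop_distances(transfers, flagged, max_hops)
    inflow, exposed = {}, {}
    for sender, receiver, amount in transfers:
        inflow[receiver] = inflow.get(receiver, 0.0) + amount
        if sender in dist:
            exposed[receiver] = exposed.get(receiver, 0.0) + amount
    return {
        addr: (hops, round(exposed.get(addr, 0.0) / inflow[addr], 2))
        for addr, hops in dist.items()
        if hops > 0
    }

if __name__ == "__main__":
    for addr, (hops, share) in sorted(screen(TRANSFERS, FLAGGED).items()):
        print(f"{addr}: {hops} hop(s) from a flagged address, {share:.0%} exposed inflow")
```

In the sample, address `c` sits three hops out with 60% exposed inflow because part of its funding comes from an unrelated sender, while `f` falls outside a five-hop window entirely; the window size decides whether it is reviewed at all.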
The core contradiction in this multi-stakeholder ecosystem lies in the severe imbalance between the "quasi-judicial power" of on-chain analytics companies and the "right to defense" of those labeled. Chainalysis has associated over 1 billion addresses with real-world entities, but the algorithmic logic, confidence levels, and error rates of these associations are rarely made public. Tether and TRON executed freezes on 4,163 addresses but have no public "unfreezing appeals" process. Exchange KYT systems will reject funds from contaminated addresses, but users cannot query why they were labeled or find an appeals path. This reality of "opaque labeling, no notification of freeze, no avenue for unfreezing" hides potential torts against ordinary users beneath the "compliance veneer" of on-chain enforcement.
9. Future Outlook: Four Paradigm Shifts in Regulation
Based on a systematic review of on-chain enforcement and blacklisting systems from 2022 to 2026, four fundamental paradigm shifts in the regulatory approach can be identified. The first shift is from list-based sanctions to risk-tiered management. The Tornado Cash case proved that "one-size-fits-all" sanctions against decentralized protocols face both legal challenges and technical realities. Future regulation will rely more on dynamic risk assessment based on multi-dimensional data. Chainalysis and TRM Labs already support hundreds of risk parameters; this trend is irreversible.
The second shift is from a single jurisdiction to multilateral coordination. The Garantex case and the Bybit incident exposed the limits of unilateral sanctions. The establishment of AMLA, FATF's strengthening, the launch of Beacon Network, and the Basel Committee's review of bank crypto asset exposure all point towards multilateral cooperation becoming the norm. However, multilateral coordination faces real-world challenges: significant differences in national legal traditions, such as the EU's "precautionary principle" conflicting with the US's "market failure" logic; cross-border law enforcement and evidence gathering require months or even years of mutual legal assistance procedures. The direction of this paradigm shift is correct, but the specific pace of implementation will be much slower than market expectations.
The third shift is from pursuing protocols to pursuing individuals. The Samourai Wallet case and the Roman Storm trial have established a new paradigm: the focus of enforcement has shifted from sanctioning the protocol itself to prosecuting the personal liability of developers and operators. The CLARITY Act attempts to delineate liability boundaries through developer safe harbor provisions, but its final form depends on the interactive evolution of the legislative process and the outcome of the Storm trial.
The fourth shift is from confrontation to co-governance. The success of Beacon Network demonstrates the unique efficiency advantage of public-private cooperation—blockchain transparency combined with the professional capabilities of on-chain analytics companies equals faster fund tracing than in traditional finance. However, when stablecoin issuers possess the ability to unilaterally freeze user assets, how should the boundaries of power and accountability mechanisms be designed? Enforcement resembling "vigilante justice" without independent oversight and appeals mechanisms is an unavoidable core issue in the next phase of regulatory discussion.
Finally, here are stratified operational recommendations:
- For individual users: try to avoid direct interaction with mixers; do not approve unlimited allowances on unknown DEXs; prioritize European exchanges with MiCA licenses as your primary entry point; prefer bank transfers for fiat on-ramps; distribute on-chain assets across hardware wallets and several trusted custodial institutions to reduce the risk of total loss from a single freezing event.
- For institutional investors: establish an on-chain asset KYT compliance framework; include sanctions exposure risk in investment due diligence checklists; choose stablecoins with complete audit reports and reserve disclosures; conduct periodic "address cleanliness" reviews of held addresses to avoid inadvertently receiving contaminated funds.
- For DeFi developers: proactively study the legal logic of the Samourai and Tornado Cash cases; introduce a layered architecture of "compliance interface" and "unregulated user" during the protocol design phase; monitor the final version of the CLARITY Act's developer safe harbor provisions.


