This study evaluates the effectiveness of OFAC sanctions against malicious addresses on permissionless blockchains, focusing on fund obfuscation challenges posed by mixers like Tornado Cash. To address the vulnerability of conventional binary address labeling to dust attacks, we propose a quantified risk-scoring algorithm based on transaction graph impurity, integrating on-chain graph analysis with dynamic fund-flow tracing. The method achieves an average per-block processing time of 0.07 seconds, with 97.61% precision and 74.08% recall—substantially enhancing detection of obfuscated funds. Empirical analysis reveals that 78.33% of post-sanction security incidents still involve Tornado Cash, exposing structural enforcement gaps in decentralized environments. Our core contribution is the first scalable, adversarial-resilient framework for assessing sanction efficacy specifically in mixer-enabled scenarios—providing both theoretical foundations and practical methodologies for on-chain regulatory technology.

Sanctioning blockchain addresses has become a common regulatory response to malicious activities. However, enforcement on permissionless blockchains remains challenging due to complex transaction flows and sophisticated fund-obfuscation techniques. Using cryptocurrency mixing tool Tornado Cash as a case study, we quantitatively assess the effectiveness of U.S. Office of Foreign Assets Control (OFAC) sanctions over a 957-day period, covering 6.79 million Ethereum blocks and 1.07 billion transactions. Our analysis reveals that while OFAC sanctions reduced overall Tornado Cash deposit volume by 71.03% to approximately 2 billion USD, attackers still relied on Tornado Cash in 78.33% of Ethereum-related security incidents, underscoring persistent evasion strategies. We identify three structural limitations in current sanction enforcement practices: (i) the susceptibility of binary sanction classifications to dusting attacks; (ii) fragmented censorship by blockchain producers; and (iii) the complexity of obfuscation services exploited by users. To address these gaps, we introduce a more practical algorithm for scoring and tracking, grounded in quantitative impurity. On average, our algorithm processes Ethereum blocks within 0.07 $pm$ 0.03 seconds and achieves 97.61% precision and 74.08% recall when evaluated on the Bybit exploit. Our findings contribute to ongoing discussions around regulatory effectiveness in Decentralized Finance by providing empirical evidence, clarifying enforcement challenges, and informing future compliance strategies in response to sanctions and blockchain-based security risks.