It takes about 10 minutes to deploy the existing tornado.cash smart contract to a new address, and can be done with freshly-mined ether. Some kid in Russia could do it and the U.S. government would never know who he is nor have jurisdiction to touch him. There are no need for employees, servers, domains, whatever. Once it's upon on the blockchain again, its existence serves as a schelling point for people to use it.
This is much more like a pandemic than a war. In a war you know who your enemy is, you can see them making preparations and organizing forces, and you can counter them with your own moves. In a pandemic, somebody sneezes in Wuhan and 10 million people die. Any attempts to regulate folks who might've touched dirty things just piss people off.
You generally need a sufficient volume of traffic for a mixer to be effective.
A nobody spinning up their own copy of the contract may have trouble attracting the volume. If this becomes a significant issue, the treasury can expand the sanctioned entity definition to include to any smart contract that uses the code from TC. Or automatically scan for such addresses and update the list of aliases for the sanctioned entity. Or several other approaches.
So... OFAC deploys a static analyzer scanning the address space for anything hosting a similar smart contract, then add that to the list.
You don't get it. Everyone says "OFAC may I <transaction info>?" OFAC implements services to take that info, and check it against their list and generate an answer real time. They can also update the list real time, and being centralized, every integrated processor starts giving that new entry the ol' deposit only treatment.
All OFAC needs is a scanner for what might be a hit, they preemptively add it to the list, do further digging in case it's a false positive, and still get the outcome they want. An effective brake on suspicious or possibly sanctioned individuals access to the financial network.
OFAC isn't stupid. They have the architecture of the financial network literally working for them in this case.
Decentralized doesn't mean squat with a fully public data structure that a centalized entity can real time declare chunks of off limits for a sufficiently large swathe of potential endpoints.
There is no penalty to a false positive by OFAC, or any of the service providers it oversees, btw. As that error case is handled by information collection and resubmission by the service provider to OFAC for re-analysis. The deck is stacked pretty much entirely in OFAC's favor.
You don’t. You just keep nailing people to touch it. Sanctions make things difficult for someone. Nobody expects them to e.g. poof Pyongyang.