> Nonsense, they didn't give away (or even sell) a tool, they were actively operating the tool themselves, taking requests to control and aim it in different ways.
They did give away a tool - they published (open-source, GPL3) a set of smart contracts. They then deployed those immutable (!) smart contracts as a one-time thing. From that point forward, anyone could interact with those smart contracts permissionlessly, that's just how Ethereum works. They didn't afterwards control or aim it in different ways - how could they? The smart contracts are immutable.
All they actually did afterwards is host a user interface (also open-source btw) that made it easy for users to interact with those smart contracts. After some outside pressure they added geo-blocking to the user interface they hosted, which —unsurprisingly— didn't actually stop bad actors from using Tornado Cash. After all, even if they were unable to get around the geo-blocking, bad actors could self-host the user interface or interact with the smart contracts directly.
Think of their user interface as an email client. Would somehow blocking an email client actually stop people from sending emails? No, they could still just use SMTP and directly interact with a server. In the same way, taking down their user interface or implementing any sort of check would not have prevented bad actors from interacting with the smart contracts directly.