U.S. and German authorities, supported by Europol, have targeted ChipMixer, a cryptocurrency mixer well-known in the cybercriminal underworld. The investigation was also supported by Belgium, Poland and Switzerland.
On March 15, national authorities took down the infrastructure of the platform for its alleged involvement in money laundering activities and seized four servers, about 1909.4 Bitcoins in 55 transactions and 7 TB of data.
ChipMixer, an unlicensed cryptocurrency mixer set up in mid-2017, specialized in mixing or cutting trails related to virtual currency assets. The ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud. Deposited funds would be turned into “chips” (small tokens with equivalent value), which were then mixed together – thereby anonymizing all trails to where the initial funds originated.
A service available both on the clear and on the dark web, ChipMixer offered full anonymity to their clients. This type of service is often used before criminals’ laundered crypto assets are redirected to cryptocurrency exchanges, some of which are also in the service of organized crime. At the end of the process, the ‘cleaned’ crypto can be exchanged into other cryptocurrencies or directly into FIAT currency through ATM or bank accounts.
Between August 2017 and March 2023, ChipMixer processed:
- $17 million in bitcoin for criminals connected to approximately 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt;
- Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively;
- More than $200 million in bitcoin associated either directly or through intermediaries with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market, the largest and longest running darknet market in the world until its April 2022 shutdown by U.S. and German law enforcement;
- More than $35 million in bitcoin associated either directly or through intermediaries with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions; and
- Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware, which was first disclosed in a joint cybersecurity advisory released by the FBI and National Security Agency in August 2020.
Europol says that ransomware actors such as Zeppelin, SunCrypt, Mamba, Dharma or Lockbit have also used this service to launder ransom payments they have received. Authorities are also investigating the possibility that some of the crypto assets stolen after the bankruptcy of a large crypto exchange in 2022 were laundered via ChipMixer.
Coinciding with the ChipMixer takedown efforts, Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged on March 15 in Philadelphia, U.S. with money laundering, operating an unlicensed money transmitting business and identity theft, connected to the operation of ChipMixer.
Beginning in and around August 2017, as alleged in the complaint, Nguyễn created and operated the online infrastructure used by ChipMixer and promoted ChipMixer’s services online. Nguyễn registered domain names, procured hosting services and paid for the services used to run ChipMixer through the use of identity theft, pseudonyms, and anonymous email providers. In online posts, Nguyễn publicly derided efforts to curtail money laundering, posting in reference to anti-money laundering (AML) and know-your-customer (KYC) legal requirements that “AML/KYC is a sellout to the banks and governments,” advising customers “please do not use AML/KYC exchanges” and instructing them how to use ChipMixer to evade reporting requirements.
“Working with partners at home and abroad, the Department of Justice disabled a prolific cryptocurrency mixer, which has fueled ransomware attacks, state-sponsored crypto-heists and darknet purchases across the globe,” said Deputy Attorney General Lisa Monaco.
