Darknet Cryptocurrency 'Mixing' Service Dismantled After Laundering $3B in Cryptocurrency
A Cryptocurrency Mixer is a program used to keep cryptocurrency transactions private by mixing potentially identifiable cryptocurrency funds with vast sums of other funds; often used to anonymize fund transfers between services.
ChipMixer, one of the most widely used darknet cryptocurrency “mixing” services responsible for laundering more than $3 billion worth of cryptocurrency, has been taken offline. According to the Department of Justice (DOJ), ChipMixer was allegedly “unlicensed” and was “attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as payment card fraud, drug trafficking, weapons trafficking, ransomware attacks, and child sexual exploitation.”
In concert with international authorities, DOJ seized two domains that directed users to the ChipMixer service, one Github account, back-end servers, and more than $46 million in cryptocurrency. Minh Quốc Nguyễn, the founder of ChipMixer, was charged this week in Philadelphia with money laundering, operating an unlicensed money-transmitting business, and identity theft.
Ransomware group clients of ChipMixer (Zeppelin, SunCrypt, Mamba, Dharma, and Lockbit) found their services desirable due to ChipMixer having a clearnet web domain but operating primarily as a Tor hidden service, concealing the operating location of its servers to prevent seizure by law enforcement.
DOJ documented that between August 2017 and March 2023, ChipMixer processed:
$17 million in bitcoin for criminals connected to 37 ransomware strains, including Sodinokibi, Mamba, and Suncrypt.
Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge.
More than $200 million in bitcoin associated with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market.
More than $35 million in bitcoin is associated with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions.
Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU) to purchase infrastructure for the Drovorub malware.
Where ChipMixer’s logo once appeared on its site, a minimalist banner now lies donning the logos of U.S., German, Swiss, and Polish law enforcement. It reads: “THIS WEBSITE HAS BEEN SEIZED.”