US, European Authorities Dismantle Darknet Cryptocurrency Mixer

Published: 20 March 2023

Hacker BitcoinThe U.S. and Europe's authorities dismantled a cryptocurrency mixer, believed to have laundered more than $3 billion worth illegal proceeds from criminal activities. (Photo: Pxfuel, License)

By Zdravko Ljubas

U.S. and European authorities reported Thursday that they have taken down ChipMixer, a cryptocurrency mixer well-known in the cybercriminal underground and suspected of having laundered more than US$3 billion worth of cryptocurrency.

The U.S. Justice Department (DOJ) said that ChipMixer  was also involved in “darknet market, fraud, cryptocurrency heists and other hacking schemes.”

The unlicensed cryptocurrency mixer was established in mid-2017 and specialized in mixing or cutting tracks relating to virtual currency assets, according to Europol which coordinated the investigation across Europe.

“ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud.”

Deposited cash were converted into “chips” – small tokens of comparable value – which were then mixed together, obscuring any traces of where the initial funds came from.

During the investigation, supported by Belgium, Poland and Switzerland, law enforcement, which took down the infrastructure of the platform, seized four servers, about 1909.4 Bitcoins in 55 transactions (more than $47 million) and 7 TB of data, Europol said.

The DOJ explained that ChipMixer provided numerous features to its clients in order to increase the anonymity of its criminal customers, and that it had a clearnet web domain but primarily operated as a Tor hidden service, concealing the operating location of its servers in order to avoid seizure by law enforcement.

“ChipMixer serviced many customers in the United States, but did not register with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and did not collect identifying information about its customers,” the DOJ said.

Ransomware operators including Zeppelin, SunCrypt, Mamba, Dharma, and Lockbit have also used this service to launder ransom money, according to Europol, while the DOJ added that the criminal platform was also used by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge or the Russian General Staff Main Intelligence Directorate (GRU) – “85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware.”

The DOJ also reported that the U.S. authorities in Philadelphia charged Minh Quốc Nguyễn, a Vietnamese from Hanoi, with “money laundering, operating an unlicensed money transmitting business and identity theft, connected to the operation of ChipMixer.”

Nguyễn faces up to 40 years in prison if convicted of operating an unlicensed money transmitting company, money laundering, and identity theft, according to the DOJ.

“We will use all of our authorities to protect victims and take the fight to our adversaries,” Deputy Attorney General Lisa Monaco said.

She stressed that “cybercrime seeks to exploit boundaries, but the Department of Justice’s network of alliances transcends borders and enables disruption of the criminal activity that jeopardizes our global cybersecurity.”

FBI Deputy Director Paul Abbate warned that: “We will not allow cyber criminals to hide behind keyboards nor evade the consequences of their illegal actions.”