US shuts down darknet crypto mixer tied to laundering over $3bn

Fraudsters used ChipMixer to launder money for ransomware perpetrators, darknet markets, and state-sponsored crypto heists.

The darknet cryptocurrency “mixing” service ChipMixer has been shut down in a coordinated international operation, the US DOJ has announced. The service is said to have laundered more than $3bn worth of cryptocurrency since 2017, with funds used to fuel activities such as ransomware attacks, darknet market activity, fraud, cryptocurrency heists and other hacking schemes.

The takedown saw US federal law enforcement seize two domains that directed users to the ChipMixer service and one GitHub account. German Federal Criminal Police were also involved, seizing back-end servers and more than $46m in crypto.

Deputy Attorney General Lisa Monaco described ChipMixer as a “prolific cryptocurrency mixer which has fueled ransomware attacks, state-sponsored crypto-heists and darknet purchases across the globe”.

Money laundering

The operator behind the mixer is Minh Quốc Nguyễn, who created and ran the online infrastructure. He promoted its services online in order to attract fraudsters who wanted to skip know-your-customer (KYC) legal requirements. He publicly derided efforts to curtail money laundering, saying “AML/KYC is a sellout to the banks and governments,” and then instructed customers how to use ChipMixer to avoid reporting obligations.

“ChipMixer facilitated the laundering of cryptocurrency, specifically bitcoin, on a vast international scale, abetting nefarious actors and criminals of all kinds in evading detection,” said Jacqueline C Romero, US Attorney for the Eastern District of Pennsylvania. “Platforms like ChipMixer, which are designed to conceal the sources and destinations of staggering amounts of criminal proceeds, undermine the public’s confidence in cryptocurrencies and blockchain technology.”

According to the court documents, ChipMixer offered various features to enhance anonymity and was one of the most used mixers for laundering criminally derived funds. Customers could deposit bitcoin, which ChipMixer then mixed with other users’ bitcoin, making it difficult for law enforcement or regulators to trace the transactions.

It had a clearnet web domain but operated primarily as a Tor hidden service, which concealed its servers’ location to prevent seizure by law enforcement. Although ChipMixer served many US customers, it did not register with the US Department of the Treasury’s Financial Crimes Enforcement Network and did not collect identifying information about customers.

Darknet markets

It is alleged that ChipMixer attracted a large criminal clientele and became “indispensable in obfuscating and laundering funds from multiple criminal schemes”. Between August 2017 and March 2023, the platform processed:

  • $17m in bitcoin for criminals connected to around 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt;
  • Over $700m in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020;
  • More than $200m in bitcoin associated with darknet markets, including more than $60m in bitcoin processed on behalf of customers of Hydra Market – which was the largest and longest running darknet market until it was shut down in April 2022 by US and German law enforcement;
  • More than $35m in bitcoin associated with “fraud shops,” where criminals buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions; and
  • Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware – which was revealed by the FBI and National Security Agency in August 2020.

40 years in prison

Minh Quốc Nguyễn has been charged with money laundering, operating an unlicensed money transmitting business and identity theft. He faces a maximum penalty of 40 years in prison if he’s convicted.

German law enforcement authorities have also taken separate actions.

The operation was a joint effort between the FBI’s Legal Attaché in Germany, the HSI office in The Hague, the HSI Cyber Crimes Center, the Justice Department’s Office of International Affairs and National Cryptocurrency Enforcement Team, EUROPOL, the Polish Cyber Police (Centralnego Biura Zwalczania Cyberprzestępczości) and Zurich State Police (Kantonspolizei Zürich).