The United States last week took down ChipMixer for allegedly laundering more than $3 billion in criminal proceeds, including funds stolen by North Korean hackers. The mixer also apparently laundered millions in ransomware proceeds, as well as more than $40 million of the hundreds of millions stolen from FTX after the exchange filed for bankruptcy in November.
In other words, ChipMixer was bad.
US law enforcement seized two domains that directed users to the service, as well as a Github account. German partners also seized ChipMixer back-end servers and more than $46 million in cryptocurrency.
But what is a mixer, and why is it bad (mostly)?
Let me preface the explanation by highlighting that there are legitimate uses for a mixer, which commingles illicitly derived cryptocurrencies with legal ones, or simply blends crypto from numerous wallets together and spits the funds out to owners, making them difficult for law enforcement or anyone else to track.
A hedge fund involved in a possible acquisition does not want to telegraph its business strategies and has every reason to obscure its market moves.
Individuals wishing to increase the privacy of their transactions, who don’t want government snooping into their wallets, can also use mixers to increase their anonymity. The transactions don’t have to be illicit. The individual may just want to preserve the privacy of the money transfer for principles’ sake.
But the increased privacy is very attractive to illicit users, because let’s face it—if it takes place on the blockchain, it’s transparent and traceable from one wallet to another. The blockchain is a database - a very public ledger - so hiding transactions on it is not a great criminal strategy.
Enter the mixers.
OFAC last year designated Tornado Cash as a service that was used to conceal billions of dollars in illicit proceeds. The blender operated on the Ethereum blockchain and facilitated illicit transactions by mixing the proceeds of crime with legitimate proceeds, jumbling the data and concealing its origin, destination, and involved parties.
I’m not going to discuss the First Amendment implications here. Yes, Tornado Cash is code, and there are constitutional implications. But the point is that this type of service blends together cryptocurrencies into one large bundle (that’s why mixers are also called blenders and tumblers), making tracking difficult.
Mixers or blenders are not inherently illegal, although illicit actors overwhelmingly love these services, which allow them to obscure the origins of their illicit proceeds, which is exactly what money laundering is.
FinCEN considers these services as money transmitters, subject to the Bank Secrecy Act (BSA) and obligated to maintain an AML compliance program, including collecting customer identification information and abiding by other requirements.
Entities such as Blender.io (sanctioned by OFAC last year), the darknet bitcoin mixer Helix (penalized in 2020 by FinCEN for violating AML laws), and other mixers represent money-laundering risks, despite the fact that they can be and are occasionally used for legitimate purposes.
In ChipMixer’s case, everyone from North Korean cyber actors to malicious Russian hackers linked to the GRU was using the mixer to obscure illicit assets. According to the Justice Department, between August 2017 and March 2023, ChipMixer processed a myriad of transactions for illicit actors. And ChipMixer certainly did not conduct any kind of due diligence on its customers, as required by the BSA, or register with FinCEN.
$17 million in bitcoin for criminals connected to approximately 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt;
Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively;
More than $200 million in bitcoin associated either directly or through intermediaries with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market, the largest and longest running darknet market in the world until its April 2022 shutdown by U.S. and German law enforcement;
More than $35 million in bitcoin associated either directly or through intermediaries with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions; and
Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware, which was first disclosed in a joint cybersecurity advisory released by the FBI and National Security Agency in August 2020.
Minh Quốc Nguyễn, the Vietnam-based operator of ChipMixer, has been charged with a number of offenses in connection with the takedown of this blender, including money laundering, operating an unlicensed money transmitting business, and identity theft.
The criminal complaint against him is also instructive, detailing how the FBI sent bitcoins to a wallet controlled by ChipMixer and received access to “chips” that corresponded to the initial amount of credited bitcoin. ChipMixer demanded a “donation” of a bit more than 2 percent of the total bitcoin submitted for mixing in exchange for its service. Since the “customer” or undercover FBI agent was a US person, ChipMixer had an obligation to register as a US money transmitter with FinCEN before providing the service.
But that was just one of ChipMixer’s transgressions.
The FBI engaged with a blockchain analytics firm and discovered that ChipMixer sent funds to wallets associated with darknet marketplaces, and it received and sent funds to wallets designated as fraud shops. This is in addition to sending and receiving crypto from wallets associated with ransomware groups, such as “Sodinokibi” and “Mamba,” as well as proceeds from hacked and stolen crypto.
And then there was Hydra.
Hydra was a Russian language darknet marketplace that facilitated the sale of illicit items such as narcotics, stolen personal identifying information, malware, hacking services, forged documents, and counterfeit currencies. Hydra allowed buyers to purchase these items using cryptocurrencies, such as bitcoin. The FBI has learned of significant funds traced from Hydra to ChipMixer. According to Company A’s tracing platform, as of March 2023, Hydra users conducted over 5,583 transactions directly with ChipMixer, and sent over $37 million worth of bitcoin from Hydra’s wallets to ChipMixer.
And because several other mixers had been taken down during the past few years, ChipMixer had a huge market share of the illicit mixer services. It was a veritable swamp of illicit activity.
Nguyễn himself was sketchy, using multiple pseudonyms and anonymous emails to conceal his identity.
ChipMixer’s domains were registered to a James Hall in Mumbai, India.
ChipMixer set up an account with one hosting provider using the name “Max Archdall,” leasing servers using a PayPal account associated with that name and the (fake) mailing address 5 Myrtle Street, Merrijig, Australia. Another account at another hosting provider used the name “Ronald Boatwright” and the address Saharova 41, Riga, Latvia, and set up a PayPal account using that information.
Nguyễn had also been posting as “ChipMixer” on bitcoin message boards, touting ChipMixer’s anonymity services and criticizing US AML laws, claiming that “AML/KYC is a sellout to the banks and governments” and advising readers not to use exchanges that abide by US laws. His public posts indicate that he engaged in helping customers avoid detection, and they were used as evidence to charge him.
Mixers, however, are not a new phenomenon. The risk of their use to launder illicit proceeds had been flagged for several years by various governments, think tanks, and agencies.
FinCEN in 2017 assessed a civil monetary penalty against BTC-E (aka Canton Business Corporation (BTC-e)) and Alexander Vinnik, who were indicted that year for money laundering, conspiracy to commit money laundering, engaging in unlawful monetary transactions, and the operation of an unlicensed money transmitting business. Vinnik, who last year was extradited from Greece to the United States, and BTC-e had been operating since 2011 without an effective AML program, without registering with FinCEN, without filing suspicious activity reports (SARs), and committing other violations.
BTC-e also lacked adequate internal controls to mitigate the risks presented by virtual currencies with anonymizing features. BTC-e facilitated transfers of the convertible virtual currency Dash, which has a feature called “PrivateSend.” PrivateSend provides a decentralized mixing service within the currency itself in an effort to enhance user anonymity. BTC-e and Alexander Vinnik failed to conduct appropriate risk-based due diligence to address the challenges anonymizing features would have on compliance with BSA reporting and recordkeeping requirements.
What does this all mean?
Well, if I were a compliance officer at a financial institution, I would think twice about banking a mixer. Although technically legal, these services are much too risky, and transactions would require a lot more due diligence.
Is there evidence that the mixer’s leadership is intentionally and systematically helping customers violate US laws? You’d have to research this, if you could even correctly identify the person behind the mixer, since they tend to hide behind multiple false identities to avoid detection.
Is the mixer gaining more and more market share in the illicit finance space? You’d have to monitor the space to determine takedowns or other various demises of existing mixers.
Are malign actors recommending the service as a way to launder funds? Monitoring online fora and message boards could help you determine the reputation of the mixer, as well as customer ratings.
Is the individual wishing to open the account a real person with real connections and a real online presence, or is it a fake identity with a superficial presence, no photo, or a photo taken from a site that provides free images? Run a reverse image search to determine that information.
If the entity is taken down, will the financial institution be cited for insufficient due diligence performed on its customer? If the red flags were present, then probably yes.
From Nguyễn’s very public Internet posts, it was certainly obvious that he intentionally helped customers conceal the origins of funds and evade regulations. If I were a compliance officer, I would certainly recommend avoiding this client like the plague, because if you’re willing to service this entity, you’re going to be considered high-risk as well, and will probably draw the attention of regulators.
As more of these mixers are taken down, I’m sure that others will pop up and will use the information in the criminal complaints and Justice Department press releases to alter their modus operandi and not make the same mistakes.
In some cases, these takedowns can act as deterrents to newcomers.
In other cases, they can be roadmaps.
As the illicit actors learn, so should we.
This crap is why it is so hard to 'follow the money' in international circles these days. And another reason to stay away from cryptocurrencies in general.
I don't know enough to say anything smart. I've never done a deep enough dive to actually make sense of the whole crypto mess. But I can say that going from crypto to fiat is always interesting. For versions of interesting.