Crypto ‘Mixer’ Laundered $700 Million For Customers, Including Russian And North Korean Spies, DOJ Says
An international law enforcement operation has taken down ChipMixer, a dark web “mixer” that helped criminals launder over $700 million, Europol and other policing agencies announced on Wednesday. Amongst its users were North Korean hackers and Russian spies, according to the Department of Justice.
ChipMixer charged a small fee to take in clients’ cryptocurrency and spread it across different accounts, in order to complicate law enforcement tracking of criminal proceeds, police said. In total, it processed $3 billion, nearly a billion of which has been traced to crimes, including ransomware incidents and darknet market drug sales, the DOJ said.
ChipMixer domains have been taken down, nearly $50 million seized, and the DOJ has charged Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, with allegedly operating the service since 2017.
Tom Robinson, founder of cryptocurrency tracking company Elliptic, said it was a “very significant” takedown. “Chipmixer was the largest centralized mixer in operation,” he told Forbes. He pointed to its use by the Lazarus Group, one of North Korea’s most notorious hacking groups, accused of major crypto thefts. That included a breach of Axie Infinity’s Ronin Bridge last year, which saw $540 million stolen, and a hack of Harmony’s Horizon Bridge in 2020, when $100 million went missing.
The DOJ also claimed Russia’s GRU intelligence agency was a ChipMixer user. According to a complaint filed on Wednesday against Nguyễn, the agency’s APT28 group, also known as Fancy Bear, “used ChipMixer to obfuscate the origin of the funds that were used to purchase infrastructure for their ‘Drovorub’ malware.” The Department of Defense previously analyzed the malware, saying it was for persistent surveillance of an infected device. Amongst APT28’s previous victims is the Democratic National Committee (DNC), which was infamously hacked in the lead-up to the 2016 election.
The FBI said it traced $17 million in ransomware proceeds, linked to 37 different groups, to ChipMixer’s services. Over $800,000 in bitcoin laundered via the mixer was from a ransomware strain known as Sodinokibi, otherwise known as REvil. REvil’s most significant breach came in 2021 when it targeted customers of IT software supplier Kaseya, with as many as 1,500 businesses breached and a $70 million ransom demanded.
“ChipMixer facilitated the laundering of cryptocurrency, specifically bitcoin, on a vast international scale, abetting nefarious actors and criminals of all kinds in evading detection,” said U.S. attorney Jacqueline Romero. “We cannot and will not allow criminals’ exploitation of technology to threaten our national and economic security.”
But cutting off one head often leads others to grow. The shutdown of ChipMixer will likely lead users to move to rival platforms, said Robinson. He pointed to Sinbad, believed to be a new version of Blender, a mixer also sanctioned for helping North Korea’s Lazarus Group funnel tens of millions in illicitly obtained bitcoin.
It may also be unlikely that Nguyễn will ever appear in court. The U.S. does not have an extradition treaty with Vietnam. Prosecutors will have to hope he turns up in an America-friendly country to have any chance of making him face their charges in person.