Darknet Crypto Mixer Busted: US DOJ Investigation Leads to Seizure of Almost $50 Million – Here’s What You Need to Know

Sead Fadilpašić

The US Justice Department (DoJ) and Europol have made a major breakthrough in their fight against cryptocurrency money laundering. ChipMixer, one of the largest cryptocurrency laundering services on the dark web, has been dismantled following a coordinated effort, according to the agencies. The service is believed to have laundered over $3 billion worth of cryptocurrencies for illicit activities such as ransomware, fraud, and other illegal practices.

The agency stated that,

“The operation involved U.S. federal law enforcement’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account, as well as the German Federal Criminal Police’s (the Bundeskriminalamt) seizure of the ChipMixer back-end servers and more than $46 million in cryptocurrency.”

According to the US Justice Department, Minh Quốc Nguyễn, a 49-year-old resident of Hanoi, Vietnam, was identified as the mastermind behind the notorious ChipMixer cryptocurrency laundering service. 

Nguyễn allegedly promoted the platform as a means of evading anti-money laundering and know-your-customer requirements, deriding them as “a sellout to the banks and governments.” 

The post also contained instructions on how to use ChipMixer to evade such measures, urging customers to avoid AML/KYC exchanges.

Nguyễn was charged in Philadelphia, USA, with money laundering, operating an unlicensed money-transmitting business, and identity theft. If convicted, he faces a maximum penalty of 40 years in prison.

Also on Wednesday, the European Union Agency for Law Enforcement Cooperation (Europol) said it assisted German and US authorities, supported by Belgium, Poland, and Switzerland, in taking down ChipMixer, adding that they seized 1,909.4 Bitcoin (BTC) in 55 transactions.

“The investigation into the criminal service suggests that the platform may have facilitated the laundering of 152 000 Bitcoins (worth roughly EUR 2.73 billion in current estimations) in crypto assets,” Europol said. “A large share of this is connected to darkweb markets, ransomware groups, illicit goods trafficking, procurement of child sexual exploitation material, and stolen crypto assets.”

Between August 2017 and March 2023, according to the DoJ, ChipMixer processed:

  • $17 million in Bitcoin for criminals connected to 37 ransomware strains;
  • over $700 million in Bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively;
  • more than $200 million in Bitcoin associated with darknet markets, including more than $60 million in Bitcoin processed on behalf of customers of Hydra Market, the world’s largest and longest-running darknet market until its April 2022 shutdown by US and German law enforcement;
  • more than $35 million in Bitcoin associated with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials, and data stolen through network intrusions;
  • Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165, to purchase infrastructure for the Drovorub malware.

‘One of the largest crypto laundromats’

ChipMixer, said Europol, was “an unlicensed cryptocurrency mixer” launched in 2017. 

Its software blocked the blockchain trail of the funds, “making it attractive for cybercriminals” engaging in drug trafficking, weapons trafficking, and payment card fraud, among other illegal activities. 

Deposited funds would be turned into small tokens called “chips”, which were then mixed together. The platform offered full anonymity to its clients.

The agency also claimed that criminals laundered crypto and redirected it to crypto exchanges, “some of which are also in the service of organized crime,” and added that,

“Authorities are also investigating the possibility that some of the crypto assets stolen after the bankruptcy of a large crypto exchange in 2022 were laundered via ChipMixer.”

The DoJ noted that ChipMixer had a clearnet web domain but that it operated primarily as a Tor hidden service so that its server location would be hidden from law enforcement, preventing seizure. 

It serviced “many customers” in the US but did not register with the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) nor collect identifying information about its customers, it added.

US Attorney Jacqueline Romero for the Eastern District of Pennsylvania was quoted as saying,

“Platforms like ChipMixer, which are designed to conceal the sources and destinations of staggering amounts of criminal proceeds, undermine the public’s confidence in cryptocurrencies and blockchain technology.”

Europol and its Joint Cybercrime Action Taskforce (J-CAT) facilitated the information exchange between national authorities, supported the coordination of the operation, provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through operational analysis, crypto tracing, and forensic analysis. 

National authorities involved included Belgium’s Federal Police; Germany’s Federal Criminal Police Office and General Prosecutor’s Office Frankfurt-Main; Poland’s Central Cybercrime Bureau; Switzerland’s Cantonal Police of Zurich; and the USA’s Federal Bureau of Investigation (FBI), Homeland Security Investigations, and DoJ.

According to Deputy Attorney General Lisa Monaco,

“Cybercrime seeks to exploit boundaries, but the Department of Justice’s network of alliances transcends borders and enables disruption of the criminal activity that jeopardizes our global cybersecurity.”

FBI Deputy Director Paul Abbate commented that countering cybercrime “requires the ultimate level of collaboration between and among all law enforcement partners.”

Meanwhile, the US Treasury Department redesignated sanctions on Tornado Cash in November, saying North Korea’s Lazarus Group had used the mixing service to launder more than $100m stolen in crypto heists. 

The Treasury Department’s Office of Foreign Assets Control (OFAC) first sanctioned Tornado Cash in August last year, when it said the service “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors.”
