Cryptocurrency tumbling in the air

An international law enforcement operation has seized the cryptocurrency mixing service 'ChipMixer', which is said to be used by hackers, ransomware gangs, and scammers to launder their proceeds.

The operation was conducted by Europol in coordination with law enforcement in Germany (BKA) and the United States (FBI), allowing the police to seize four servers, 7 TB of data, and $46.5 million worth of cryptocurrency (Bitcoin).

This makes the operation the largest seizure of cryptocurrency assets by the BKA to date.

ChipMixer has been one of the largest cryptocurrency mixing platforms operating on the dark web since 2017, allowing users to convert their money into untraceable "chips," which are then cashed out on "clean" cryptocurrency addresses that can be converted to fiat money.

As the police seized infrastructure, including the operation's Tor dark web servers, visitors to the platform will now see a seizure banner from Germany's Federal Criminal Police Office, the Bundeskriminalamt (BKA).

BKA seizure banner
Source: BleepingComputer

Cryptocurrency mixing platforms, otherwise known as "tumblers," receive digital assets from users and add them to a massive pool of cryptocurrency containing other people's coins.

These coins are then "mixed" by shuffling the cryptocurrency between many new wallet addresses, boosting the privacy and anonymity of transactions and cryptocurrency holders. For this activity, the mixing service takes a fee, which could be a flat rate or a percentage of the mixed amount.

While legitimate use cases exist for such services, they are predominantly used by cybercriminals looking to evade identification and prosecution, and this was very much the case with ChipMixer too.

"The investigation into the criminal service suggests that the platform may have facilitated the laundering of 152 000 Bitcoins (worth roughly EUR 2.73 billion in current estimations) in crypto assets," reads the Europol announcement.

"A large share of this is connected to dark web markets, ransomware groups, illicit goods trafficking, procurement of child sexual exploitation material, and stolen crypto assets."

The authorities found further ties between the ChipMixer service and illegal activity while examining seized infrastructure from the dark web market Hydra, which the German police confiscated in April 2022.

Ransomware groups confirmed to have used ChipMixer to launder their ransoms include LockBit, Zeppelin, SunCrypt, Mamba, and Dharma.

Additionally, there are indications that ChipMixer aided in laundering the assets stolen from a large cryptocurrency exchange following its bankruptcy last year. However, authorities are still investigating on that front.

In a post published today, the BKA also mentions that the primary operator of ChipMixer has been identified, and the FBI is already on a manhunt to bring him to justice.

Additionally, a reward is now offered via the U.S. DoJ "Rewards for Justice" program.


Update 3/15 - The U.S. Department of Justice has published an announcement about ChipMixer's seizure, and also announced the charging of an individual who is believed to be the creator and operator of the platform.

"Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged today in Philadelphia with money laundering, operating an unlicensed money transmitting business and identity theft, connected to the operation of ChipMixer," announced the U.S. Department of Justice in a press statement.

"Nguyễn created and operated the online infrastructure used by ChipMixer and promoted ChipMixer’s services online."

"Nguyễn registered domain names, procured hosting services and paid for the services used to run ChipMixer through the use of identity theft, pseudonyms, and anonymous email providers."
