German and US authorities, supported by Europol, seized Bitcoins worth around $46 million in a coordinated international law enforcement action, which took down ChipMixer, a darknet cryptocurrency “mixing” service responsible for laundering more than $3 billion worth of cryptocurrency since 2017. The service laundered the money from illicit activities, including ransomware, darknet markets, fraud, cryptocurrency heists, and other hacking schemes.
The law enforcement operation included the seizure of two domains that directed users to the ChipMixer service and one Github account, as well as the German Federal Criminal Police’s (the Bundeskriminalamt) seizure of the ChipMixer back-end servers and more than $46 million in cryptocurrency.
ChipMixer was one of the most widely used mixers to launder criminally-derived funds. It allowed customers to deposit bitcoin, which ChipMixer then mixed with other ChipMixer users’ bitcoin, commingling the funds in a way that made it difficult for law enforcement or regulators to trace the transactions.
Between August 2017 and March 2023, ChipMixer processed:
- $17 million in bitcoin for criminals connected to approximately 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt;
- Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively;
- More than $200 million in bitcoin associated either directly or through intermediaries with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market, the largest and longest-running darknet market in the world until its April 2022 shutdown by U.S. and German law enforcement;
- More than $35 million in bitcoin associated either directly or through intermediaries with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions; and
- Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware, which was first disclosed in a joint cybersecurity advisory released by the FBI and National Security Agency in August 2020.
Coinciding with the ChipMixer takedown efforts, Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged today in Philadelphia with money laundering, operating an unlicensed money transmitting business, and identity theft, connected to the operation of ChipMixer.
In and around August 2017, Nguyễn created and operated the online infrastructure used by ChipMixer and promoted ChipMixer’s services online. Nguyễn registered domain names, procured hosting services, and paid for the services used to run ChipMixer through identity theft, pseudonyms, and anonymous email providers.
Nguyễn is charged with operating an unlicensed money-transmitting business, money laundering, and identity theft. If convicted, he faces a maximum penalty of 40 years in prison.