Money laundering site ChipMixer used by state-backed cybergangs taken offline by international law enforcement
Darknet cryptocurrency mixer ChipMixer has been taken offline in a sting involving Europol, the FBI and German police, which saw servers, internet domains and $46m in cryptocurrencies seized. Evidence of digital currencies belonging to wallets linked to North Korean cybercriminals and Russian intelligence services was uncovered during the raid.
Vietnamese national Minh Quốc Nguyễn, 49, was arrested in connection with the bust and charged in Philadelphia, US, with money laundering, operating an unlicensed money-transmitting business and identity theft. He is thought to be the sole operator of ChipMixer.
ChipMixer was launched in 2019 and has since washed more than $3bn in cryptocurrencies, according to the US Department of Justice. The service mixed funds stolen during the Axie Infinity Ronin Bridge heist in April and the Harmony Horizon Bridge heist in 2020, both perpetrated by the infamous North Korean state-backed hacking group Lazarus.
Evidence of Bitcoin used by Russian intelligence agency the GRU to purchase infrastructure for the Drovorub malware in 2020 was also uncovered during the raid.
Cryptocurrencies linked to thirty-seven ransomware strains went through the mixer while it was operational. These included LockBit, the gang that carried out both the Royal Mail and the WH Smith hacks this year, alongside the internationally renowned REvil, which carried out the cyberattack on US managed service provider Kaseya.
As well as organised cybercriminals, individuals appear to have laundered over $200m in Bitcoin using ChipMixer, with $60m of it coming from the infamous Hydra Market, which was shut down in a coordinated effort by international law enforcement in April.
Nguyễn appears to have created and operated the online infrastructure, registered the domain names, procured and paid for the hosting services and advertised the web tool on the dark web all by himself, according to a press release from the DoJ.
“ChipMixer facilitated the laundering of cryptocurrency, specifically Bitcoin, on a vast international scale, abetting nefarious actors and criminals of all kinds in evading detection,” said US Attorney Jacqueline C Romero for the Eastern District of Pennsylvania.
“Platforms like ChipMixer, which are designed to conceal the sources and destinations of staggering amounts of criminal proceeds, undermine the public’s confidence in cryptocurrencies and blockchain technology. We thank all our partners at home and abroad for their hard work in this case. Together, we cannot and will not allow criminals’ exploitation of technology to threaten our national and economic security,” she continued.
How did ChipMixer work?
According to court documents, ChipMixer allowed customers to deposit Bitcoin, which would then be mixed with other users’ Bitcoin to anonymise the currency. This mixer went a step further, however, by turning the deposited funds into small tokens of equal value called “chips”, which were then mixed together, further anonymising the funds and breaking the blockchain trail back to their source. This aspect is what drew so many criminals to the site.
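The equal-value “chip” design described above is exactly what blockchain analysts look for when tracing funds through a mixer: a transaction whose outputs are all the same size carries no change output and no amount that can be matched back to a particular deposit. The following script is an added example, not code from the article or from any investigation it reports on; it runs a simple chip-shape heuristic over constructed transaction records (the transaction ids, output values and the minimum-chip threshold are all assumptions for illustration) and tallies which denominations recur, since a denomination that shows up across many otherwise unrelated transactions is a signature worth escalating to a fuller cluster analysis.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Tx:
    """Minimal transaction record: an id and its output values in BTC."""
    txid: str
    outputs: list[float]


# Constructed sample data (not real chain data): a real pipeline would pull
# these from a node RPC or a block explorer export.
SAMPLE_TXS = [
    Tx("tx-constructed-01", [0.5, 0.5, 0.5, 0.5, 0.5, 0.5]),  # six equal "chips"
    Tx("tx-constructed-02", [1.2371, 0.0429]),               # ordinary payment + change
    Tx("tx-constructed-03", [0.001, 0.001, 0.001, 0.001]),   # four tiny equal chips
    Tx("tx-constructed-04", [0.25, 0.25, 0.3]),              # mostly equal, not all
    Tx("tx-constructed-05", [0.5, 0.5, 0.5, 0.5]),           # same denomination as 01
]

# Assumption: fewer equal outputs than this is too common in ordinary
# batched payments to be worth flagging on its own.
MIN_CHIPS = 4


def to_sats(value_btc: float) -> int:
    """Convert BTC to integer satoshis so float noise cannot split equal outputs."""
    return round(value_btc * 100_000_000)


def is_chip_shaped(tx: Tx, min_chips: int = MIN_CHIPS) -> bool:
    """True when every output is the same value and there are at least min_chips of them.

    Such a transaction has no change output, so the usual "largest output is the
    payment, smaller one is change" heuristic yields nothing, and no output amount
    can be matched to a specific input.
    """
    if len(tx.outputs) < min_chips:
        return False
    return len({to_sats(v) for v in tx.outputs}) == 1


def flag_transactions(txs: list[Tx], min_chips: int = MIN_CHIPS) -> list[str]:
    """Return the ids of transactions that match the chip shape."""
    return [tx.txid for tx in txs if is_chip_shaped(tx, min_chips)]


def denomination_counts(txs: list[Tx], min_chips: int = MIN_CHIPS) -> Counter:
    """Count, in satoshis, how often each chip denomination recurs across flagged txs.

    A denomination reused across many transactions is the service's fingerprint;
    a single chip-shaped transaction on its own proves little.
    """
    counts: Counter = Counter()
    for tx in txs:
        if is_chip_shaped(tx, min_chips):
            counts[to_sats(tx.outputs[0])] += 1
    return counts


if __name__ == "__main__":
    print("chip-shaped:", flag_transactions(SAMPLE_TXS))
    for sats, n in denomination_counts(SAMPLE_TXS).most_common():
        print(f"denomination {sats / 1e8:.8f} BTC seen in {n} transaction(s)")
```

The heuristic is deliberately conservative: it reports only the transaction shape and the recurring denominations, and leaves attribution to a proper clustering step that also considers input reuse, timing and counterparties, since equal-value outputs alone also occur in legitimate batched payouts.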
The domain now displays a seizure notice, stating: “This domain has been seized by the FBI in accordance with a seizure warrant.”
Scott Brown, special agent in charge of Homeland Security Investigations (HSI) Arizona, added: “Together, with our international partners, we are firmly committed to identifying and investigating cybercriminals who pose a serious threat to our economic security by laundering billions of dollars’ worth of cryptocurrency under the misguided anonymity of the darknet.”