The U.S. Department of Justice (“DOJ”) announced on March 15, 2023 that, in a coordinated effort between the U.S. Federal Bureau of Investigation, Europol, and German police, the darknet cryptocurrency mixing service ChipMixer has been shut down. The operation involved the U.S. government’s court-authorized seizure of two domains that directed users to the ChipMixer service and one GitHub account. In addition, German authorities seized $46 million in cryptocurrency, as well as ChipMixer’s back-end servers used to run the site.
Further, the U.S. Attorney’s Office for the Eastern District of Pennsylvania filed a criminal complaint against ChipMixer’s suspected founder, Vietnamese national Minh Quoc Nguyen (“Nguyen”), alleging that Nguyen openly flouted financial regulations and instructed users how to use ChipMixer to evade reporting requirements while obscuring his true name under a series of stolen and fictitious identities. The complaint also alleges that ChipMixer, described as a popular platform for laundering illicit funds gained from unlawful activities like drug trafficking, ransomware attacks (according to Europol, ransomware actors Zeppelin, SunCrypt, Mamba, Dharma, and LockBit have used ChipMixer), and payment card fraud, was used to launder more than $3 billion in cryptocurrency since 2017. Nguyen has been charged with money laundering, operating an unlicensed money transmitting business, and identity theft in connection with the operation of ChipMixer.
ChipMixer is a crypto mixing service, also known as a crypto “tumbler.” Mixing services are anonymity tools that blend potentially identifiable or “tainted” cryptocurrency funds with the funds of others, obfuscating the trail back to the funds’ original source and making it difficult for law enforcement or regulators to trace the transactions. Because blockchain transactions are publicly visible, cybercriminals can use mixers to obscure the trail of ill-gotten digital currencies.
According to the complaint against Nguyen, between August 2017 and March 2023 ChipMixer processed over $700 million associated with wallets designated as stolen funds; $17 million connected to approximately 37 ransomware strains; and more than $200 million associated with darknet markets selling drugs, stolen identities, malware, hacking tools, and counterfeit cash. The investigations also revealed stolen funds tracked to the Lazarus Group, one of the Democratic People’s Republic of North Korea’s (“DPRK”) most notorious hacking groups, which has been accused of major crypto heists (we have previously blogged about the Lazarus Group here). The DOJ further alleges that ChipMixer processed cryptocurrency linked to Russia’s military intelligence service – best known under its old acronym, the GRU – which used the mixing service to purchase infrastructure in connection with its “Drovorub” malware.
The DOJ alleges that Nguyen created and operated ChipMixer in order to subvert anti-money laundering requirements under the Bank Secrecy Act (“BSA”). The complaint claims that ChipMixer provided numerous features to its clients in order to increase the anonymity of its criminal customers, and that it had a clearnet web domain but primarily operated as a Tor hidden service, concealing the operating location of its servers in order to avoid seizure by law enforcement. According to the complaint, ChipMixer charged customers a small fee to turn deposited Bitcoin into small tokens of equivalent value called “chips”, which were then mixed together with other customers’ Bitcoin, thereby further anonymizing the currencies and blocking the blockchain trails of the funds. At the end of the process, the “cleaned” Bitcoin could be exchanged into other cryptocurrencies or directly into fiat currency through bank accounts when customers wanted to “cash out.”
ChipMixer reportedly operated as a money transmitter, as defined by the BSA, and serviced many customers in the U.S., but did not register with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”). Unlike crypto services both registered to operate in the U.S. and compliant with the BSA, ChipMixer allegedly did not collect identifying information about its users, nor did it establish and maintain anti-money laundering programs to detect and report suspicious transactions. To the contrary, ChipMixer was allegedly established to specifically contravene such requirements.
According to the complaint, Nguyen took meticulous steps to conceal his identity, using fake names and addresses, primarily from U.S. residents in their 60s and 70s, opening up email accounts and using payment services with stolen credentials in order to subvert BSA requirements. He allegedly used such email accounts to operate the online infrastructure used by ChipMixer to try to hide his digital footprints. Further, Nguyen allegedly posted on public Bitcoin forums, opining that AML rules were nothing but excuses for the government to spy on people, arguing that they should be ignored. He purportedly advised customers “please do not use AML/KYC exchanges” and instructed users how to use ChipMixer to evade reporting requirements. Touting his platform on a popular crypto message board in 2017, Nguyen reportedly said, “If you want to hide who you are, ChipMixer is the perfect way.”
“If you want to hide who you are, ChipMixer is the perfect way.” Perhaps not.
Other Related Enforcement
U.S. law enforcement and regulators have been cracking down on mixers. In October 2020, FinCEN assessed a $60 million civil money penalty against Larry Dean Harmon, the founder, administrator, and primary operator of Helix and Coin Ninja, convertible virtual currency mixers, for alleged violations of the BSA. In April 2021, the DOJ alleged that Bitcoin Fog moved more than 1.2 million bitcoin, the bulk of which allegedly came from darknet marketplaces and was tied to illegal narcotics, computer fraud and abuse activities, and identity theft. (See our blog post about Helix, Coin Ninja, and Bitcoin Fog here).
Mixers also figure prominently in certain sanctions evasion cases. In May 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued its first ever sanctions on a virtual currency mixer, Blender.io, which was allegedly used by the DPRK to support its malicious cyber activities and money laundering of stolen virtual currency. Three months later, in August 2022, OFAC sanctioned Tornado Cash, which had reportedly been used to launder more than $7 billion worth of virtual currency since its creation in 2019. (See our blogs about the controversial OFAC sanctioning of mixers here and here).
The takedown of ChipMixer is the latest in a series of actions by law enforcement agencies aimed at identifying and shuttering the increasingly sophisticated methods online criminals use to attempt to anonymously launder billions of dollars of illicit funds. It further underscores increasing international coordination by law enforcement in such cases.