US, German Authorities Take Down ChipMixer Platform

The FBI and German authorities have taken down the infrastructure of one of the more notorious cryptocurrency mixing services on the darkweb, ChipMixer, which authorities allege was a major hub of money laundering activity for organized crime and ransomware groups.

The operation was a joint effort between the FBI, the German Federal Criminal Police Office, and agencies in Belgium, Poland, and Switzerland, along with support from Europol. As part of the operation, authorities seized four servers, 1909 Bitcoins, and seven terabytes of data from the ChipMixer infrastructure. The U.S. also charged Minh Quốc Nguyễn of Vietnam with money laundering and other crimes in connection with the ChipMixer operation.

"Beginning in and around August 2017, as alleged in the complaint, Nguyễn created and operated the online infrastructure used by ChipMixer and promoted ChipMixer’s services online. Nguyễn registered domain names, procured hosting services and paid for the services used to run ChipMixer through the use of identity theft, pseudonyms, and anonymous email providers," the Department of Justice said in a release.

ChipMixer is one of the many platforms that specialize in mixing cryptocurrency assets in such a way that the transactions and blockchain trail become much more difficult to trace. Ransomware and cybercrime groups rely on mixing services to help turn their stolen or otherwise ill-gotten assets into clean cryptocurrency that they can then turn into hard currency. Authorities allege that ChipMixer laundered about $3.75 billion in assets.

“The ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud. Deposited funds would be turned into “chips” (small tokens with equivalent value), which were then mixed together - thereby anonymising all trails to where the initial funds originated,” a statement from Europol on the operation says.

“The investigation into the criminal service suggests that the platform may have facilitated the laundering of 152 000 Bitcoins (worth roughly EUR 2.73 billion in current estimations) in crypto assets. A large share of this is connected to darkweb markets, ransomware groups, illicit goods trafficking, procurement of child sexual exploitation material, and stolen crypto assets.”

The takedown of ChipMixer is the latest in a series of actions by the United States government against ransomware groups and the broader ecosystem that supports and enables them. In November, U.S. authorities arrested an alleged member of the LockBit ransomware group, in February they sanctioned alleged members of the Trickbot group, and in 2021 indicted two alleged members of the REvil ransomware group and seized $6 million in assets. The U.S. government also has targeted the financial holdings of ransomware operators, seizing millions in ransom payments from several different groups, including a portion of the ransom paid in the Colonial Pipeline attack.

Europol alleges that several ransomware groups, including Zeppelin, SunCrypt, Mamba, Dharma and LockBit, used ChipMixer to launder ransom payments.

“This morning, working with partners at home and abroad, the Department of Justice disabled a prolific cryptocurrency mixer, which has fueled ransomware attacks, state-sponsored crypto-heists and darknet purchases across the globe,” said Deputy Attorney General Lisa Monaco. “Today’s coordinated operation reinforces our consistent message: we will use all of our authorities to protect victims and take the fight to our adversaries. Cybercrime seeks to exploit boundaries, but the Department of Justice’s network of alliances transcends borders and enables disruption of the criminal activity that jeopardizes our global cybersecurity.”