ChipMixer Takedown: On-Chain Analysis Shows Ransomware Syndicates and DNMs Used Mixer to Launder Illicit Proceeds
On March 15, 2023, German and US authorities, supported by Europol, announced the shutdown of ChipMixer, a cryptocurrency mixing service that facilitated international money laundering. During the operation, officials seized four servers and nearly USD 44.2 million in cryptocurrency.
Research by TRM Labs confirms that ChipMixer was widely used by prominent ransomware syndicates to launder illicit proceeds. Among them were Karakurt, SunCrypt, REvil, Conti, LockBit, Ragnar Locker, and Royal.
Royal in particular is believed to be the main successor of Conti, one of the most notorious and sophisticated groups in the history of ransomware, which shut down its operations in May 2022. According to a recent advisory by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), Royal has been operating since approximately September 2022. Royal has targeted numerous critical infrastructure sectors including, manufacturing, communications, healthcare, and education. Its ransom demands have ranged from approximately USD 1 million to USD 11 million, payable in bitcoin.
Royal frequently relied on ChipMixer to launder extorted funds. The graph below shows one instance when actors affiliated with Royal laundered nearly USD 500,000 from a ransom payment they received in November 2022.
TRM research also found at least 20 darknet marketplaces (DNMs) that laundered over USD 18 million in direct transfers through ChipMixer during the mixer’s nearly six years of activity. Russian-language DNMs were its most frequent customers, with Hydra Market by far the largest, with over USD 17 million laundered through ChipMixer. Kraken Market - by now one of the most popular and significant Russian-language DNMs - has relied on ChipMixer for nearly USD 130,000 worth of transactions.
Western DNMs were found to have sent significantly lower volumes to ChipMixer than their Russian-language counterparts. In fact, Western DNMs accounted for less than 1% of the all-time DNM volume laundered via ChipMixer.
Among Western DNMs, the now-defunct Swedish darknet marketplace Flugsvamp 3.0 had funneled the most funds to ChipMixer - over USD 120,000. Established in December 2018, Flugsvamp 3.0 was the third iteration of the “Flugsvamp” DNM brand that was originally launched in February 2014. Its name roughly translates as “fly agaric”, a type of psychoactive mushroom.
Of the currently active Western DNMs, actors associated with ASAP Market were the largest ChipMixer users, with approximately USD 14,000 sent to the mixer. Another Western darknet marketplace community favorite, Incognito Market, only delivered the equivalent of about a third of this amount to ChipMixer.
Independent vendor shops selling illicit drugs also relied on ChipMixer’s services, although much less extensively than DNM actors due to their significantly lower volumes. This is because independent vendor shops are entities where a single vendor controls the shop’s operations and escrow, whereas DNMs are platforms that allow a multitude of vendors to operate alongside each other on the marketplace.
Longtime British vendor and independent shop operator “DCdutchconnectionUK” was the largest user of ChipMixer’s capabilities, funneling more than 80% of the funds they generated through the sale of illicit drugs in their shop to ChipMixer. Another British independent shop operator, “MadMax”, also heavily relied on ChipMixer to launder the proceeds of their illicit drug business. Specializing in the sale of cocaine, 4MMC, cannabis, ketamine, MDMA, hashish, and speed, MadMax laundered more than 95% of their proceeds through ChipMixer. Two Russian vendors also channeled USD 14,000 and USD 3,600 respectively to the mixer.
“Cybercrime seeks to exploit boundaries, but the Department of Justice’s network of alliances transcends borders and enables disruption of the criminal activity that jeopardizes our global cybersecurity”, stated the official DOJ press release about the takedown of ChipMixer. Illicit actors will always seek new and innovative ways to obfuscate fund flows, and TRM Labs will continue to monitor the use of mixers and other tools and services being used to move illicit funds.
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.