HSI Arizona investigation leads to takedown of cryptocurrency mixer that processed over $3 billion in unlawful crypto transactions

PHOENIX — On March 15, Homeland Security Investigations (HSI) and other law enforcement agencies participated in the coordinated, large-scale international takedown of ChipMixer, a darknet cryptocurrency "mixing" service. ChipMixer was responsible for laundering more than $3 billion in cryptocurrency between 2017 and the present involving ransomware, darknet marketplaces, fraud, cryptocurrency heists and other hacking schemes.

The operation involved court-authorized seizures of two internet domains directing users to ChipMixer and one Github account, as well as the German Federal Criminal Police’s seizure of the ChipMixer back-end servers and more than $46 million in cryptocurrency.

Coinciding with the ChipMixer takedown efforts, Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged today in Philadelphia with money laundering, operating an unlicensed money transmitting business and identity theft connected to ChipMixer’s operation.

"This morning, working with partners at home and abroad, the Department of Justice disabled a prolific cryptocurrency mixer, which has fueled ransomware attacks, state-sponsored crypto-heists and darknet purchases across the globe," said Deputy Attorney General Lisa Monaco. "Today’s coordinated operation reinforces our consistent message: We will use all of our authorities to protect victims and take the fight to our adversaries. Cybercrime seeks to exploit boundaries, but the Department of Justice’s network of alliances transcends borders and enables disruption of the criminal activity that jeopardizes our global cybersecurity."

"Today's announcement demonstrates the FBI's commitment to dismantling technical infrastructure that enables cyber criminals and nation-state actors to illegally launder cryptocurrency funds," said FBI Deputy Director Paul Abbate. "We will not allow cybercriminals to hide behind keyboards nor evade the consequences of their illegal actions. Countering cybercrime requires the ultimate level of collaboration between and among all law enforcement partners. The FBI will continue to elevate those partnerships and leverage all available tools to identify, apprehend and hold accountable these bad actors and put an end to their illicit activity."

According to court documents, ChipMixer — one of the most widely used mixers to launder criminally-derived funds — allowed customers to deposit bitcoin, which ChipMixer then mixed with other ChipMixer users’ bitcoin, commingling the funds in a way that made it difficult for law enforcement and regulators to trace the transactions. ChipMixer offered numerous features to enhance its criminal customers’ anonymity. The service had a clearnet web domain but operated primarily as a Tor hidden service, concealing the operating location of its servers to prevent seizure by law enforcement. ChipMixer serviced many customers in the United States but did not register with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network or collect identifying information about its customers.

As alleged in the complaint, ChipMixer attracted a significant criminal clientele and became indispensable in obfuscating and laundering funds from multiple criminal schemes. Between August 2017 and March 2023, ChipMixer processed:

• $17 million in bitcoin for criminals connected to approximately 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt
• Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively
• More than $200 million in bitcoin associated either directly or through intermediaries with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market, the largest and longest running darknet market in the world until its April 2022 shutdown by U.S. and German law enforcement
• More than $35 million in bitcoin associated either directly or through intermediaries with "fraud shops," which criminals use to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions
• Bitcoin used by the Russian General Staff Main Intelligence Directorate, 85th Main Special Service Center, military unit 26165 aka APT 28 to purchase infrastructure for the Drovorub malware, which was first disclosed in a joint cybersecurity advisory released by the FBI and National Security Agency in August 2020.