US-led action takes down money launderer for North Korea and Russia-sponsored hackers

Rick Steves

“The Department of Justice disabled a prolific cryptocurrency mixer, which has fueled ransomware attacks, state-sponsored crypto-heists and darknet purchases across the globe.”

A coordinated international enforcement action was able to take down ChipMixer, a darknet cryptocurrency “mixing” service responsible for laundering more than $3 billion worth of cryptocurrency throughout the last five years in support of ransomware, darknet market, fraud, cryptocurrency heists, and other hacking schemes.

The operation involved U.S. federal law enforcement’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account, as well as the German Federal Criminal Police’s (the Bundeskriminalamt) seizure of the ChipMixer back-end servers and more than $46 million in cryptocurrency.

Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged in Philadelphia with money laundering, operating an unlicensed money-transmitting business, and identity theft, connected to the operation of ChipMixer. If convicted, he faces a maximum penalty of 40 years in prison.

Minh Quốc Nguyễn was behind $3 billion-worth crypto mixing operation

Nguyễn allegedly created and operated the online infrastructure used by ChipMixer and promoted ChipMixer’s services online. He registered domain names, procured hosting services, and paid for the services used to run ChipMixer through the use of identity theft, pseudonyms, and anonymous email providers, according to the complaint.

In online posts, Nguyễn publicly derided efforts to curtail money laundering, posting in reference to anti-money laundering (AML) and know-your-customer (KYC) legal requirements that “AML/KYC is a sellout to the banks and governments,” advising customers “please do not use AML/KYC exchanges” and instructing them how to use ChipMixer to evade reporting requirements.

One of the most widely used mixers to launder criminally-derived funds, ChipMixer allowed customers to deposit bitcoin to then commingle funds with other users’ assets in a way that made it difficult for law enforcement or regulators to trace the transactions and its criminal customers’ identity.

ChipMixer had a clearnet web domain but operated primarily as a Tor hidden service, concealing the operating location of its servers to prevent seizure by law enforcement.

ChipMixer serviced many customers in the United States, but did not register with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and did not collect identifying information about its customers.

According to the complaint, between August 2017 and March 2023, ChipMixer processed:

  • $17 million in bitcoin for criminals connected to approximately 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt;
  • Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively;
  • More than $200 million in bitcoin associated either directly or through intermediaries with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market, the largest and longest running darknet market in the world until its April 2022 shutdown by U.S. and German law enforcement;
  • More than $35 million in bitcoin associated either directly or through intermediaries with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions; and
  • Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware, which was first disclosed in a joint cybersecurity advisory released by the FBI and National Security Agency in August 2020.

Prolific cryptocurrency mixer ChipMixer disabled

The FBI’s Legal Attaché in Germany, the HSI office in The Hague, the HSI Cyber Crimes Center, the Justice Department’s Office of International Affairs and National Cryptocurrency Enforcement Team, EUROPOL, the Polish Cyber Police (Centralnego Biura Zwalczania Cyberprzestępczości) and Zurich State Police (Kantonspolizei Zürich) provided assistance in this case.

Deputy Attorney General Lisa Monaco, said: “This morning, working with partners at home and abroad, the Department of Justice disabled a prolific cryptocurrency mixer, which has fueled ransomware attacks, state-sponsored crypto-heists and darknet purchases across the globe. Today’s coordinated operation reinforces our consistent message: we will use all of our authorities to protect victims and take the fight to our adversaries. Cybercrime seeks to exploit boundaries, but the Department of Justice’s network of alliances transcends borders and enables disruption of the criminal activity that jeopardizes our global cybersecurity.”

FBI Deputy Director Paul Abbate, said: “Today’s announcement demonstrates the FBI’s commitment to dismantling technical infrastructure that enables cyber criminals and nation-state actors to illegally launder cryptocurrency funds. We will not allow cyber criminals to hide behind keyboards nor evade the consequences of their illegal actions. Countering cybercrime requires the ultimate level of collaboration between and among all law enforcement partners. The FBI will continue to elevate those partnerships and leverage all available tools to identify, apprehend and hold accountable these bad actors and put an end to their illicit activity.”

U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania, said: “ChipMixer facilitated the laundering of cryptocurrency, specifically Bitcoin, on a vast international scale, abetting nefarious actors and criminals of all kinds in evading detection. Platforms like ChipMixer, which are designed to conceal the sources and destinations of staggering amounts of criminal proceeds, undermine the public’s confidence in cryptocurrencies and blockchain technology. We thank all our partners at home and abroad for their hard work in this case. Together, we cannot and will not allow criminals’ exploitation of technology to threaten our national and economic security.”

Special Agent in Charge Jacqueline Maguire of the FBI Philadelphia Field Office, commented: “Criminals have long sought to launder the proceeds of their illegal activity through various means. Technology has changed the game, though, with a site like ChipMixer and facilitator like Nguyen enabling bad actors to do so on a grand scale with ease. In response, the FBI continues to evolve in the ways we ‘follow the money’ of illegal enterprise, employing all the tools and techniques at our disposal and drawing on our strong partnerships at home and around the globe. As a result, there’s now one less option for criminals worldwide to launder their dirty money.”

Special Agent in Charge Scott Brown of Homeland Securities Investigations (HSI) Arizona, stated: “Together, with our international partners at HSI The Hague, we are firmly committed to identifying and investigating cyber criminals who pose a serious threat to our economic security by laundering billions of dollars’ worth of cryptocurrency under the misguided anonymity of the darknet. HSI Arizona could not be more proud to work alongside every agent involved in this complex international case. We thank all our domestic and international partners for their support.”

Read this next

Digital Assets

Masa Announces Comprehensive AI Developer Ecosystem with 13 Dynamic Partners Focused on Leveraging Decentralized Data and Large Language Models

In a groundbreaking development, Masa, the global leader in decentralized AI and Large Language Models (LLMs), proudly announces the launch of its AI Developer Ecosystem, partnering with 13 visionary projects.

Financewire

Kinesis Mint becomes the official partner for the House of Mandela

Kinesis Mint, the certified independent precious metals mint and refinery of Kinesis, the monetary system backed by 1:1 allocated gold and silver, has been appointed the exclusive coin producer for the House of Mandela.

Chainwire

Kadena Announces Annelise Osborne as Chief Business Officer

Kadena, the only scalable Layer-1 Proof-of-Work blockchain, expands its leadership team by onboarding Annelise Osborne as Kadena’s new Chief Business Officer (CBO).

Fintech

TNS brings full-stack market data management to EMEA

“We are also delighted to have Ben Myers join our London-based TNS Financial Markets team as Head of Strategic Sales for EMEA, to bolster our presence in the region.”

Chainwire

Velocity Labs and Ramp Network facilitate fiat to crypto onramp on Polkadot via Asset Hub support

Velocity Labs is proud to announce a fiat to crypto onramp using Ramp Network through the integration of Asset Hub. Through it, Ramp will be able to service any parachain in the Polkadot ecosystem.

Executive Moves

INFINOX hires Mayne Ayliffe as Global Head of HR

“I look forward to working with our teams around the world to develop a strategic HR agenda that supports high performance and is centred on human motivation.”

Fintech

Sterling to provide risk and margin support for fixed income

“Firms must have the tools to effectively manage their risk across all asset classes. As yields rise, we see more exposure from clients in the fixed income space. We understand their need to measure and mitigate risk in a highly regulated environment.”

Retail FX

FXOpen launches HK share CFDs: Tencent, Alibaba, Xiaomi, Baidu

Hong Kong share CFDs will be commission-free for a limited period of time.

Retail FX

IronFX Celebrates an Award-Winning Start to 2024 with a Series of Industry Recognitions

IronFX, a global leader in online trading, has embarked on 2024 with a spectacular display of accolades that highlight its commitment to excellence and innovation in the competitive financial services sector.

<