Security Boulevard (Original)

Cryptomixers Enable Ransomware Payment Laundering

While cryptomixers aren’t illegal in and of themselves, they have become “a linchpin in ransomware schemes,” according to a report from Intel 471.

As the name implies, cryptomixers, typically standalone services, mix streams of identifiable cryptocurrency to add anonymity to transactions. “They often use anonymous means of communication and do not keep logs of customer transactions,” researchers at Intel 471 wrote in a blog post.

But “actors all over the world have leveraged this technology’s increased anonymity to buy and sell illegal goods, services, stolen data, underground infrastructure and force victims to pay ransom,” the Intel 471 researchers said. “While blockchain analysis enables researchers and law enforcement to glean information from illicit transactions, criminals have countered by adopting the use of cryptomixers to obscure their transactions and further complicate investigations.”

Cryptomixers allow miscreants to cash out and keep “the criminal underground liquid through the trade of illicit goods and services,” they said.

Threat actors use mixers to send Bitcoin or some other cryptocurrency to a wallet address owned by a mixing service operator, where it is pooled with the service’s own cryptocurrency and that of other cybercriminals. “The initial threat actor’s cryptocurrency joins the back of the ‘chain’ and the threat actor receives a unique reference number known as a ‘mixing code’ for deposited funds,” the researchers wrote. “This code ensures the actor does not get back their own ‘dirty’ funds that theoretically could be linked to their operations.”

Then, the threat actor gets “the same sum of bitcoins from the mixer’s pool, muddled using the service’s proprietary algorithm, minus a service fee,” they explained. “For added anonymity, the threat actor can choose to send this new ‘clean’ sum of bitcoins to numerous wallet addresses to further obfuscate the trail of the illicit funds,” hampering law enforcement’s attempts “to associate the original ‘dirty’ crypt.”
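The pooling and split-payout steps described above, and the "red flag" rule an investigator applies when funds reach a known mixer address, as an added example (not Intel 471's code or data): a forward trace over a constructed sample ledger stops and flags at the pool, and a second helper shows why attribution past the pool is ambiguous. The ledger, the mixer watchlist and the address names are all constructed here.

```python
from collections import defaultdict, deque

# Constructed sample ledger, not real chain data. Each transaction spends from
# its inputs and pays to its outputs as (address, amount) pairs.
TXS = [
    {"id": "tx1", "inputs": [("victim", 5.0)], "outputs": [("ransom_wallet", 5.0)]},
    {"id": "tx2", "inputs": [("ransom_wallet", 5.0)], "outputs": [("mixer_pool", 5.0)]},
    {"id": "tx3", "inputs": [("other_depositor", 3.0)], "outputs": [("mixer_pool", 3.0)]},
    # The pool pays out to several fresh addresses, minus the service fee.
    {"id": "tx4", "inputs": [("mixer_pool", 8.0)],
     "outputs": [("out_a", 2.4), ("out_b", 2.5), ("out_c", 3.0)]},
]
KNOWN_MIXERS = {"mixer_pool"}  # hypothetical watchlist of mixer deposit addresses


def trace_funds(seed, txs=TXS, mixers=KNOWN_MIXERS):
    """Follow spends forward from `seed`, stopping and flagging at a mixer address."""
    spends = defaultdict(list)
    for tx in txs:
        for addr, _ in tx["inputs"]:
            spends[addr].append(tx)
    reached, flags, seen, queue = [], [], {seed}, deque([seed])
    while queue:
        addr = queue.popleft()
        for tx in spends[addr]:
            for out_addr, amount in tx["outputs"]:
                if out_addr in mixers:
                    flags.append((tx["id"], addr, out_addr, amount))
                    continue  # trail ends here: beyond the pool, attribution is guesswork
                if out_addr not in seen:
                    seen.add(out_addr)
                    reached.append(out_addr)
                    queue.append(out_addr)
    return {"reached": reached, "mixer_flags": flags}


def pool_ambiguity(pool, txs=TXS):
    """Count depositors into and payouts out of a pool, plus the fee the pool kept."""
    depositors, payouts, total_in, total_out = set(), set(), 0.0, 0.0
    for tx in txs:
        for out_addr, amount in tx["outputs"]:
            if out_addr == pool:
                depositors.update(a for a, _ in tx["inputs"])
                total_in += amount
        if any(a == pool for a, _ in tx["inputs"]):
            payouts.update(a for a, _ in tx["outputs"])
            total_out += sum(amt for _, amt in tx["outputs"])
    return len(depositors), len(payouts), round(total_in - total_out, 8)
```

With two depositors feeding three payouts of altered amounts, no output can be tied to the ransom deposit by amount alone, which is why the trace reports the pool entry itself as the finding.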

Understanding how mixing services work and how underground actors use them can help law enforcement and others understand how cybercriminals launder money.

“It’s important to understand how all facets of a ransomware operation work if civil society is to stop the losses inflicted by these schemes,” Intel 471 said.

Intel 471 observed popular mixers like Absolutio, AudiA6, Blender and Mix-btc, noting that all were well-established on several well-known cybercrime forums. “All of the mixers had professional-looking sites, likely serving as an attempt to make their operations appear more legitimate and attract a wider range of clients,” the researchers wrote. “None of the providers advertised their roles in money laundering, instead preferring to suggest their sites serve businesses using cryptocurrencies and individuals interested in protecting their privacy.”

Some of the cryptomixer services let users select a “dynamic” service fee, which, the researchers said, “is most likely done to complicate investigations into illicit cryptocurrency funds by altering the amount being laundered at different stages of the process, making it more difficult to tie the funds to a specific crime or individual.”

Cryptomixers are becoming more prevalent. “Given that all four of the mixers mentioned in the blog run ads on several popular cybercrime underground forums, we are confident in saying mixers are prevalent to the point of being a common tool,” said Greg Otto, a researcher at Intel 471. “Cryptocurrency gives cybercriminals a layer of anonymity, so adding another layer with the use of cryptomixers is something that cybercriminals will look to use whenever possible.”

The rise of the cryptomixer among criminals has prompted law enforcement to push “for crypto exchanges to incorporate financial compliance laws into their operations,” the researchers said.

“At this point, it’s tough to curb actual use of cryptomixers. Cryptomixers, by themselves, are not illegal,” Otto said. “However, the moves by governments to make legitimate exchanges and services adhere to traditional anti-money-laundering rules like KYC separate legitimate uses from criminal ones.”

He explained, “We don’t see cryptomixers attached to any legitimate services, so if investigators spot the use of one of the services, it becomes a red flag by default.”

Teri Robinson

