The Department of Justice today announced a coordinated international takedown of ChipMixer, a darknet cryptocurrency “mixing” service responsible for laundering more than $3 billion worth of cryptocurrency between 2017 and the present in connection with, among other activities, ransomware, the darknet market, fraud, cryptocurrency heists and other hacking schemes. The operation involved the court-authorized seizure by US federal law enforcement of two domains that directed users to the ChipMixer service and a GitHub account, as well as the seizure by the German Federal Criminal Police (the Bundeskriminalamt) of ChipMixer back-end servers and over $46 million in cryptocurrency.
Coinciding with ChipMixer’s takedown efforts, Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged today in Philadelphia with money laundering, operating an unlicensed money transfer business and impersonation, related to the operation of ChipMixer.
“This morning, in collaboration with domestic and foreign partners, the Department of Justice disabled a prolific cryptocurrency mixer, which has fueled ransomware attacks, state-sponsored burglaries, and darknet purchases across the world,” Deputy Attorney General Lisa Monaco said. “Today’s coordinated operation reinforces our consistent message: we will use all our authorities to protect victims and lead the fight against our adversaries. Cybercrime seeks to exploit borders, but the Department of Justice’s network of alliances transcends borders and helps disrupt criminal activity that threatens our global cybersecurity.”
“Today’s announcement demonstrates the FBI’s commitment to dismantling the technical infrastructure that allows cybercriminals and state actors to illegally launder cryptocurrency funds,” said FBI Deputy Director Paul Abbate. “We will not allow cybercriminals to hide behind keyboards or escape the consequences of their illegal actions. Fighting cybercrime requires the ultimate level of collaboration between and among all law enforcement partners. The FBI will continue to strengthen these partnerships and leverage all available tools to identify, apprehend, and hold these bad actors accountable and stop their illicit activities.”
According to court documents, ChipMixer – one of the mixers most widely used to launder criminal funds – allowed customers to deposit bitcoin, which ChipMixer then mixed with the bitcoin of other ChipMixer users, mixing funds in a way that made it difficult for law enforcement or regulators to trace transactions. As detailed in the complaint, ChipMixer offered numerous features to enhance the anonymity of its criminal clients. ChipMixer had a clearnet web domain but operated primarily as a hidden Tor service, hiding the operating location of its servers to prevent seizure by law enforcement. ChipMixer served many customers in the United States, but did not register with the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and did not collect identifying information about its customers.
As alleged in the complaint, ChipMixer has attracted a large criminal following and has become indispensable in concealing and laundering funds from multiple criminal schemes. Between August 2017 and March 2023, ChipMixer processed:
- $17 million in bitcoins for criminals connected to approximately 37 strains of ransomware, including Sodinokibi, Mamba, and Suncrypt;
- More than $700 million in bitcoins associated with wallets designated as stolen funds, including those linked to break-ins by North Korean cyber actors of Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively;
- Over $200 million in bitcoin associated directly or through intermediaries with darknet markets, including over $60 million in bitcoin processed on behalf of clients of Hydra Market, the largest and oldest darknet market in the world until closed in April 2022 by US and German law enforcement;
- Over $35 million in bitcoins associated directly or through intermediaries with “fraud stores,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials, and data stolen by intrusions on the network; and
- Bitcoin used by the Main Intelligence Directorate of the Russian General Staff (GRU), 85th Main Special Service Center, Military Unit 26165 (aka APT 28) to purchase the infrastructure for the Drovorub malware, which was leaked for the first time in a joint cybersecurity advisory issued by the FBI and National Security Agency in August 2020.
Beginning in and around August 2017, as alleged in the complaint, Nguyễn created and operated the online infrastructure used by ChipMixer and promoted ChipMixer’s services online. Nguyễn registered domain names, purchased hosting services, and paid for services used to run ChipMixer using identity theft, pseudonyms, and anonymous email providers. In online posts, Nguyễn publicly derided efforts to reduce money laundering, posting in reference to anti-money laundering (AML) and know-your-customer (KYC) legal requirements that “AML/KYC is selling to banks and governments”, advising customers “please do not use AML/KYC exchanges” and explaining how to use ChipMixer to evade reporting requirements.
“ChipMixer has facilitated the laundering of cryptocurrency, particularly Bitcoin, on a vast international scale, encouraging nefarious actors and criminals of all kinds to evade detection,” said US Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. “Platforms like ChipMixer, which are designed to conceal the sources and destinations of staggering amounts of criminal proceeds, undermine public trust in cryptocurrencies and blockchain technology. We thank all our partners at home and abroad for their hard work in this matter. Together, we cannot and will not allow the exploitation of technology by criminals to threaten our national and economic security.”
“Criminals have long sought to launder the proceeds of their illegal activity through a variety of means,” said Special Agent in Charge Jacqueline Maguire of the FBI’s Philadelphia field office. “Technology has changed the game, however, with a site like ChipMixer and an enabler like Nguyễn allowing bad actors to do it at scale with ease. In response, the FBI continues to evolve the way we ‘follow the money’ from illegal businesses, employing every tool and technique at our disposal and building on our strong partnerships at home and around the world. As a result, criminals around the world now have one less option to launder their dirty money.”
“Together with our international partners at HSI The Hague, we are firmly committed to identifying and investigating cybercriminals who pose a serious threat to our economic security by laundering billions of dollars worth of cryptocurrency under the false anonymity of the darknet,” said Special Agent in Charge Scott Brown of Homeland Security Investigations (HSI) Arizona. “HSI Arizona could not be prouder to work alongside all of the agents involved in this complex international case. We thank all our national and international partners for their support.”
Nguyễn is accused of operating an unlicensed money transfer business, money laundering and identity theft. If found guilty, he faces a maximum sentence of 40 years in prison.
The FBI, HSI Phoenix and HSI The Hague investigated the case.
The U.S. Attorney’s Office for the Eastern District of Pennsylvania is pursuing the case.
German law enforcement authorities took separate action today under their authority. The FBI Legal Attaché in Germany, the HSI Office in The Hague, the HSI Cyber Crimes Center, the Office of International Affairs and the National Cryptocurrency Enforcement Team of the Ministry of Justice, EUROPOL, the Polish cyberpolice (Centralnego Biura Zwalczania Cyberprzestępczości) and Zurich State Police (Kantonspolizei Zürich) provided assistance in this case.
To report information about ChipMixer and its operators, visit rfj.tips/Duhsup.
A criminal complaint is only an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in court.