Anti-Money Laundering (AML) , Blockchain & Cryptocurrency , Cryptocurrency Fraud
Money Laundering Cryptomixer Services Market to Criminals
Services Offering to 'Clean' Cryptocurrency Are Widespread on Cybercrime ForumsCryptocurrency-using criminals continue to rely on services designed to launder their virtual currency to give them "clean coins" that are tougher for law enforcement agencies to trace.
See Also: Mitigating Identity Risks, Lateral Movement and Privilege Escalation
These money laundering services, providing what's called mixing, tumbling or churning, have long been offered via cybercrime-as-a-service providers.
Service operators take a cut of every transaction, and the process typically takes time - often days. In return, they offer anonymity for users in multiple forms, with many promising to never retain logs of transactions, says threat intelligence firm Intel 471.
The underlying approach is simple: Mix together bitcoins from different sources to obfuscate their origin, then return the funds - minus a commission - to the customer.
Here's how it functions in greater detail: "Mixers work by allowing threat actors to send a sum of cryptocurrency - usually bitcoin - to a wallet address the mixing service operator owns. This sum joins a pool of the service provider's own bitcoins, as well as other cybercriminals using the service," Intel 471 says in a new report.
"The initial threat actor's cryptocurrency joins the back of the 'chain' and the threat actor receives a unique reference number known as a 'mixing code' for deposited funds," the company says. "This code ensures the actor does not get back their own 'dirty' funds that theoretically could be linked to their operations. The threat actor then receives the same sum of bitcoins from the mixer's pool, muddled using the service's proprietary algorithm, minus a service fee."
As a further anonymity boost, clean bitcoins can be routed to additional cryptocurrency wallets to make the connections with dirty bitcoins even more difficult for law enforcement authorities to track, Intel 471 says.
The company says there appear to be four especially popular cyptomixers, which charge widely varying commissions: Absolutio - 1% to 30%, AudiA6 - 3% to 5.5%, Blender - 0.6% to 2.5%, and Mix-btc - 3% to 5.5%. Most offer both Tor-based and clear website versions, as well as both Russian- and English-language versions of their sites. The amount of cryptocurrency they'll mix at any given time also varies, with a maximum of 2 bitcoins at Absolutio on the low end and up to 2,600 bitcoins at Blender.
Such services have been available since at least 2014, but continue to evolve, not least in their advertising, Greg Otto, a researcher at Intel 471, tells Information Security Media Group. "The thing that pops out is the multiple advertisements that sit on forums populated by cybercriminals," he says. "These services know who would benefit from cryptomixers, so they go to where their 'customers' are."
Some services only support bitcoin, but others will mix newer virtual currencies such as bitcoin cash, ethereum and litecoin. If monero and zcash are notably absent from that list, it's because experts say these two more privacy-preserving cryptocurrencies are already built to make them tough to track. Even so, some apparently scam cryptomixers that offer to mix monero regularly crop up.
Ransomware Portal Feature
Some cryptomixers have become closely tied to ransomware-as-a-service operations. In this approach to profiting from ransomware, the administrators or operators of a ransomware-as-a-service group will build and maintain crypto-locking malware, as well as a portal via which business partners can download a copy of the ransomware. These affiliates use the malware to infect victims and receive an agreed cut of every ransom that gets paid, which will be in cryptocurrency.
Of course, affiliates might then want to launder their virtual currency.
To give affiliates easier access to mixers, Intel 471 says the ransomware-as-a-service groups Avaddon, which is now defunct; DarkSide, which rebranded as BlackMatter; and REvil, aka Sodinokibi, which is currently offline; all added direct access via their affiliate portals to a relatively new cryptocurrency mixer called BitMix.
This turns out to also have been a money-making exercise for ransomware groups, since BitMix runs a partner program that splits commissions with the referring partner. "With BitMix commissions reaching as much as 4%, the affiliate program presents an appealing prospect to RaaS groups," Intel 471 says.
Law Enforcement Target
As with all aspects of the cybercrime service economy, and especially anything used to launder money, law enforcement agencies regularly target mixers, which have been tied not just to cybercrime operations, but also to hack attacks waged on behalf of North Korea, drug cartels and other types of organized crime.
Not all such services have been based beyond U.S. reach. In August, for example, Larry Dean Harmon of Akron, Ohio, pleaded guilty to running the well-known Helix and Coin Ninja cryptomixing services.
Harmon had been hit with a variety of charges and was fined $60 million by the U.S. Treasury Department's Financial Crimes Enforcement Network for violating anti-money laundering laws. He also agreed to forfeit 4,400 bitcoins, which in August were worth $200 million.
Federal prosecutors alleged that Helix was used to launder more than 350,000 bitcoins - worth over $300 million at the time - in criminal profits from 2014 to 2017, including for darknet marketplaces such as AlphaBay, Evolution and Cloud 9.
The indictment against Harmon, unsealed in February 2020, was dated May 7, 2019, which is two years after the period of the alleged activity. As that lag makes clear, building such cases can take time.
Services and operators based in some other jurisdictions - such as Russia - that won't extradite suspects based on foreign charges can make takedowns or arrests very difficult.
"Since they are all web-based, either Tor or the clear web, it's on the level of taking down a ransomware name-and-shame blog. It can be done, but a law enforcement operation would need to go through similar actions and channels," Intel 471's Otto says.
But there's one benefit for law enforcement agencies: A blockchain ledger is immutable. Evidence gathered well after the fact might be able to break cases. "The fact that all of these transactions are still on the public blockchains, there is a layer of transparency built in that gives investigators a leg up in tracking where the money ultimately ends up," Otto says.