
ChipMixer laundromat was used by North Korean hackers and Russian military intelligence

North Korean hackers and Russian military agents were linked to the cryptocurrency "laundromat" taken down this week by US and European law enforcement agencies.

The effort to take down ChipMixer, which over five years laundered about €2.73BN in illicit gains, was led by German, Dutch, and US investigators.


The US Department of Justice has now linked the laundromat to state-backed hackers from North Korea and Russia.


ChipMixer accepted cryptocurrency from clients for a small fee and redistributed it across other addresses, making it harder for law enforcement to trace the illicit proceeds.


The DOJ has charged Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, with operating the service since 2017. All of ChipMixer's domains have been seized, along with about €44 million in cryptocurrency.


Europol has also connected the laundromat to the Lazarus Group, one of North Korea's most infamous hacking teams, which has been blamed for major crypto thefts. These include the 2022 hack of Harmony's Horizon Bridge, which cost about $100 million, and the breach of Axie Infinity's Ronin Bridge last year, in which $540 million was stolen.

Meanwhile, the US Department of Justice believes the Russian GRU intelligence service also used ChipMixer.


The Russian military intelligence agency's APT28 group, also known as Fancy Bear, was accused of having "used ChipMixer to obfuscate the origin of the funds that were used to purchase infrastructure for their ‘Drovorub’ malware" in a complaint against Nguyen that was submitted on Wednesday.


Drovorub was previously analyzed by the NSA (part of the Department of Defense) and the FBI, who described it as a Linux malware toolset whose kernel-module rootkit hides the implant so that an infected device can be surveilled over the long term. The Democratic National Committee (DNC), infamously compromised in the run-up to the 2016 election, is one of APT28's prior victims.


The FBI says it has linked $17 million in ransomware proceeds from 37 distinct groups to ChipMixer's services.


The mixer was used to launder more than $800,000 in bitcoin from the Sodinokibi ransomware strain, also known as REvil. That gang's most notorious attack came in July 2021, when it abused Kaseya's VSA remote-management software to compromise as many as 1,500 downstream firms and then demanded a $70 million ransom.


"ChipMixer facilitated the laundering of cryptocurrency, specifically bitcoin, on a vast international scale, abetting nefarious actors and criminals of all kinds in evading detection," according to U.S. attorney Jacqueline Romero. 


"We cannot and will not allow criminals’ exploitation of technology to threaten our national and economic security."


Authorities in Germany and the US said they had taken down the "laundromat" platform's infrastructure and seized about 1,909.4 bitcoin across 55 transactions, worth about €44.2 million.


According to Europol, ransomware operators including Zeppelin, SunCrypt, Mamba, Dharma and LockBit used ChipMixer to launder ransom payments.


Authorities were also investigating whether ChipMixer was used to launder some of the cryptocurrency assets taken from a major crypto exchange that collapsed into bankruptcy in 2022.


The operation also involved Belgium, Poland and Switzerland and resulted in the seizure of four servers. Police said the target was the bitcoin mixer ChipMixer, a well-known service in cybercrime circles.


ChipMixer, an unlicensed cryptocurrency mixer established in mid-2017, specialized in mixing funds to cut the on-chain trail of virtual currency assets.


Because the ChipMixer software obscured the blockchain trail of the funds, it was attractive to cybercriminals seeking to launder the proceeds of crimes such as drug and weapons trafficking, ransomware attacks, and payment card fraud.


Deposited funds were converted into "chips" (small tokens of equal value), which were then mixed together with everyone else's chips, obscuring the link back to the original source of the funds.
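To make the chip mechanism concrete, here is an added toy model of why fixed-denomination chips defeat the simplest tracing heuristic, matching withdrawal amounts to deposit amounts. This is illustrative code written for this article, not ChipMixer's software, and it assumes chip denominations that are powers of two from 0.001 to 8.192 BTC, a hypothetical naive mixer that takes a flat 1% fee for comparison, and three constructed deposits.

```python
# Toy model of the "chips" mechanism and of the amount-matching heuristic it
# defeats. Added illustration, not ChipMixer code.
# Assumptions: chip denominations are powers of two from 0.001 to 8.192 BTC;
# the naive comparison mixer takes a flat 1% fee; all deposits are constructed.

# Chip sizes in satoshis: 0.001 BTC * 2**i for i = 0..13 (assumed denominations).
CHIP_DENOMS_SAT = [100_000 * 2 ** i for i in range(14)]

# Constructed sample deposits (satoshis): 1.5, 0.375 and 8.2 BTC.
SAMPLE_DEPOSITS = {"A": 150_000_000, "B": 37_500_000, "C": 820_000_000}


def split_into_chips(amount_sat, denoms=CHIP_DENOMS_SAT):
    """Break a deposit into fixed-size chips, largest denomination first.

    Returns (chips, leftover). Anything smaller than the smallest chip cannot
    become a chip; it is modelled here as the operator's fee.
    """
    chips, remaining = [], amount_sat
    for d in sorted(denoms, reverse=True):
        count, remaining = divmod(remaining, d)
        chips.extend([d] * count)
    return chips, remaining


def passthrough_withdrawals(deposits, fee_bps=100):
    """Naive mixer: every deposit leaves as one payout minus a flat fee."""
    return [amt - amt * fee_bps // 10_000 for amt in deposits.values()]


def passthrough_candidates(deposits, withdrawals, fee_bps=100):
    """Amount matching against the naive mixer: for each payout, which deposits
    could have produced it? With distinct deposit sizes, exactly one."""
    net = {did: amt - amt * fee_bps // 10_000 for did, amt in deposits.items()}
    return {w: {did for did, n in net.items() if n == w} for w in withdrawals}


def chip_pool(deposits):
    """Pool the chips from every deposit; this is what an analyst sees leaving."""
    pool = []
    for amt in deposits.values():
        chips, _ = split_into_chips(amt)
        pool.extend(chips)
    return sorted(pool)


def chip_anonymity_sets(deposits):
    """Amount matching against the chip mixer: a withdrawn chip of size d is
    interchangeable with every other chip of size d, so the candidate set is
    every deposit large enough to have funded a chip of that size."""
    return {
        d: {did for did, amt in deposits.items() if amt >= d}
        for d in set(chip_pool(deposits))
    }


if __name__ == "__main__":
    linked = passthrough_candidates(
        SAMPLE_DEPOSITS, passthrough_withdrawals(SAMPLE_DEPOSITS)
    )
    print("pass-through mixer, candidates per payout:")
    for w, ids in linked.items():
        print(f"  {w / 1e8:.4f} BTC <- {sorted(ids)}")

    print("chip mixer, candidates per chip denomination:")
    for d, ids in sorted(chip_anonymity_sets(SAMPLE_DEPOSITS).items()):
        print(f"  {d / 1e8:.3f} BTC <- {sorted(ids)}")
```

The naive mixer is fully linkable: every payout matches exactly one deposit once the fee is accounted for. In the chip model the common small denominations could have come from any of the three deposits. Note the caveat the output also shows: a chip denomination that only one deposit in the pool could have funded (here the 8.192 BTC chip) still points straight back to that deposit, so the anonymity a mixer provides depends on how many comparable deposits share the pool, not on the mixing step alone.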


"Platform #ChipMixer was a central hub for crypto money flows, for example from online extortion using #Ransomware. We estimate the turnover of this criminal platform since its inception in 2017 at around €2.8BN," stated Carsten Meywirth, Director at the Cyberdivision of the Bundeskriminalamt.


"At the same time, we were able to identify the alleged operator of the platform. From now on, there will be an international and public search for him. Our mission does not end until the handcuffs click. We also expect new investigative approaches from the evaluation of the 7 terabytes of data, which were also confiscated. We follow the trail of money, including to the users of the obfuscation service."


"With today’s (Wed) seizure, the #BKA has once again significantly exceeded its own record (then around 23 million euros) in the seizure of the #HydraMarket in the previous year."


"Our thanks for the excellent cooperation go to our partners in the United States. In the investigation, the BKA cooperated closely with the U.S. Department of Justice, the FBI Cyber Division (FO Philadelphia), Homeland Security Investigations Phoenix and Europol," he added.


ChipMixer promised its customers complete anonymity and was reachable on both the clear web and the dark web. Services of this kind are typically used before criminals move their laundered cryptocurrency to exchanges, some of which also work on behalf of organized crime gangs.


Because of this, Europol's statement continued, the service was "attractive for cybercriminals looking to launder illegal proceeds from criminal activities" such as drug and weapons trafficking, ransomware attacks, and payment card fraud.


After this process, the "cleaned" cryptocurrency can easily be exchanged for other cryptocurrencies or for fiat money via ATMs or bank accounts.


National authorities "took down the infrastructure of the platform for its alleged involvement in money laundering activities," according to a statement from Europol.

By fLEXI tEAM
