December 9, 2022

The use of crypto mixers has risen to record levels, with significant involvement of states and cybercriminals.

Mixers are a convenient tool for cybercriminals, one way or another connected with cryptocurrencies, and therefore one of the most important types of cryptocurrency services for (research) researchers and specialists in compliance. direct assignment mixers — increasing the privacy of cryptocurrency transactions, but they can also be used to hide the source of funds and, for lack of a better word, to “fool” blockchain analysts.

The reasons for such desires are not necessarilyassociated with breaking the law. Financial privacy is important, especially for those who live in countries with authoritarian governments or for some other reason need the ability to confidentially conduct legitimate transactions. However, the basic functionality of mixers, and the fact that such services rarely (if ever) ask users for personal data (KYC), naturally makes them attractive to cybercriminals. Almost 10% of all cryptocurrency transfers from criminal addresses go to mixers, and no other type of service exceeds 0.3% of the share of mixers.

Shares of various types of senders in the total volume of cryptocurrencies sent to mixers

Mixers run the risk of becoming obsolete soon,as blockchain analytics companies continue to develop the ability to demix certain transactions and determine the original source of funds. But for now, our data shows that mixers are receiving more cryptocurrencies in 2022 than ever before.

Total daily volume of incoming cryptocurrency transfers of mixers, 30-day moving average

The total volume of cryptocurrencies received by mixersvaries greatly from day to day, but on April 19, the 30-day moving average reached an all-time high of $51.8 million, about double the figure for the same period in 2021. Below, Chainalysis explains the reasons behind the rise in the use of cryptocurrency mixers and what this means for law enforcement and compliance professionals.

How mixers work

Mixers create a gap between cryptocurrenciesfunds entered into them by users and what they withdraw from the service, making it difficult to track the flow of funds. This is achieved by pooling funds received from many users and randomly mixing these "coins" together. Users receive the equivalent amount from the mixed pool minus a small service fee. Some mixers make tracking even more difficult by allowing users to receive different amounts to different addresses and at different times. Others try to hide the very fact of using the mixer by changing the commission for each transaction and / or varying the types of deposit addresses. This may throw off at least some of the researchers who are unable to identify such mixers.

Various types of mixers

Most mixers fall into one of the following three categories.

  • Centralized mixers. Centralized mixers simply sendthe equivalent amount of cryptocurrencies, minus the service fee, to the addresses specified by users or provided in advance by the mixer. This means that there is no definitive link between the “coins” sent and received by the user, but since the mixer itself is a centralized and custodial service, its operators have the ability to store the data necessary to restore such links, which is a risk to users.
  • CoinJoin mixers. CoinJoin transactions are a tactic usedmixers, including wallets with built-in mixing capabilities, in which a group of users send their coins in a series of transactions and receive back an equivalent amount from the mixed coins of other participants. Unlike centralized services, CoinJoin mixers are not custodial, meaning they do not receive the mixed coins at all to their wallets.
  • Mixing smart contracts. Like CoinJoin mixers, mixers based onsmart contracts are non-custodial. However, unlike CoinJoin mixers, smart contracts can receive and send user funds in many transactions. Instead, after sending coins to the mixer's smart contract, users receive a cryptographic message confirming that they have made a deposit. The user can then send a transaction to the mixer from another address using this digital "receipt" to withdraw funds to the new address. It is important that this cryptographic "receipt" is valid indefinitely: the user can withdraw the mixed funds whenever he wants. Mixer smart contracts also work with service providers called relayers who can provide the ETH needed to pay the fee for a withdrawal transaction from the mixer, ensuring that the user can withdraw funds to a new address that has no transaction history or interaction with other services.

(For anyone who is seriously interested in the topic of mixing methods, we suggest that you refer to the article Classification and evaluation of mixing methods.)

Mixers have one key vulnerability:large transactions make them inefficient. Since users receive a "mix" of coins contributed by other users, if one user contributes significantly more than the rest by "flooding" the mixer with their funds, then most of what he will receive as a result will consist of the same funds that he originally invested, which allows you to track the coins to the source. In other words, mixers work best if they have a large number of users, all of whom are mixing comparable amounts of cryptocurrencies.

Are mixers legal?

Despite its usefulness to criminals,mixers in and of themselves are not illegal. However, in the US, the Financial Crime Investigation Network (FinCEN) has clarified that mixers are senders of money under the Bank Secrecy Act (BSA). Therefore, they are required to register with FinCEN, develop, implement and maintain an anti-money laundering compliance program and comply with applicable reporting and record keeping requirements. In 2020 FinCEN fined bitcoin mixer operator Helix and Coin Ninja for operating unregistered cash settlement businesses, and in 2021 the Justice Department arrested Bitcoin operator Fog and charged him with money laundering and operating an unlicensed money transfer business.

To date, we do not know mixers,that would comply with procedures related to KYC, verification of sources of funds and other basic rules for identifying customers, as well as due diligence, which companies "providing cash and settlement services" in most jurisdictions must comply with. Given that increasing privacy is the whole point of using mixers, it seems unlikely that you can implement these compliance procedures while maintaining your user base.

What is the reason for the rise in the use of mixers?

Quarterly usage of mixers has grown significantly since 2020, and although this growth has somewhat leveled off in 2022, the current numbers are still close to all-time highs.

Quarterly volumes of cryptocurrencies received by mixers by source type

As can be seen from the diagram, the increase occurs inprimarily due to the growth of transfers from centralized exchanges, DeFi protocols and, importantly, from addresses associated with illegal activities. The volume of transfers from DeFi protocols in particular has increased not only in terms of absolute value, but their share of the total incoming transfer volume of cryptocurrency mixers has also increased, which makes sense as this growth coincides with the increasing popularity and weight of DeFi in the overall cryptocurrency ecosystem.

It is more interesting to see the growth of transfer to mixers withcriminal cryptocurrency addresses. Criminal addresses are responsible for 23% of mixers’ incoming cryptocurrency transfers YTD, up from 12% in 2021. The diagram below shows this volume broken down by type of illegal activity with which these criminal addresses are associated.

Quarterly volumes of criminal cryptocurrency transfers to mixers, broken down by address categories

Note:The Sanctions category in the diagram above includes transfers from addresses that would have been in a different category prior to the imposition of sanctions. For example, Hydra is a darknet market that was sanctioned in the first quarter of 2022, and now all of its volumes from previous years fell into the Sanctions category.

What stands out the most is the huge volumesfunds directed to mixers by entities under sanctions, especially in the second quarter of 2022. It is shown below how these volumes have been distributed by specific subjects since the beginning of the current year.

Top senders to mixers among sanctioned entities in 2022

Russian darknet market Hydra, which fell undersanctions in April this year, leading the way in this category with more than 50% of the total. It's important to note here that drug sales aren't the only reason OFAC (the US Treasury Department's Office of Foreign Assets Control) decided to tackle Hydra. U.S. Department of Justice officials clarified that Hydra played a significant role in laundering funds from other darknet markets, cryptocurrency thefts, and ransomware. Hydra offered its own mixer-like services and facilitated the sale of stolen data and hacking tools used in cyberattacks. Given Russia's huge role in global cybercrime and the connections of some of these cybercriminal groups to Russian intelligence agencies, increasing the transfer of funds from services like Hydra to mixers could have national security implications.

Almost the entire rest of the transfer fromThe entities under sanctions against mixers come from two groups associated with the North Korean government: Lazarus Group and Blender.io. The Lazarus Group is a cybercriminal syndicate responsible for several cryptocurrency hacks on behalf of the North Korean government and, along with groups associated with it, remains extremely active today. In 2022, hackers linked to the North Korean government are believed to have already stolen over $1 billion worth of cryptocurrencies, mostly from DeFi protocols. Blender.io, on the other hand, was the first ever mixer to be sanctioned this year for its role in laundering funds stolen by the Lazarus Group and other North Korean-linked groups. Any funds he sends to other mixers may be related to the continuation of this activity.

In general, if we label cybercriminalsorganizations with known links to the governments of certain countries, it is clear that these groups make up a significant and growing share in the total amount of criminal cryptocurrency transfer to mixers.

Quarterly volumes of criminal cryptocurrency transfers to mixers, broken down by type of source

Note: A relationship between transaction volumes and individual countries has not been established unless otherwise noted.

Funds sent to mixers by cybercriminal groups linked to Russia and especially North Korea in 2021 and 2022 increased sharply.

Balance between privacy and security

The role of mixers is a difficult and debatable issuefor regulators and members of the crypto community. Almost everyone would probably agree that financial privacy is important and that there is no reason “in a vacuum” why services like mixers can't provide it. However, data shows that mixers currently carry significant money laundering risks, as 25% of incoming crypto transfers come from criminal addresses, and that cybercriminals associated with some of the most aggressive governments are actively using such services.