Mixers are a convenient tool for cybercriminals who are in some way involved with cryptocurrencies, and are therefore one of the most important types of cryptocurrency services for investigators and compliance specialists. The direct purpose of mixers is to increase the privacy of cryptocurrency transactions, but they can also be used to hide the source of funds and, for lack of a better word, to "fool" blockchain analysts.
The reasons for wanting this are not necessarily associated with breaking the law. Financial privacy is important, especially for those who live in countries with authoritarian governments or who for some other reason need to conduct legitimate transactions confidentially. However, the basic functionality of mixers, and the fact that such services rarely (if ever) ask users for personal data (KYC), naturally makes them attractive to cybercriminals. Almost 10% of all cryptocurrency transfers from criminal addresses go to mixers; for no other type of service does the share sent to mixers exceed 0.3%.
Mixers run the risk of becoming obsolete soon, as blockchain analytics companies continue to develop the ability to demix certain transactions and determine the original source of funds. But for now, our data shows that mixers are receiving more cryptocurrencies in 2022 than ever before.
The total amount of cryptocurrencies received by mixers varies widely from day to day, but on April 19 the 30-day moving average hit an all-time high of $51.8 million, roughly double the level for the same period in 2021. Below, Chainalysis discusses the reasons behind the rise in the use of cryptocurrency mixers and what this means for law enforcement and compliance professionals.
How mixers work
Mixers create a gap between the cryptocurrency funds that users deposit and the funds they withdraw from the service, making it difficult to track the flow of funds. This is achieved by pooling funds received from many users and randomly mixing these "coins" together. Users receive the equivalent amount from the mixed pool minus a small service fee. Some mixers make tracking even more difficult by allowing users to receive different amounts to different addresses and at different times. Others try to hide the very fact that a mixer was used by changing the commission for each transaction and/or varying the types of deposit addresses. This may throw off at least some researchers, who are unable to identify such mixers.
Various types of mixers
Most mixers fall into one of the following three categories.
- Centralized mixers. Centralized mixers simply send an equivalent amount of cryptocurrencies, minus the service commission, to the addresses specified by users or provided in advance by the mixer. This means there is no defining connection between the “coins” a user sends and receives, but since the mixer itself is a centralized and custodial service, its operators have the ability to store the data needed to re-establish such connections, which is a risk for users.
- CoinJoin mixers. CoinJoin transactions are a tactic used by mixers, including wallets with built-in mixing capabilities, in which a group of users send their coins in a series of transactions and receive back an equivalent amount from the mixed coins of the remaining participants. Unlike centralized services, CoinJoin mixers are not custodial, meaning they do not receive mixed coins into their wallets at all.
- Mixing smart contracts. Like CoinJoin mixers, mixers based on smart contracts are non-custodial. However, unlike CoinJoin mixers, smart contracts can receive and send user funds across multiple transactions: after sending coins to the mixer's smart contract, users receive a cryptographic message confirming that the deposit has been made. The user can then send a transaction to the mixer from a different address, using this digital “receipt” to withdraw funds to the new address. Importantly, this cryptographic “receipt” does not expire: the user can withdraw the mixed funds whenever they want. Mixer smart contracts also work with service providers called relayers, who can provide the ETH needed to pay the mixer withdrawal transaction fee, ensuring that the user can withdraw funds to a new address that has no transaction history or interaction with other services.
(For anyone who is seriously interested in the topic of mixing methods, we suggest that you refer to the article "Classification and evaluation of mixing methods".)
Mixers have one key vulnerability: large transactions make them ineffective. Since users receive a "mix" of coins contributed by other users, if one user contributes significantly more than the rest, "flooding" the mixer with their funds, then most of what they receive back will consist of the same funds they originally put in, which makes it possible to trace the coins to their source. In other words, mixers work best if they have a large number of users, all of whom are mixing comparable amounts of cryptocurrencies.
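The dilution argument above can be checked numerically. The following is an added example, not code from the original article: it models the pool as equal-value unit coins drawn uniformly at random, and the pool contents, depositor labels, 1% fee and the one-half threshold are all constructed assumptions.

```python
"""Why one oversized deposit defeats pooled mixing (constructed model, not real data)."""
import random
from fractions import Fraction

# Constructed pools of equal-value unit "coins", keyed by hypothetical depositor labels.
BALANCED = {f"user{i:02d}": 5 for i in range(20)}                    # 20 equal deposits
FLOODED = {**{f"user{i:02d}": 5 for i in range(19)}, "whale": 855}   # one dominant deposit


def expected_self_share(deposits, user):
    """Expected fraction of `user`'s payout that is their own coins under uniform mixing."""
    return Fraction(deposits[user], sum(deposits.values()))


def simulate_self_share(deposits, user, fee_pct=1, trials=500, seed=7):
    """Monte Carlo check: draw the payout at random from the pool, count own coins."""
    rng = random.Random(seed)
    pool = [owner for owner, amount in deposits.items() for _ in range(amount)]
    payout = deposits[user] * (100 - fee_pct) // 100   # deposit minus service fee
    own = sum(
        sum(1 for owner in rng.sample(pool, payout) if owner == user)
        for _ in range(trials)
    )
    return own / (trials * payout)


def dominant_depositors(deposits, threshold=Fraction(1, 2)):
    """Depositors whose pool share exceeds `threshold`; their outputs stay traceable."""
    total = sum(deposits.values())
    return sorted(u for u, amt in deposits.items() if Fraction(amt, total) > threshold)


if __name__ == "__main__":
    for name, pool, user in (("balanced", BALANCED, "user00"), ("flooded", FLOODED, "whale")):
        print(name, user, float(expected_self_share(pool, user)),
              round(simulate_self_share(pool, user), 3), dominant_depositors(pool))
```

In the balanced pool a participant's payout is about 5% their own coins; in the flooded pool the large depositor's payout is about 90% their own coins, which is the traceability the paragraph describes.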
Are mixers legal?
Despite their usefulness to criminals, mixers in and of themselves are not illegal. However, in the US, the Financial Crimes Enforcement Network (FinCEN) has clarified that mixers are money transmitters under the Bank Secrecy Act (BSA). Therefore, they are required to register with FinCEN, to develop, implement and maintain an anti-money laundering compliance program, and to comply with applicable reporting and record keeping requirements. In 2020 FinCEN fined the operator of the bitcoin mixers Helix and Coin Ninja for operating unregistered money services businesses, and in 2021 the Justice Department arrested the operator of Bitcoin Fog and charged him with money laundering and operating an unlicensed money transfer business.
To date, we do not know of any mixers that comply with procedures related to KYC, verification of sources of funds and other basic rules for identifying customers, as well as due diligence, which companies "providing cash and settlement services" must follow in most jurisdictions. Given that increasing privacy is the whole point of using mixers, it seems unlikely that a mixer could implement these compliance procedures while maintaining its user base.
What is the reason for the rise in the use of mixers?
Quarterly usage of mixers has grown significantly since 2020, and although this growth has somewhat leveled off in 2022, the current numbers are still close to all-time highs.
As can be seen from the diagram, the increase is primarily due to the growth of transfers from centralized exchanges, DeFi protocols and, importantly, from addresses associated with illegal activities. The volume of transfers from DeFi protocols in particular has increased not only in absolute terms; its share of the total incoming transfer volume of cryptocurrency mixers has also increased, which makes sense, as this growth coincides with the increasing popularity and weight of DeFi in the overall cryptocurrency ecosystem.
More interesting is the growth of transfers to mixers from criminal cryptocurrency addresses. Criminal addresses are responsible for 23% of mixers’ incoming cryptocurrency transfers YTD, up from 12% in 2021. The diagram below shows this volume broken down by the type of illegal activity with which these criminal addresses are associated.
Note: The Sanctions category in the diagram above also includes transfers from addresses that would have been classified in a different category before the sanctions were introduced. For example, Hydra is a darknet market that was sanctioned in the first quarter of 2022, and now all its volumes for previous years are included in the Sanctions category.
What stands out most is the sheer volume of funds sent to mixers by sanctioned entities, especially in the second quarter of 2022. Shown below is how these volumes have been distributed among specific entities since the beginning of this year.
The Russian darknet market Hydra, which fell under sanctions in April this year, leads the way in this category with more than 50% of the total. It's important to note here that drug sales aren't the only reason OFAC (the US Treasury Department's Office of Foreign Assets Control) decided to tackle Hydra. U.S. Department of Justice officials clarified that Hydra played a significant role in laundering funds from other darknet markets, cryptocurrency thefts, and ransomware. Hydra offered its own mixer-like services and facilitated the sale of stolen data and hacking tools used in cyberattacks. Given Russia's huge role in global cybercrime and the connections of some of these cybercriminal groups to Russian intelligence agencies, an increase in transfers of funds from services like Hydra to mixers could have national security implications.
Almost the entire remaining volume of transfers from sanctioned entities to mixers comes from two groups associated with the North Korean government: Lazarus Group and Blender.io. The Lazarus Group is a cybercrime syndicate responsible for several cryptocurrency hacks on behalf of the North Korean government and, along with associated groups, remains extremely active today. In 2022, hackers linked to the North Korean government are believed to have already stolen more than $1 billion worth of cryptocurrencies, mostly from DeFi protocols. Blender.io, on the other hand, became the first ever mixer to be sanctioned this year due to its role in laundering funds stolen by the Lazarus Group and other North Korea-linked groups. Any funds it sent to other mixers may be related to the continuation of this activity.
In general, if we label the cybercriminal organizations with known links to the governments of certain countries, it is clear that these groups make up a significant and growing share of the total amount of criminal cryptocurrency transfers to mixers.
Note: A relationship between transaction volumes and individual countries has not been established unless otherwise noted.
Funds sent to mixers by cybercriminal groups linked to Russia and especially North Korea in 2021 and 2022 increased sharply.
Balance between privacy and security
The role of mixers is a difficult and debatable issue for regulators and members of the crypto community. Almost everyone would probably agree that financial privacy is important and that there is no reason “in a vacuum” why services like mixers can't provide it. However, data shows that mixers currently carry significant money laundering risks, as 25% of incoming crypto transfers come from criminal addresses, and that cybercriminals associated with some of the most aggressive governments are actively using such services.