Cybercriminals Increasingly Employ Crypto-Mixers to Launder Stolen Profits

Crypto-mixer services are set to grow as ransomware and other cybercriminal enterprises increasingly lean into cryptocurrency, new research shows.

4 Min Read
Bitcoins and code depicting cryptocurrency mining
Mykhailo Polenok / Alamy Stock Photo

Cryptocurrency mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — has become a common service used by cybercriminals and is expected to become even more popular as governments regulate cryptocurrency exchanges in the future, researchers say.

Threat intelligence firm Intel 471 warned in a new report that crypto-mixers have professional-looking sites, offer services in English and often Russian, and handle individual transactions up to hundreds of thousands, or even hundreds of millions, of dollars. One service processed more than 54 bitcoins, or about $3.4 million, in less than two months.

In addition, crypto-mixing providers have started partnering with ransomware-as-a-service (RaaS) gangs to split fees for any group that offers mixing as part of their ransomware service, suggesting the service will only become more popular.

Mixers have become prevalent to the point of becoming a common tool as cybercriminals look for additional anonymity to slow down any investigators and keep their identities private, says Greg Otto, a threat researcher at Intel 471.

"If your company works in the crypto space or wants to follow crypto as it's paid out in a ransom, it's worth paying attention to wallet addresses tied to crypto-mixers as a way to track funds," he says. "Again, cryptomixers by themselves aren't illegal, but [they] are becoming a tool that is used more and more by cybercriminals. Monitoring these mixers should be done by security teams and law enforcement investigators alike."

The emergence of cryptocurrency is a fundamental factor in the epidemic of ransomware that has plagued many countries, with payments from victims surging more than 300% in 2020 compared with the previous year, according to an analysis published in January. While most payments are routed through cryptocurrency exchanges — which allow users to turn Bitcoin or Ethereum into dollars, for example — mixers allow cybercriminal groups to make tracking the destination of a ransom payment more difficult. 

Using multiple transactions spread out over time can make it harder for investigators to follow the money trail.

Yet the volume of cryptomixing had actually declined as a tool in ransomware operations, accounting for less than 10% of funds transferred from ransomware wallets in the fourth quarter of 2020 and down from a peak of about 40% in the third quarter of 2019, according to blockchain-analysis firm Chainalysis. Moreover, ransomware makes up a small fraction of overall transfers to illicit addresses, with profits from scams — such as the $1.5 billion Finiko Ponzi scheme — comprising the majority of transaction volume to illicit addresses, according to Chainalysis.

In its research note, Intel 471 argued that the recent crackdown by law enforcement and international agencies on ransomware groups will mean that more operators will use cryptomixers and add them to their services, suggesting the trend will reverse.

"With RaaS groups wanting as many ways as possible to keep a low profile, some developers decided to integrate cryptocurrency mixing services in their administrative panel instead of relying on the web-based options," the company stated.

Mixed Data on Mixers
Chainalysis has not released its data for 2021, but the company estimates that the vast majority of transactions processed by crypto-mixers, also known as tumblers, in 2020 were not tied to cybercrime. Only about 8% of mixed transactions can be positively linked to illicit addresses, the company says. Instead, the majority of funds currently go through cryptocurrency exchanges, with 82% of all ransomware transactions transferred through five exchanges. 

The relatively small network of cybercriminals involved in ransomware, however, means there are certain weak points in the infrastructure that could be exploited by law enforcement. Only about 200 deposit addresses received 80% of funds linked to ransomware, Chainalysis said in its report.

"The ability to cash out ransomware proceeds is supported by the owners of a very small group of deposit addresses," the report stated. "By targeting those deposit addresses, cryptocurrency businesses and law enforcement can work together to reduce ransomware attackers' ability to turn their profits into cash."

Red Flag
Mixers are also not a foolproof way to anonymize transactions. Blockchain tracking tools are able to connect the dots and determine the destinations of a particular chain of transaction. Whether that money passes through a crypto-mixer does not make a difference if law enforcement can track it all the way to the suspect's wallet, Intel 471's Otto says.

"The moves by governments to make legitimate exchanges and services adhere to traditional anti-money-laundering rules like Know Your Customer [KYC]) separate legitimate uses from criminal ones," he says. "We don't see crypto-mixers attached to any legitimate services, so if investigators spot the use of one of the services, it becomes a red flag by default."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights