Mixers are a go-to tool for cybercriminals dealing in cryptocurrency, and therefore one of the most important types of cryptocurrency services for investigators and compliance professionals to understand. Mixers are designed to provide more privacy in cryptocurrency transactions, but may also be used to obfuscate the source of funds, and, for lack of a better word, “fool” blockchain investigators.
To be clear, there are legitimate reasons one would want to do this. Financial privacy is important, especially to people living under oppressive governments or who otherwise need the ability to make legal transactions anonymously. However, mixers’ core functionality, combined with the fact that mixers rarely if ever ask for KYC information, makes them naturally attractive to cybercriminals. In fact, nearly 10% of all funds sent from illicit addresses are sent to mixers — no other service type sent more than 0.3% of its funds to mixers.
Mixers may soon become obsolete as Chainalysis continues to refine the ability to demix certain mixing transactions and see users’ original source of funds. But for the time being, our data shows that mixers are receiving more cryptocurrency than ever in 2022.
While value received by mixers fluctuates significantly day-to-day, the 30-day moving average reached an all-time high of $51.8 million worth of cryptocurrency on April 19, 2022, roughly doubling incoming volumes at the same point in 2021. Below, we’ll dive into who’s driving increased mixer usage and what it means for law enforcement and compliance pros.
How mixers work
Mixers create a disconnect between the cryptocurrency funds that users deposit and what they withdraw, making it more difficult to trace the flow of funds. They do this by pooling together funds deposited by many users and mixing them together at random. Users can then receive funds back from the now-jumbled pool equivalent to what they put in, minus a small service fee. Some mixers make funds even more difficult to track by letting users receive different-sized chunks of funds at different addresses at staggered times. Others try to obfuscate the fact that a mixer is even being used by changing the fee on each transaction or varying the type of deposit address used.
Different types of mixers
Most mixers fit into one of the following three categories.
- Centralized mixers. Centralized mixers simply send equivalent cryptocurrency to what users submit to addresses the user specifies or that the mixer provides in advance, minus fees. That means there’s no definitive on-chain link between the cryptocurrency the user sends and what they receive, but because the mixing service itself is centralized and custodial, the operators can record the data necessary to make those connections, creating privacy risk for users.
- CoinJoin mixers. CoinJoin transactions are a tactic used by mixers, and in particular wallets with built-in mixer capabilities, in which a group of users send their funds and receive back a mix of each other’s funds in a series of transactions. Unlike centralized mixers, CoinJoin mixers are non-custodial, meaning they never actually hold users’ funds.
- Smart contract mixers. Like CoinJoin mixers, smart contract-based mixers are non-custodial. However, unlike CoinJoin mixers, smart contract mixers don’t receive and send users’ funds in one transaction. Instead, once the user sends the funds, the mixer sends an equivalent amount to an address specified by the user beforehand.
Mixers share one key vulnerability: Large transactions make them ineffective. Since users are receiving a “mix” of funds contributed by others, if one user floods the mixer and contributes significantly more than others, much of what they end up with will be made up of the funds they originally put in, making it possible to trace the funds back to their original source. In other words, mixers function best when they have a large number of users, all of whom are mixing comparable amounts of cryptocurrency.
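The effect described above can be reproduced with a small simulation. This is an added example, not Chainalysis code or methodology. It assumes a simplified pool model: every deposit is split into 1-unit coins tagged with the depositor, the pool is shuffled uniformly at random, each user withdraws exactly what they deposited, and fees are ignored. The names mix_once, mean_self_share, BALANCED and FLOODED are hypothetical.

```python
import random
from collections import Counter

def mix_once(deposits, rng):
    """One mixing round: return {user: Counter(source -> coins received)}."""
    # Tag every 1-unit coin with its depositor, then shuffle the whole pool.
    pool = [src for src, amount in deposits.items() for _ in range(amount)]
    rng.shuffle(pool)
    payouts, start = {}, 0
    for user, amount in deposits.items():
        # Each user withdraws as many coins as they deposited (fee ignored).
        payouts[user] = Counter(pool[start:start + amount])
        start += amount
    return payouts

def mean_self_share(deposits, user, rounds=100, seed=7):
    """Average fraction of `user`'s payout made of coins they deposited."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    total = 0.0
    for _ in range(rounds):
        own_coins = mix_once(deposits, rng)[user][user]
        total += own_coins / deposits[user]
    return total / rounds

# Constructed sample pools (not real data); amounts are arbitrary units.
BALANCED = {f"user{i}": 100 for i in range(10)}
FLOODED = {"whale": 9000, **{f"user{i}": 100 for i in range(9)}}

if __name__ == "__main__":
    # Comparable deposits: about a tenth of a payout is the user's own coins.
    print("balanced, user0:", round(mean_self_share(BALANCED, "user0"), 3))
    # One dominant depositor: most of the payout is the depositor's own coins.
    print("flooded, whale: ", round(mean_self_share(FLOODED, "whale"), 3))
    # Small users in the flooded pool receive almost none of their own coins.
    print("flooded, user0: ", round(mean_self_share(FLOODED, "user0"), 3))
```

Under this model the expected self-share equals the user's deposit divided by the pool total, which is why the dominant depositor's output remains traceable to its input while the comparable-sized deposits do not.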
Are mixers compliant?
Despite their utility for criminals, mixers aren’t illegal by their nature. However, in the United States, the Financial Crimes Enforcement Network (FinCEN) has clarified that mixers are money transmitters under the Bank Secrecy Act (BSA), and therefore have an obligation to register with FinCEN; to develop, implement, and maintain an anti-money laundering compliance program; and to meet all applicable reporting and recordkeeping requirements. In fact, in 2020 FinCEN penalized the operator of Helix and Coin Ninja for operating unregistered money services businesses (MSB) and in 2021 the Department of Justice arrested and charged the operator of Bitcoin Fog with money laundering, operating an unlicensed money transmitting business, and money transmission without a license.
We aren’t aware of any mixers currently following rules related to KYC processes, source of funds checks, and other basic customer identification and due diligence regulations that MSBs are subject to in most jurisdictions. Given that increased privacy is the whole point of using a mixer, it seems unlikely that one could implement those compliance procedures and retain its user base.
What’s driving the increase in mixer usage?
Mixer usage saw significant quarter-over-quarter increases starting in 2020, and while that growth has leveled off somewhat in 2022, it remains close to all-time highs.
As we can see, the increases come primarily from increased volumes sent from centralized exchanges, DeFi protocols, and most notably, addresses connected to illicit activity. DeFi protocols in particular have risen not just in terms of value sent to mixers, but also in terms of the share of all volume sent to mixers, which makes sense given that the timing coincides with DeFi’s increasing prominence within the overall cryptocurrency ecosystem.
The increase in illicit cryptocurrency moving to mixers is more interesting though. Illicit addresses account for 23% of funds sent to mixers so far in 2022, up from 12% in 2021. On the chart below, we examine the types of criminal activity those illicit actors are associated with.
Note: Sanctioned entities on the graph above includes volume sent from entities that, prior to being sanctioned, would have fit in another category. For example, Hydra Market is a darknet market that was sanctioned in Q1 2022 – all of its volume from previous years is now labeled as “Sanctions.”
What stands out most is the huge volume of funds moving to mixers from addresses associated with sanctioned entities, especially in Q2 2022. Below, we look at which specific sanctioned entities have accounted for those funds so far in 2022.
Russian darknet market Hydra, which was sanctioned in April 2022, leads the way here, accounting for 50% of all funds moving to mixers from sanctioned entities this year. Importantly, drug sales weren’t the only reason OFAC decided to go after Hydra. DOJ officials specified that Hydra played a role in laundering funds from other darknet markets, cryptocurrency thefts, and ransomware attacks — the market offered mixer-like services of its own — and facilitated the sale of stolen data and hacking tools used in cyber attacks. Given the oversized role that Russia plays in cybercrime, and the connections some of these cybercriminal groups have to Russian intelligence services, an increase in funds moving from services like Hydra to mixers could be significant from a national security standpoint.
Nearly all of the remaining funds moving from sanctioned entities to mixers come from two groups associated with the North Korean government: Lazarus Group and Blender.io. Lazarus Group is a cybercrime syndicate responsible for several cryptocurrency hacks on behalf of the North Korean government, and along with associated groups remains extremely active today. Already in 2022, hackers associated with the North Korean government are believed to have stolen over $1 billion worth of cryptocurrency, mostly from DeFi protocols. Blender.io, on the other hand, became the first ever mixer sanctioned this year for its role in laundering funds stolen by Lazarus Group and others associated with North Korea. Any funds it sends to other mixers could very well represent a continuation of that activity.
Overall, if we label cybercriminal organizations with known nation state affiliations, we can see that these groups make up a significant and growing share of all illicit cryptocurrency sent to mixers.
Note: Transaction volume has no known nation state connection unless otherwise noted.
Funds sent to mixers by cybercriminal groups associated with Russia, and especially those associated with North Korea, have risen dramatically in 2021 and 2022.
Balancing privacy with safety
Mixers present a difficult question to regulators and members of the cryptocurrency community. Virtually everyone would acknowledge that financial privacy is valuable, and that in a vacuum, there’s no reason services like mixers shouldn’t be able to provide it. However, the data shows that mixers currently pose a significant money laundering risk, with 25% of funds coming from illicit addresses, and that cybercriminals associated with hostile governments are taking advantage. We encourage stakeholders in both the private and public sectors to work together on how to address the risks associated with mixers, and stand ready to provide any data necessary to make those engagements as productive as possible.