Cryptocurrency sent to mixers reaches an all-time high thanks to illicit activity
Jonathan Greig July 15, 2022

The amount of cryptocurrency sent to mixing services reached an all-time monthly high of $51.8 million in April, according to data published by blockchain research company Chainalysis.

Mixing services are used for both legitimate and illicit reasons, allowing cryptocurrency holders to obscure the source of funds. Most mixers typically pool funds together from multiple users and pay people out with a new mix of cryptocurrency equaling what they put in.

Chainalysis noted that some platforms allow users to receive different-sized chunks of funds at different addresses at staggered times. Others try to obfuscate the fact that a mixer is even being used by changing the fee on each transaction or varying the type of deposit address used, the researchers explained.

But Chainalysis researchers said they have seen an increase in illicit cryptocurrency moving to mixers, with criminal addresses accounting for 23% of funds sent to mixers so far in 2022, up from 12% in 2021.

They noted that nearly 10% of all funds sent from illicit addresses go to mixers, while no other service type reached a 0.3% mixer sending share.

The 30-day moving average of $51.8 million on April 19, 2022 was about double the incoming volumes seen at the same point in 2021. 

“Mixer usage saw significant quarter-over-quarter increases starting in 2020, and while that growth has leveled off somewhat in 2022, it remains close to all-time highs,” Chainalysis found. 

“As we can see, the increases come primarily from increased volumes sent from centralized exchanges, DeFi protocols, and most notably, addresses connected to illicit activity. DeFi protocols in particular have risen not just in terms of value sent to mixers, but also in terms of the share of all volume sent to mixers, which makes sense given that the timing coincides with DeFi’s increasing prominence within the overall cryptocurrency ecosystem.”

The report explains that significant amounts of cryptocurrencies sent to mixers come from sanctioned entities, most of which are connected to actors based in Russia and North Korea. 

North Korean hackers have been accused of leading a wave of attacks on cryptocurrency platforms and have been caught laundering significant tranches of funds through mixers.  

Chainalysis said Russian darknet market Hydra, which was sanctioned in April 2022, led the way in their data set, accounting for 50% of all funds moving to mixers from sanctioned entities this year. 

“Importantly, drug sales weren’t the only reason OFAC decided to go after Hydra. DOJ officials specified that Hydra played a role in laundering funds from other darknet markets, cryptocurrency thefts, and ransomware attacks — the market offered mixer-like services of its own — and facilitated the sale of stolen data and hacking tools used in cyber attacks,” the researchers noted.

“Nearly all of the remaining funds moving from sanctioned entities to mixers come from two groups associated with the North Korean government: Lazarus Group and Blender.io.” 

The U.S. Treasury Department sanctioned cryptocurrency mixing service Blender.io in May, citing evidence that it was used to launder funds stolen by North Korean state-backed hackers. This was the first time a mixer had ever been sanctioned by the U.S. government.

The department’s Office of Foreign Assets Control (OFAC) said the Blender.io service was used to process more than $20.5 million in illicit proceeds from a March attack on the Ronin Network. That incident, which cost the company more than $620 million at the time, was linked to North Korean hackers known as the Lazarus Group.

“Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests,” said Brian Nelson, undersecretary of the Treasury for terrorism and financial intelligence. 

“We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.