Darknet money laundering platform "ChipMixer" taken down by BKA (March 2023)

The Federal Criminal Police Office (BKA) has succeeded in a new cyber coup. Investigators of the BKA as well as the Central Office for Combating Cybercrime (ZIT) of the General Public Prosecutor's Office in Frankfurt am Main have seized and shut down a server through which cybercriminals were able to conduct money laundering on a large scale via the darknet. In addition, data and bitcoins were seized.


What is behind ChipMixer?

Cybercriminals have the problem of converting captured funds (mostly in the form of cryptocurrencies) into real currencies and disguising their origin at the same time. This is exactly what cybercriminals used ChipMixer for, a darknet platform that has been around since 2017. Specifically, ChipMixer was a service that accepted Bitcoin of criminal origin in particular. Then, obfuscation operations (so-called "mixing") took place and the deposited sum was paid back out "laundered".

In this process, deposited crypto funds were divided into uniform small amounts called "chips" for the purpose of thwarting investigations. The users' "chips" were then mixed together, thus hiding the origin of the funds. "ChipMixer" promised its users complete anonymity.

It is estimated that ChipMixer has laundered crypto assets worth about 154,000 bitcoin or 2.8 billion euros since 2017. A significant portion of this came from darknet marketplaces, fraudulently obtained crypto assets, ransomware groups, and other criminal acts. Among other things, the investigation is looking into the suspicion that parts of crypto assets stolen in connection with the bankruptcy of a major crypto exchange in 2022 were laundered via ChipMixer.

In addition, transactions worth millions can be proven from the darknet platform "Hydra Market", which was shut down in April 2022 by the ZIT and the BKA. Likewise, ransomware actors such as Zeppelin, SunCrypt, Mamba, Dharma, and Lockbit have used the service to launder money.

German BKA strikes

It seems that the aforementioned anonymity didn't quite work out that way. The General Public Prosecutor's Office in Frankfurt am Main – Central Office for Combating Internet Crime (ZIT) – and the Federal Criminal Police Office (BKA) today (Wednesday) seized the server infrastructure, located in Germany, of the world's highest-turnover crypto-mixer on the darknet, "ChipMixer". According to the BKA, in addition to data amounting to approximately 7 terabytes, bitcoins currently worth the equivalent of approximately 44 million euros were also seized. This is the largest seizure of crypto assets by the BKA to date, the investigators write. The following seizure banner was published on the service's Tor website:


ChipMixer seizure report, source: BKA

In the investigation, the BKA cooperated closely with the United States Department of Justice (US DoJ), the Federal Bureau of Investigation Philadelphia (FBI), Homeland Security Investigations Phoenix and Europol.

The operators of ChipMixer are suspected of, among other things, commercial money laundering and operating a criminal trading platform on the Internet. In the U.S. proceedings, the FBI put out an alert for the suspected main defendant and offered a reward for further tips relevant to the investigation via the U.S. DoJ's "Rewards for Justice Program".

The renewed success in the fight against cybercrime is a result of innovative counter-strategies against the global cybercrime industry, because money laundering services are regularly an important component in extortion through ransomware attacks. The goal of the BKA and the ZIT is therefore to use the knowledge gained in the case against "ChipMixer" to advance the investigation of further cybercrimes and to prevent German infrastructures from being misused for criminal purposes with funds from illegal activities.

Further details may be found in the 60-page PDF from the US district court of Pennsylvania.
