Cryptomixers are helping hackers to launder ransomware payments

The services enable cyber criminals to anonymously clean proceeds from illicit activities

Cyber criminals are turning to cryptomixing services to hide the proceeds of ransomware activities and make them harder to track by law enforcement. 

That's according to security researchers at IT cyber security firm Intel 471, which reports that cryptomixing services, which mix cryptocurrency transactions from a variety of sources to provide more privacy, are available on the internet and the dark web.

While this is not illegal - cryptomixers are advertised as adding an extra layer of privacy for cryptocurrency transactions - the researchers found that these services had well-established presences on multiple, well-known cyber crime forums.

“All of the mixers had professional-looking sites, likely serving as an attempt to make their operations appear more legitimate and attract a wider range of clients,” said Intel 471.

“None of the providers advertised their roles in money laundering, instead preferring to suggest their sites serve businesses using cryptocurrencies and individuals interested in protecting their privacy.”

From a cyber criminal's perspective, these cryptomixers work as follows: the criminal sends a sum of cryptocurrency, typically Bitcoin, to a wallet address the mixing service operator owns. This sum joins a pool of the service provider's own Bitcoins, as well as cryptocurrencies from other cyber criminals using the service. The initial threat actor's cryptocurrency joins the back of the "chain", and the threat actor receives a unique reference number known as a "mixing code" for the deposited funds.

“This code ensures the actor does not get back their own 'dirty' funds that theoretically could be linked to their operations. The threat actor then receives the same sum of Bitcoins from the mixer’s pool, muddled using the service’s proprietary algorithm, minus a service fee,” the researchers said.

This can be made more anonymous by criminals by sending this “clean” sum of Bitcoins to numerous wallet addresses to further obfuscate the trail of the illicit funds.

“This makes it more difficult for law enforcement to associate the original 'dirty' cryptocurrency with the threat actor,” the researchers added.

Cyber criminals were found to be using four popular cryptomixing services: Absolutio, AudiA6, Blender, and Mix-btc. These cryptomixers can either charge a flat fee or a “dynamic” one, which Intel 471 said is most likely done to “complicate investigations into illicit cryptocurrency funds by altering the amount being laundered at different stages of the process, making it more difficult to tie the funds to a specific crime or individual”.
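To make the deposit, mixing code, payout and fee mechanics above concrete, here is a small Python model written for this article (it is not Intel 471's code and does not reproduce any real mixer). It assumes the analyst can see only the on-chain deposits and payouts, not the mixing codes, and shows why a naive amount-matching heuristic works against a flat fee but fails against a constructed "dynamic" fee.

```python
# Toy model of the mixing flow and of an analyst's amount-matching heuristic.
# Everything here (addresses, amounts, fee schedule) is constructed for illustration.
import hashlib


def mixing_code(deposit_addr: str, amount: float) -> str:
    """Reference the mixer hands back for a deposit (constructed: a short hash)."""
    return hashlib.sha256(f"{deposit_addr}:{amount}".encode()).hexdigest()[:8]


def dynamic_fee_rate(code: str) -> float:
    """Constructed 'dynamic' fee: 2.5% to 5%, chosen per deposit from the mixing code,
    so no payout has a fixed relation to the amount that was deposited."""
    return 0.025 + (int(code, 16) % 6) * 0.005


def run_mixer(deposits, payout_addrs, flat_fee=0.02, dynamic=False):
    """deposits: list of (from_addr, amount); payout_addrs: one fresh address per deposit.
    Returns (on_chain_in, on_chain_out, secret_links). Only the first two are visible to an
    outside observer; the links are known to the mixer and to the depositor via the code."""
    on_chain_in, on_chain_out, links = [], [], {}
    for (src, amt), dst in zip(deposits, payout_addrs):
        code = mixing_code(src, amt)
        rate = dynamic_fee_rate(code) if dynamic else flat_fee
        on_chain_in.append((src, amt))
        on_chain_out.append((dst, round(amt * (1 - rate), 8)))  # same sum minus fee
        links[dst] = src
    return on_chain_in, on_chain_out, links


def link_by_amount(on_chain_in, on_chain_out, assumed_fee=0.02, tol=1e-6):
    """Analyst heuristic: a payout equal to deposit * (1 - known flat fee) is attributed
    to that deposit. Returns the guessed payout_addr -> deposit_addr mapping."""
    guesses = {}
    for dst, paid in on_chain_out:
        for src, amt in on_chain_in:
            if abs(amt * (1 - assumed_fee) - paid) < tol:
                guesses[dst] = src
    return guesses


# Constructed sample ledger: three depositors, three payout addresses.
DEPOSITS = [("1ActorA", 1.5), ("1ActorB", 0.73), ("1ActorC", 2.2)]
PAYOUTS = ["bc1qA", "bc1qB", "bc1qC"]

if __name__ == "__main__":
    for dynamic in (False, True):
        tx_in, tx_out, truth = run_mixer(DEPOSITS, PAYOUTS, dynamic=dynamic)
        guess = link_by_amount(tx_in, tx_out)
        print("dynamic fee" if dynamic else "flat fee", "recovered:", guess == truth)
```

Real chain-analysis tooling also uses timing, address clustering and known-entity tagging, none of which this toy models.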

Researchers said that a thorough understanding of the operational underpinnings of these mixing services is key to comprehending how criminals are laundering the money they earn from their crimes. 

“It’s important to understand how all facets of a ransomware operation work if civil society is to stop the losses inflicted by these schemes,” they said.
