
Bad actors in North Korea, Russia send record-high funds to crypto mixers


The volatility in cryptocurrencies notwithstanding, bad actors sent a record sum of money to services that obfuscate the source and destination of digital assets, according to research by a blockchain analytics firm.

The total amount sent to cryptocurrency mixers reached an all-time high of US$51.8 million in April 2022, including a significant portion coming from sanctioned and state-backed actors, a report last week by Chainalysis showed. The blockchain analytics firm tracked a 30-day moving average of all funds sent to mixers over time and found April’s figures to be roughly double the value from the same period last year.

“That spike is 100% to do with North Korean hacking,” Kim Grauer, Head of Research at Chainalysis, said in an interview with Forkast. “A hacking event isn’t a trend, it’s a one-off incident,” she said. “And so, whereas with other types of crime like darknet market or scamming activity, you might see consistent usage over time, hacking happens in an instant and the laundering happens almost as fast.”


Mixers allow clients to add their cryptocurrency to a communal pool and withdraw the same amount, minus a fee, in tokens different from the ones they contributed. This makes it extremely difficult to trace the flow of funds, which makes mixers very attractive to those engaged in illicit activity in an industry where everything is recorded on the blockchain.



“Mixers are a go-to tool for cybercriminals dealing in cryptocurrency, and therefore one of the most important types of cryptocurrency services for investigators and compliance professionals to understand,” the Chainalysis team said in the report.


The blockchain analytics firm found that funds originating from illicit addresses made up 23% of all funds sent to mixers in the first half of this year, compared to only 12% through all of 2021. Furthermore, the report identified that nearly 10% of all illicit funds are sent through a mixer service, while no other service type reached more than a 0.3% mixer sending share.

“Because of just the gravity of the situations and the bad actors involved it’s really become almost a no-brainer that law enforcement has to grapple with this issue,” Grauer said.

The Laundromat

When the Ronin sidechain was hacked in March for US$600 million, the hackers moved at least 500 Ether worth roughly US$1.5 million at the time through the Ethereum mixer Tornado Cash in the days shortly after the hack. 

The Ronin sidechain hosts the popular play-to-earn game Axie Infinity, and the hack of 173,000 Eth and 25.5 million USDC was among the biggest ever recorded in the industry.

“They’ve tapped into the fundamental value of cryptocurrency,” said Grauer, explaining many criminals use crypto to circumvent know-your-customer (KYC) requirements. “If anything, it just proves the value [proposition] of crypto, which is that it’s highly effective at moving money around the world instantaneously.”

Illicit activity accounted for US$14 billion worth of transactions in 2021 — a 44% increase from the previous year, according to Chainalysis’ 2022 Crypto Crime Report. However, when accounting for the growth in the crypto industry as a whole, these fraudulent transactions account for 0.2% of the total, which is a 75% drop from the previous year.

The recent emergence of mixers as a service shows that the surge in their use could be just the beginning, Bryan Tan, a Singapore-based partner at law firm Reed Smith LLP who specializes in transactions and anti-money laundering in the digital asset industry, told Forkast in an interview.

“People usually want to test those tools before they commit large amounts,” said Tan. “And so, what you will see is that over time, more and more funds will get sent to such tools as people become more familiar.”


While crypto can allow bad actors to circumvent KYC requirements, it also records all transactions on the blockchain, which leads bad actors to use mixers to attempt to cover their tracks. 

This perception of security may be growing increasingly separate from reality, however; Grauer says Chainalysis is becoming increasingly adept at “de-mixing” these transactions and is working closely with law enforcement agencies to assist investigations where possible.

Grauer declined to share Chainalysis’ methods for de-mixing.

Money spinner

Bad actors can also use mixers at the front end of their attacks.

In January, the non-fungible token (NFT) marketplace OpenSea suffered a front-end attack worth 332 Eth (US$800,000 at the time), carried out using wrapped Ether (wETH) which had first been sent through Tornado Cash.

What’s different this year is the rise of sanctioned and/or state actors using these services.

Almost US$500 million was sent from sanctioned addresses in the second quarter of 2022, of which more than 50% came from one source alone — the Russian darknet market Hydra, Chainalysis said. This group was sanctioned in April 2022 for selling drugs, conducting money laundering, cryptocurrency thefts and ransomware attacks, it added.

An additional 48.8% was sent by two groups associated with the North Korean government: Lazarus Group and Blender.io.

Lazarus Group is a cybercrime organization acting on behalf of the North Korean government and is believed to have stolen more than US$1 billion this year alone, while Blender.io is itself a mixer tied to both Lazarus Group and the North Korean government.

Despite their continued use in criminal activity, mixers aren’t illegal.

The U.S. Financial Crimes Enforcement Network (FinCEN) has determined mixers to be money transmitters under the Bank Secrecy Act, forcing them to maintain an anti-money laundering and reporting scheme.

In 2020, FinCEN penalized Bitcoin mixers Helix and Coin Ninja for operating unregistered money services businesses. In 2021, the U.S. Department of Justice arrested and charged the operator of Bitcoin Fog with money laundering, operating an unlicensed money transmitting business, and money transmission without a license.

As with many areas of the crypto industry, regulation can be difficult when trying to apply legislation across borders and, oftentimes, to anonymous parties. One body that could be positioned to take effective action is the Financial Action Task Force (FATF), an international agency focused on setting standards for anti-money laundering and counter-terrorist financing.

“We’ve seen over the last couple of years the FATF now makes fairly frequent recommendations — especially on crypto regulation — and the willingness of the financial hubs [like] Singapore, Hong Kong, Switzerland to then follow those recommendations would be actually pretty quick these days,” said Reed Smith’s Tan.

The European Union has also recently passed legislation that could limit the efficacy of mixers; last month it extended the Eurozone’s “travel-rule” to require information on the source and receiver of crypto-assets to be sent with the transaction and subsequently stored.

Under these new rules crypto-asset service providers will be required to provide this information to authorities if an investigation into money laundering or terrorist finance is being conducted.

According to the report, no KYC requirements exist for mixer operators, but given the focus on privacy within the industry, any such requirement would likely render the services quite unattractive to many customers. 

The report concludes that any regulation approaching mixers needs to strike a difficult balance of protecting the right to digital privacy they offer while addressing their clear utility to illicit activity.

“We encourage stakeholders in both the private and public sectors to work together on how to address the risks associated with mixers, and stand ready to provide any data necessary to make those engagements as productive as possible,” concluded the report.
