Ransomware Criminals Employ these Cryptomixers to Clean Up their Ransoms

Cryptomixers have long been at the heart of cybercrime, allowing hackers to “clean” cryptocurrency stolen from victims while making it difficult for law enforcement to track them down.

When criminals steal cryptocurrency or obtain it as ransom, researchers or law enforcement can often see which cryptocurrency wallet the funds were moved to. Threat actors can use mixers to deposit illegally obtained money and have it mixed with a large pool of “random” transactions. As a result, the original crypto becomes jumbled in an extensive collection of amounts from various unknown sources.

The “cleaned” crypto is then delivered to a new address held by the threat actors, which has never been used before and is not known to law enforcement. The cryptomixers collect a fee (typically 1-3 percent) from the mixed cryptocurrency to use their service.

Because there is a specialized area of study dedicated to detecting illegal bitcoin transactions, mixing services must use secret and strong mixing algorithms, or law enforcement will track the funds. Furthermore, these services must not keep any logs or information that could be used to identify individuals or link them to their assets. Intel471 researchers combed the criminal underground for the services regarded as the most trustworthy at erasing transaction traces and identified four significant examples.

Absolutio, AudiA6, Blender, and Mix-btc are four common cryptomixing platforms used by hackers today. Apart from Mix-btc, all of these platforms use the Tor network to protect their users’ anonymity and privacy. They accept Bitcoin, Bitcoin Cash, Dash, Ethereum, Ethereum Classic, Litecoin, Monero, Tether, etc. According to Intel471, mixers may charge either a fixed fee or a variable (“dynamic”) fee for their services.

According to the Intel471 report, some services let users choose a “dynamic” service fee, which is most likely intended to make investigations into illicit cryptocurrency funds more difficult: changing the laundered amount at different stages of the process makes it harder to tie the funds to a particular crime or individual.

Intel471 analysts discovered a wallet belonging to Blender and found that it conducted $3,400,000 in bitcoin transactions between June and July 2020. This reflects the scale of these platforms’ operations, which operate in a murky legal area and generate thousands of dollars every month, primarily from cybercrime. Mixing cryptocurrencies isn’t inherently unlawful, and it’s often advocated as a way to increase anonymity. However, if a mixer knowingly helps illegal enterprises launder their illicit gains, it will be targeted by law enforcement and its business will be shut down.

The Helix bitcoin mixer has been shut down in the past for laundering millions of dollars in illicit drug proceeds. Similarly, after building a case showing that threat actors had used the mixer to launder at least $200 million in bitcoin, the Dutch authorities seized the BestMixer.io website.

According to Intel471, some ransomware gangs have built bitcoin mixing services directly into their management panels. The operators of Avaddon, DarkSide 2.0 (also known as BlackMatter), and REvil likely integrated the BitMix bitcoin mixer to ease the laundering of ransom money for their affiliates. Because mixers are known to be used by criminal enterprises, law enforcement action and possibly US sanctions will continue to pursue them, as we saw with the Chatex and Suex exchanges.

About the author

CIM Team