Cryptomixers are helping hackers to launder ransomware payments

A collection of various coins with cryptocurrency logos embedded onto them
(Image credit: Shutterstock)

Cyber criminals are turning to cryptomixing services to hide the proceeds of ransomware activities and make them harder to track by law enforcement.

That's according to security researchers at cyber security firm Intel 471, which reports that cryptomixing services, which pool cryptocurrency transactions from a variety of sources to provide more privacy, are available on both the open internet and the dark web.

While this is not illegal - cryptomixers are advertised as adding an extra layer of privacy for cryptocurrency transactions - the researchers found that these services had well-established presences on multiple, well-known cyber crime forums.

“All of the mixers had professional-looking sites, likely serving as an attempt to make their operations appear more legitimate and attract a wider range of clients,” said Intel 471.

“None of the providers advertised their roles in money laundering, instead preferring to suggest their sites serve businesses using cryptocurrencies and individuals interested in protecting their privacy.”

From a cyber criminal's perspective, these cryptomixers work as follows: the criminal sends a sum of cryptocurrency, typically Bitcoin, to a wallet address owned by the mixing service operator. This sum joins a pool made up of the service provider’s own Bitcoins and the cryptocurrency of other cyber criminals using the service. The depositing threat actor’s cryptocurrency joins the back of the “chain”, and the threat actor receives a unique reference number, known as a “mixing code”, for the deposited funds.

“This code ensures the actor does not get back their own 'dirty' funds that theoretically could be linked to their operations. The threat actor then receives the same sum of Bitcoins from the mixer’s pool, muddled using the service’s proprietary algorithm, minus a service fee,” the researchers said.

Criminals can make this more anonymous still by spreading the “clean” sum of Bitcoins across numerous wallet addresses, further obfuscating the trail of the illicit funds.

“This makes it more difficult for law enforcement to associate the original “dirty” cryptocurrency with the threat actor,” the researchers added.

Cyber criminals were found to be using four popular cryptomixing services: Absolutio, AudiA6, Blender, and Mix-btc. These cryptomixers can either charge a flat fee or a “dynamic” one, which Intel 471 said is most likely done to “complicate investigations into illicit cryptocurrency funds by altering the amount being laundered at different stages of the process, making it more difficult to tie the funds to a specific crime or individual”.
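To show, from an investigator's side, what the deposit-pool-payout flow described above does to fund tracing, and why a “dynamic” fee hurts the amount-matching heuristic more than a flat one, here is an added example that is not part of the original article or of Intel 471's research. The ledger, addresses, amounts and fee rates are all constructed; real mixers and chain data are more complex.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample ledger (not real chain data): (from_address, to_address, amount_btc)
LEDGER = [
    ("victim_wallet", "ransom_addr", 10.0),
    ("ransom_addr", "mixer_deposit_1", 10.0),  # actor deposits into the mixer
    ("mixer_pool", "payout_a", 3.8),           # mixer pays out of its pool...
    ("mixer_pool", "payout_b", 5.9),           # ...to several fresh addresses
    ("mixer_pool", "payout_c", 2.0),           # an unrelated client's withdrawal
    ("mixer_pool", "payout_d", 7.6),           # an unrelated client's withdrawal
    ("payout_a", "exchange_x", 3.8),
]
MIXER_DEPOSITS = {"mixer_deposit_1"}  # constructed label, as an analyst would maintain

def trace_taint(ledger, start, mixer_deposits):
    """Follow funds forward from `start`. Returns the addresses the funds can be
    followed to, and the mixer deposit addresses where the direct trail stops:
    payouts come from the shared pool, not from the deposited coins."""
    out = defaultdict(list)
    for src, dst, _ in ledger:
        out[src].append(dst)
    reached, stopped, todo = set(), set(), [start]
    while todo:
        addr = todo.pop()
        if addr in reached:
            continue
        reached.add(addr)
        for dst in out[addr]:
            if dst in mixer_deposits:
                stopped.add(dst)
            else:
                todo.append(dst)
    return reached, stopped

def candidate_payouts(ledger, deposit, fee_lo, fee_hi, pool="mixer_pool"):
    """Amount-matching heuristic: which combinations of pool payouts sum to the
    deposit minus a fee in [fee_lo, fee_hi]? A flat fee gives a single target
    amount; a 'dynamic' fee widens the band and multiplies the candidates."""
    payouts = [(dst, amt) for src, dst, amt in ledger if src == pool]
    lo, hi = deposit * (1 - fee_hi), deposit * (1 - fee_lo)
    hits = []
    for n in range(1, len(payouts) + 1):
        for combo in combinations(payouts, n):
            total = sum(amt for _, amt in combo)
            if lo - 1e-9 <= total <= hi + 1e-9:
                hits.append(tuple(dst for dst, _ in combo))
    return hits
```

With a known flat 3% fee the 10 BTC deposit matches exactly one payout combination; with a fee anywhere between 1% and 10% the same ledger yields two, and the unrelated client's withdrawals become equally plausible.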

Researchers said that a thorough understanding of the operational underpinnings of these mixing services is key to comprehending how criminals are laundering the money they earn from their crimes.

“It’s important to understand how all facets of a ransomware operation work if civil society is to stop the losses inflicted by these schemes,” they said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.