Crypto Mixer Usage Reaches All-time Highs in 2022, With Nation State Actors and Cybercriminals Contributing Significant Volume

Crypto mixers are a go-to tool for cybercriminals on the blockchain. We find that in 2022, crypto addresses tied to illicit activity transferred nearly 10% of their funds to mixers – with no other address type sending more than 0.3%.

Crypto mixers may soon become obsolete as Chainalysis refines its ability to demix transactions, but for the time being, our data shows that mixers are processing more cryptocurrency than ever. On April 19, 2022, the 30-day moving average value received by mixers reached an all-time high of $51.8 million worth of cryptocurrency — double the value received by mixers at the same time in 2021.

Below, we’ll dive into who’s driving the increase in mixer usage and what it means for law enforcement and compliance pros.

What’s driving the increase in mixer usage?

Cryptocurrency mixers saw significant quarter-over-quarter volume increases starting in 2020 and continuing through 2021. While that growth has leveled off somewhat this year, it remains close to all-time highs.

The increases come primarily from growth in the volume sent from centralized exchanges, DeFi protocols, and most notably, addresses connected to illicit activity. DeFi protocols in particular have risen not just in terms of value sent to mixers, but also in terms of the share of all volume sent to mixers, which makes sense given that the timing coincides with DeFi’s increasing prominence within the overall cryptocurrency ecosystem.

The increase in illicit cryptocurrency moving to mixers is more interesting though. Illicit addresses account for 23% of funds sent to mixers so far in 2022, up from 12% in 2021. On the chart below, we examine the types of criminal activity those illicit actors are associated with.

Note: Sanctioned entities on the graph above include volume sent from entities that, prior to being sanctioned, would have fit in another category. For example, Hydra Market is a darknet market that was sanctioned in Q1 2022 – all of its volume from previous years is now labeled as “Sanctions.”

What stands out most is the huge volume of funds moving to mixers from addresses associated with sanctioned entities, especially in Q2 2022. Below, we look at which specific sanctioned entities have accounted for those funds so far in 2022. 

Russian darknet market Hydra, which was sanctioned in April 2022, leads the way here, accounting for 50% of all funds moving to mixers from sanctioned entities this year. Importantly, drug sales weren’t the only reason OFAC decided to go after Hydra. DOJ officials specified that Hydra played a role in laundering funds from other darknet markets, cryptocurrency thefts, and ransomware attacks — the market offered mixer-like services of its own — and facilitated the sale of stolen data and hacking tools used in cyber attacks. Given the outsized role that Russia plays in cybercrime, and the connections some of these cybercriminal groups have to Russian intelligence services, an increase in funds moving from services like Hydra to mixers could be significant from a national security standpoint. 

Nearly all of the remaining funds moving from sanctioned entities to mixers come from two groups associated with the North Korean government: Lazarus Group and Blender.io. Lazarus Group is a cybercrime syndicate responsible for several cryptocurrency hacks on behalf of the North Korean government, and along with associated groups remains extremely active today. Already in 2022, hackers associated with the North Korean government are believed to have stolen over $1 billion worth of cryptocurrency, mostly from DeFi protocols. Blender.io, on the other hand, this year became the first mixer ever sanctioned, for its role in laundering funds stolen by Lazarus Group and others associated with North Korea. Any funds it sends to other mixers could very well represent a continuation of that illegal activity.

Overall, if we label cybercriminal organizations with known nation state affiliations, we can see that these groups make up a significant and growing share of all illicit cryptocurrency sent to mixers.

Note: Transaction volume has no known nation state connection unless otherwise noted.

Funds sent to mixers by cybercriminal groups associated with Russia, and especially those associated with North Korea, have risen dramatically in 2021 and 2022. 

Balancing privacy with safety

Crypto mixers present a difficult dilemma to regulators and members of the cryptocurrency community. Virtually everyone would acknowledge that privacy is valuable, and that in a vacuum, there’s no reason services like mixers shouldn’t be able to provide it. But the data suggest that 25% of mixed funds come from illicit addresses, and that cybercriminals associated with hostile governments are among those taking the most advantage.

We encourage stakeholders in the public and private sectors to work together on how to address the risks associated with mixers, and stand ready to provide any data necessary to make those engagements as productive as possible.
