Cryptocurrency mixers are a go-to tool for cybercriminals dealing in cryptocurrency, and therefore one of the most important types of cryptocurrency services for investigators and compliance professionals to understand. Mixers are designed to provide more privacy in cryptocurrency transactions, but may also be used to obfuscate the source of funds, and, for lack of a better word, “fool” blockchain investigators. 

To be clear, there are legitimate reasons one would want to do this. Financial privacy is important, especially to people living under oppressive governments or who otherwise need the ability to make legal transactions anonymously. However, crypto mixers’ core functionality, combined with the fact that mixers rarely if ever ask for KYC information, makes them naturally attractive to cybercriminals. In fact, nearly 10% of all funds sent from illicit addresses are sent to mixers; no other service type sent more than 0.3% of its funds to mixers.

Crypto mixers may soon become obsolete as Chainalysis continues to refine its ability to demix transactions and determine users’ original source of funds. But for the time being, our data shows that mixers are receiving more cryptocurrency than ever in 2022.

While value received by mixers fluctuates significantly day-to-day, the 30-day moving average reached an all-time high of $51.8 million worth of cryptocurrency on April 19, 2022, roughly doubling incoming volumes at the same point in 2021. Below, we’ll dive into who’s driving increased mixer usage and what it means for law enforcement and compliance pros.

How crypto mixers work 

Mixers create a disconnect between the cryptocurrencies that users deposit and what they withdraw, making it more difficult to trace the flow of funds. They do this by pooling the funds deposited by many users and shuffling them at random before returning to each user a sum equivalent to what they deposited, minus a small service fee.

Some mixers make funds more difficult to track by letting users receive different-sized chunks of funds at different addresses and at staggered times. Others try to obfuscate the fact that a mixer is even being used by changing the fee on each transaction or varying the type of address used.

The different types of crypto mixers

Most mixers fit into one of the following three categories.

  • Centralized mixers. Centralized mixers simply send equivalent cryptocurrency to what users submit to addresses the user specifies or that the mixer provides in advance, minus fees. That means there’s no definitive on-chain link between the cryptocurrency the user sends and what they receive, but because the mixing service itself is centralized and custodial, the operators can record the data necessary to make those connections, creating privacy risk for users. 
  • CoinJoin mixers. CoinJoin transactions are a tactic used by mixers, and in particular wallets with built-in mixer capabilities, in which a group of users send their funds and receive back a mix of each other’s funds in a series of transactions. Unlike centralized mixers, CoinJoin mixers are non-custodial, meaning they never actually hold users’ funds.
  • Smart contract mixers. Like CoinJoin mixers, smart contract-based mixers are non-custodial. However, unlike CoinJoin mixers, smart contract mixers don’t receive and send users’ funds in one transaction. Instead, once the user sends the funds to the mixer, they receive a cryptographic note that proves they were the one behind the deposit. From a new address, the user can then send the mixer a transaction that uses that note to withdraw the funds to the new address. Importantly, the user can wait as long as they want to withdraw their funds from the mixer using that cryptographic note. Smart contract mixers also work alongside service providers called relayers, which can provide the ether necessary to pay fees on the mixer withdrawal transaction, ensuring the user can withdraw funds to a new address with no transaction history or connections to other services.

Mixers share one key vulnerability: large transactions make them ineffective. Since users receive a mixture of funds contributed by the mixer’s other users, if one user floods the mixer and contributes significantly more than others, much of what they end up with will consist of the very funds they put in, making it possible to trace the funds back to them. In other words, mixers function best when they have a large number of users, all of whom are mixing comparable amounts of cryptocurrency.
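The effect of an outsized deposit can be seen from the investigator's side with a simple candidate-set count. The following is an added example, not Chainalysis code or methodology: it assumes each deposit comes back as a single withdrawal, a fee between 0.5% and 3%, and a 24-hour payout window, and all transfers are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    label: str   # constructed label, not a real transaction id
    amount: int  # satoshis
    minute: int  # minutes since the start of the observation window

# Constructed sample: four deposits of about 1 BTC and one of 40 BTC.
DEPOSITS = [
    Transfer("d1", 100_000_000, 0),
    Transfer("d2", 100_000_000, 5),
    Transfer("d3", 101_000_000, 12),
    Transfer("d4", 99_000_000, 20),
    Transfer("d5", 4_000_000_000, 25),
]
WITHDRAWALS = [
    Transfer("w1", 98_000_000, 90),
    Transfer("w2", 98_500_000, 130),
    Transfer("w3", 97_500_000, 200),
    Transfer("w4", 99_000_000, 260),
    Transfer("w5", 3_920_000_000, 300),
]

def could_fund(dep, wd, min_fee_bps=50, max_fee_bps=300, max_delay=1440):
    """True if wd is consistent with dep minus a fee in the assumed window."""
    delay = wd.minute - dep.minute
    if not 0 < delay <= max_delay:
        return False
    # Integer comparison of the implied fee (in basis points) against the window.
    fee_scaled = (dep.amount - wd.amount) * 10_000
    return min_fee_bps * dep.amount <= fee_scaled <= max_fee_bps * dep.amount

def candidate_sets(deposits, withdrawals, **window):
    """Map each withdrawal to the deposits that could explain it."""
    return {
        wd.label: [dep.label for dep in deposits if could_fund(dep, wd, **window)]
        for wd in withdrawals
    }

def uniquely_linked(sets):
    """Withdrawals with exactly one candidate deposit: no cover from other users."""
    return {wd: deps[0] for wd, deps in sets.items() if len(deps) == 1}

if __name__ == "__main__":
    sets = candidate_sets(DEPOSITS, WITHDRAWALS)
    for wd, deps in sets.items():
        print(wd, len(deps), deps)
    print("uniquely linked:", uniquely_linked(sets))
```

The four comparable deposits give each other three or four candidates per withdrawal, while the 40 BTC withdrawal has exactly one possible source.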

Are crypto mixers legal?

Despite their frequent use by criminals, crypto mixers are not explicitly illegal in most jurisdictions. Whether or not they are compliant, however, is a different question. In the United States, the Financial Crimes Enforcement Network (FinCEN) has clarified that mixers are considered money transmitters under the Bank Secrecy Act (BSA), and therefore have three key obligations:

  1. to register with FinCEN
  2. to develop, implement, and maintain an anti-money laundering and know-your-customer compliance program
  3. to meet all applicable reporting and record-keeping requirements. 

We aren’t aware of any Bitcoin or Ethereum mixers currently following these rules. And given that preserving privacy is for many users the point of using a crypto mixer, it seems unlikely that one could implement these compliance procedures and still retain its users.

Major crypto mixer enforcement actions

  • October 2020: FinCEN penalized the operator of Bitcoin mixers Helix and Coin Ninja for operating unregistered money services businesses (MSBs).
  • April 2021: the Department of Justice (DOJ) arrested and charged the operator of Bitcoin Fog with money laundering, operating an unlicensed money transmitting business, and money transmission without a license.
  • August 2022: the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the popular Ethereum mixer Tornado Cash, adding it to the Specially Designated Nationals (SDN) List with 38 unique cryptocurrency addresses included as identifiers.

What’s driving the increase in mixer usage?

Mixer usage saw significant quarter-over-quarter increases starting in 2020, and while that growth has leveled off somewhat in 2022, it remains close to all-time highs. 

As we can see, the increases come primarily from increased volumes sent from centralized exchanges, DeFi protocols, and most notably, addresses connected to illicit activity. DeFi protocols in particular have risen not just in terms of value sent to mixers, but also in terms of the share of all volume sent to mixers, which makes sense given that the timing coincides with DeFi’s increasing prominence within the overall cryptocurrency ecosystem. 

The increase in illicit cryptocurrency moving to mixers is more interesting though. Illicit addresses account for 23% of funds sent to mixers so far in 2022, up from 12% in 2021. On the chart below, we examine the types of criminal activity those illicit actors are associated with. 

Note: Sanctioned entities on the graph above includes volume sent from entities that, prior to being sanctioned, would have fit in another category. For example, Hydra Market is a darknet market that was sanctioned in Q1 2022 – all of its volume from previous years is now labeled as “Sanctions.” 

What stands out most is the huge volume of funds moving to mixers from addresses associated with sanctioned entities, especially in Q2 2022. Below, we look at which specific sanctioned entities have accounted for those funds so far in 2022. 

Russian darknet market Hydra, which was sanctioned in April 2022, leads the way here, accounting for 50% of all funds moving to mixers from sanctioned entities this year. Importantly, drug sales weren’t the only reason OFAC decided to go after Hydra. DOJ officials specified that Hydra played a role in laundering funds from other darknet markets, cryptocurrency thefts, and ransomware attacks — the market offered mixer-like services of its own — and facilitated the sale of stolen data and hacking tools used in cyber attacks. Given the outsized role that Russia plays in cybercrime, and the connections some of these cybercriminal groups have to Russian intelligence services, an increase in funds moving from services like Hydra to mixers could be significant from a national security standpoint. 

Nearly all of the remaining funds moving from sanctioned entities to mixers come from two groups associated with the North Korean government: Lazarus Group and a mixer that was itself sanctioned. Lazarus Group is a cybercrime syndicate responsible for several cryptocurrency hacks on behalf of the North Korean government, and along with associated groups remains extremely active today. Already in 2022, hackers associated with the North Korean government are believed to have stolen over $1 billion worth of cryptocurrency, mostly from DeFi protocols. The mixer, on the other hand, became the first ever mixer sanctioned this year for its role in laundering funds stolen by Lazarus Group and others associated with North Korea. Any funds it sends to other mixers could very well represent a continuation of that illegal activity.

Overall, if we label cybercriminal organizations with known nation state affiliations, we can see that these groups make up a significant and growing share of all illicit cryptocurrency sent to mixers.

Note: Transaction volume has no known nation state connection unless otherwise noted

Funds sent to mixers by cybercriminal groups associated with Russia, and especially those associated with North Korea, have risen dramatically in 2021 and 2022. 

Balancing privacy with safety

Crypto mixers present a difficult dilemma to regulators and members of the cryptocurrency community. Virtually everyone would acknowledge that financial privacy is valuable, and that in a vacuum, there’s no reason services like mixers shouldn’t be able to provide it. But the data shows that mixers pose a significant money laundering risk. 25% of mixed funds come from illicit addresses, and cybercriminals associated with hostile governments are among those taking the most advantage.

We encourage stakeholders in the public and private sectors to work together on how to address the risks associated with mixers, and stand ready to provide any data necessary to make those engagements as productive as possible.
