German and US authorities, supported by Europol, have targeted ChipMixer, a cryptocurrency mixer well-known in the cybercriminal underworld.

The investigation was also supported by Belgium, Poland and Switzerland, Europol said in a statement. 

It said on on 15 March, national authorities took down the infrastructure of the platform for its alleged involvement in money laundering activities and seized four servers, about 1909.4 Bitcoins in 55 transactions (approx. €44.2m) and 7 TB of data. 
ChipMixer, an unlicensed cryptocurrency mixer set up in mid-2017, was specialised in mixing or cutting trails related to virtual currency assets. 

The ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud.

Deposited funds would be turned into "chips" (small tokens with equivalent value), which were then mixed together - thereby anonymising all trails to where the initial funds originated. 

A service available both on the clear and on the darkweb, ChipMixer offered full anonymity to their clients. This type of service is often used before criminals' laundered crypto assets are redirected to cryptocurrency exchanges, some of which are also in the service of organised crime. At the end of the process, the ‘cleaned' crypto can easily be exchanged into other cryptocurrencies or directly into FIAT currency though ATM or bank accounts. 

The investigation into the criminal service suggests that the platform may have facilitated the laundering of 152 000 Bitcoins (worth roughly €2.73bn in current estimations) in crypto assets. A large share of this is connected to darkweb markets, ransomware groups, illicit goods trafficking, procurement of child sexual exploitation material, and stolen crypto assets.

Information obtained after the takedown of the Hydra Market darkweb platform uncovered transactions in the equivalent of millions of euros. 

Ransomware actors such as Zeppelin, SunCrypt, Mamba, Dharma or Lockbit have also used this service to launder ransom payments they have received. Authorities are also investigating the possibility that some of the crypto assets stolen after the bankruptcy of a large crypto exchange in 2022 were laundered via ChipMixer. 

Europol facilitated the information exchange between national authorities and supported the coordination of the operation. Europol also provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through operational analysis, crypto tracing, and forensic analysis.

The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

The National authorities involved were:

  • Belgium: Federal police (Police Fédérale/Federale Politie)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt) and General Prosecutors Office Frankfurt-Main (Generalstaatsanwaltschaft Frankfurt/Main, Zentralstelle zur Bekämpfung der Internetkriminalität)
  • Poland: Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości)
  • Switzerland: Cantonal Police of Zurich (Kantonspolizei Zürich)
  • USA - Federal Bureau of Investigation, Homeland Security Investigation, Department of Justice