Philly feds help dismantle popular crypto money-laundering site responsible for cleaning $3 billion in illicit funds

The site — which operated under the name ChipMixer — drew users from the darker corners of the Internet, including online drug dealers, North Korean hackers, and Russian military intelligence services

A visual representation of the digital cryptocurrency Bitcoin. (Dan Kitwood / MCT)

U.S. and European authorities — led by a team of federal investigators from Philadelphia — dismantled what they described Wednesday as the world’s most popular cryptocurrency service used by online drug dealers, North Korean hackers, and Russian military intelligence services to launder more than $3 billion in illicit proceeds since 2017.

The site — which operated under the name ChipMixer — drew thousands of users from the darker corners of the internet, the U.S. Justice Department said, including parties responsible for a series of headline-grabbing bitcoin heists and recent ransomware attacks that have plagued health-care services and municipal governments in the United States and abroad.

In addition to seizing two of ChipMixer’s domain names, its backend servers and more than $46 million in cryptocurrency from the service, authorities also filed charges Wednesday against its founder, Minh Quoc Nguyen — a Vietnamese national last known to be living in Hanoi. They accused him of openly flouting financial regulations while obscuring his true name under a series of stolen and fictitious identities.

“ChipMixer facilitated the laundering of cryptocurrency, specifically Bitcoin, on a vast international scale, abetting nefarious actors and criminals of all kinds in evading detection,” U.S. Attorney Jacqueline C. Romero said in a statement. “We cannot and will not allow criminals’ exploitation of technology to threaten our national and economic security.”

The coordinated law enforcement strike against ChipMixer is the latest in a series of actions by worldwide law enforcement agencies aimed at identifying and shuttering the increasingly sophisticated methods online criminals are using to anonymously make off with billions of dollars from their misdeeds.

But federal court filings unsealed Wednesday in Philadelphia detail an equally complex global investigation — one that began with probes into ransomware attacks in eastern Pennsylvania, passed through a series of servers set up under fake names in Eastern Europe, and eventually led to Nguyen, 49, who earned a doctorate in electronic engineering in Taiwan in 2016 only to launch what would become a go-to resource for the online underworld in less than a year.

Though ChipMixer’s service relied upon a detailed understanding of the blockchains that underlie the decentralized and anonymous world of cryptocurrency, its core purpose was simple.

“If you want to hide who you are,” Nguyen allegedly wrote, touting his platform on a popular crypto message board in 2017, “ChipMixer is the perfect way.”

Because blockchain transfers are publicly visible and have been used by authorities to link supposedly anonymous cryptocurrency transactions back to individual users, mixers like Nguyen’s aim to prevent that by commingling different streams of potentially identifiable bitcoin or other digital currencies to obscure their origins.

Users would deposit bitcoin with ChipMixer and when they returned to cash it out, the service arranged for the total to be transferred from addresses of other users that can’t be traced to the original customer.

For example, when a municipal government in the United States — which prosecutors did not identify in court papers Wednesday — paid a $42,500 ransom to cyber attackers who had seized its servers in August 2020, the criminals passed the funds through ChipMixer to ensure that they couldn’t be traced back to the source.

And after U.S. and European law enforcement shut down several competitor sites between 2019 and 2021, ChipMixer assumed their illicit market share and became a leader in the field, prosecutors said.

Investigators estimate that between 2017 and 2021, the site helped “clean” some $700 million in funds stolen by hackers, $17 million extorted through ransomware attacks, and more than $200 million associated with darknet markets selling drugs, stolen identities, malware, hacking tools, and counterfeit cash.

One of the largest sources of those funds, according to authorities, was Hydra Market, the Russian-based marketplace that had been the largest and longest-running illicit online bazaar in the world until U.S. and German authorities shut it down last year.

The platform was also allegedly used to launder roughly $46 million of the $370 million in funds stolen from the crypto exchange FTX shortly after it filed for bankruptcy in November, according to the crypto analytics firm Elliptic Enterprises Ltd.

Other prolific users, according to prosecutors, included a unit of the Russian military intelligence services, which had previously been linked to efforts to interfere with the 2016 U.S. presidential election. It used ChipMixer, they said, to obfuscate funds used to purchase infrastructure for a malware tool it designed and deployed in attacks in 2020.

A North Korean military intelligence group that has been linked to a series of bank and cryptocurrency heists also laundered some $700 million in stolen bitcoin through the site between 2020 and last year, prosecutors said.

“Criminals have long sought to launder the proceeds of their illegal activity through various means,” said Jacqueline Maguire, head of the FBI’s field office in Philadelphia. “Technology has changed the game, though, with a site like ChipMixer and a facilitator like Nguyen enabling bad actors to do so on a grand scale with ease.”

But just as Nguyen was allegedly adept at helping others anonymize their online financial transactions, he proved equally skilled, authorities said, at hiding his own involvement.

According to the charging documents in his case, he created and operated the online infrastructure used by ChipMixer through a series of domain names and hosting services registered under fake names or identities stolen primarily from U.S. residents in their 60s and 70s.

Search warrants for email accounts linked to Nguyen revealed documents filled with passwords, credit card numbers, driver’s license details, and other identity documents linked to hundreds of victims.

Despite the charges filed against him — which included counts of money laundering, identity theft, and operating an unlicensed money-transmitting business that could send him to prison for up to 40 years — Nguyen was not in custody Wednesday, Justice Department officials said.

His whereabouts remained unknown, and efforts to reach him at email addresses listed in his charging documents were unsuccessful.

His website, meanwhile, has gone dark. Where ChipMixer’s logo once appeared alongside boasts of its effectiveness in hiding transactions from law enforcement, a simple banner has replaced it under the logos of U.S., German, Swiss, and Polish law enforcement.

It reads: “THIS WEBSITE HAS BEEN SEIZED.”