Mixers and Tumblers: Regulatory Overview and Use in Illicit Activities
Merkle Science
The use of mixers and tumblers in various illicit activities such as money laundering and hacks is rapidly increasing. Attackers run illicit proceeds through mixers and tumblers to obscure the trail of ownership by pooling others’ holdings, scrambling it, and redistributing the funds on the other end. On January 18, 2022, $34 million in crypto was stolen from Singapore-based crypto exchange, Crypto.com. Reportedly, the stolen Ethereum (ETH) was laundered through Tornado Cash — an ETH mixer protocol — and Bitcoin was laundered through an unknown Bitcoin mixer.
However, with the rise in the use of mixers and tumblers for illicit activities, the regulatory scrutiny around them is also increasing. The FATF in its Second 12 Month Review Report, under the section, Trends in the use of Virtual Assets (VA) for ML/TF purposes, noted that the use of mixers/tumblers by bad actors for obfuscating the source of funds has significantly gone up.
Use of cryptocurrency tumblers in conducting illicit activities
Hacks: Crypto mixers and tumblers are services that help attackers confuse the trail of crypto transactions by associating unrelated funds together using various methods. Attackers often use unregulated decentralized mixers and tumblers on the darknet to surpass regulatory requirements such as the Know Your Customer (KYC) requirement
In 2021, a large number of hackers used mixers and tumblers to evade detection. In the Liquid Global Hack, hackers sent roughly 6,000 stolen Ethereum (ETH) amounting to $20 million to Tornadocash.com, allowing them to hide their transactions by mixing their coins in with the others. Similarly, in the BitMart Hack hackers stole $150 million worth of tokens from ETH and Binance Smart Chain (BSC) hot wallets. The hackers swapped the stolen tokens by using the 1inch — decentralized exchange aggregator — and then used Tornado Cash to deposit the funds, allowing them to keep their identities hidden.
Darkweb: Criminals may use mixers and tumblers and the dark web to clean dirty crypto. Mixers and tumblers clean dirty crypto by bouncing it between various addresses, before recombining the full amount through a crypto wallet hosted on the dark web.
To conduct illicit activities using mixers and tumblers, attackers usually use one crypto wallet hosted on Clearnet (public internet) and two or more crypto wallets running solely on the dark web. For example, an attacker will send crypto from a wallet hosted on Clearnet to mixers and tumblers. After tumbling the clean crypto is transferred to the attackers’ TOR wallets. TOR wallets are anonymous wallets designed to keep their user’s identities hidden. TOR works by changing the location of the users’ internet address and encrypts the internet address by rerouting the users’ network via multiple remote servers. These encrypted transactions are repeated multiple times across dark web crypto addresses, adding a layer of obfuscation with each transaction.
Money laundering: The process of running dirty crypto through mixers and tumblers is very similar to the three stages of money laundering. The three stages of the money laundering process are placement, layering, and integration.
In the placement, stage criminals deposit dirty crypto into the tumbler. In a decentralized mixer, users receive crypto from other users during this stage. They are at the risk of receiving dirty crypto, which has been used for illicit activities, and can now connect them to these activities.
The second stage is called layering. In this phase, criminals use various types of services such as mixers and tumblers to create a complex transaction trail, removing the direct association with funds’ origin. Mixers split transactions into multiple smaller transactions and combine them again. Money launderers use mixes multiple times at various steps, making the source of funds unidentifiable.
The third stage is known as Integration. Once the process of mixing is complete, clean crypto is transferred to pre-determine wallets —either back to the sender or the new owner. Now, that the source of these funds is untraceable, the final phase is to legitimize the funds. There are many ways of doing this, sometimes money launderers may create new businesses providing services, which accept crypto payments. Then convert the crypto received into fiat currency through off-shore banking services.
Regulatory overview
FATF: The FATF in its Second 12 Month Review Report, under the sections — Trends in the use of Virtual Assets (VA) for ML/TF purposes — noted that the use of mixers/tumblers by bad actors for obfuscating the source of funds has significantly gone up. The FATF also observed that several mixer/tumbler services have been taken offline following enforcement action for operating as unregistered VASPs.
Further, in its Virtual Assets Red Flag Indicator Guidance, the FATF has stated that the transactions making use of mixing and tumbling services should be flagged, as they suggest an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces.
The U.S.: Under the Bank Secrecy Act (BSA), a money transmitter is required to develop and maintain a functional anti-money laundering (AML) compliance program and adhere to the applicable reporting and recording-keeping requirements. FinCEN further clarified its guidance in 2019 with FIN-2019-G001, stating the crypto anonymizing services — mixers and tumblers—are also considered money transmitters under the BSA.
The Department of Justice (DOJ) first charged Larry Harmon, the primary operator of bitcoin mixers Helix and Ninja, in 2019, with three crimes — conspiracy to commit money laundering, operating an unlicensed money transmitting business, and conducting money transmission without a license. In October 2020, FinCEN assessed a civil monetary penalty of $60 million against Harmon for not registering Helix as a money service business. Finally, in August 2021, Harmon pleaded guilty to helping darknet market criminals launder around $300 million.
In April 2021, U.S. authorities arrested Roman Sterlingov — Russian-Swedish founder of bitcoin tumbling service Bitcoin Fog — for helping people launder $335 million.
In its first government-wide list of priorities for AML/CFT, the FinCEN made virtual currency considerations one of its top priorities. Further, the FinCEN had also issued a warning, noting that in cases of hacks, criminals may leverage tools such as mixers and tumblers in order to break the connection between the sender address and the receiver address.
On October 6, 2021, the U.S. Department of Justice announced the National Cryptocurrency Enforcement Team (NCET), an enforcement team dedicated to investigating and prosecuting criminal misuses of cryptocurrency — in particular mixers and tumblers.
On August 8, 2022, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned cryptocurrency mixer Tornado Cash, which has been used to launder more than $7 billion worth of crypto since 2019.
Tornado Cash is the most popular coin-mixing service on the Ethereum blockchain. The service offers a set of smart contracts that enable the user to obfuscate their funds by cutting the link between their original address and the address they eventually receive the funds in.
This is not the first time a crypto mixer has been sanctioned by the U.S. Treasury. In May 2022, the OFAC added the crypto mixing service Blender. io to its Specially Designated Nationals list. The OFAC revealed that the crypto currency mixer was used to process more than $20.5 million in the Ronin Network Attack, which the U.S. Treasury had linked to the North Korea- backed Lazarus Group.
This move is the latest in the Biden Administration's efforts to disrupt the illicit flow of funds from cyberattacks, especially crypto-centric North Korean cyberattacks. The OFAC has added Tornado Cash and 44 associated Ethereum and USD Coin (USDC) wallet addresses to its SDN list.
According to the OFAC, Lazarus Group used Tornado Cash to launder circa $450 million. In fact, Tornado Cash has been at the center of multiple recent hacks including the Ronin bridge attack, Harmony bridge exploit, Nomad heist, Beanstalk flash loan attack, and more.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.” warned Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson
Tornado Cash is the most popular coin-mixing service on the Ethereum blockchain. The service offers a set of smart contracts that enable the user to obfuscate their funds by cutting the link between their original address and the address they eventually receive the funds in.
As a result of today’s sanctions all property and interests in the property of Tornado Cash that is in the U.S. or in the possession or control of the U.S. persons are blocked and must be reported to OFAC. Moreover, U.S. persons or entities cannot interact with Tornado Cash.
How can Merkle Science help?
To mitigate the risks mixers and tumblers pose to users, investors, and the financial system, the regulatory oversight over them is increasing. In order to protect themselves from exposure to the AML/CFT risks, crypto businesses should proactively put compliance frameworks in place to monitor all transactions surrounding stablecoins and to mitigate AML/CFT risks.
Merkle Science also provides sanction screenings for wallet addresses that are tagged against sanctioned entities. Using the sanctioned addresses, we run clustering algorithms to identify associated addresses that may — with a high degree of confidence — potentially belonging to the sanctioned entities.
Merkle Science’s multi-hop feature equips compliance officers to investigate both direct and indirect risks, such as those originating from associated addresses. Therefore, addresses interacting either directly or indirectly with the sanctioned addresses will be flagged as high-risk alerts. Our best-in-class wallet and transaction monitoring tool, Compass can monitor the transactional history of all the wallet addresses associated with a user.
As an additional compliance measure, addresses that have or have had any exposure to sanctioned entities are directly or indirectly flagged with new alerts per the business's risk policies. For instance, when the OFAC added Tornado Cash and 44 associated Ethereum and USD Coin (USDC) wallet addresses to its SDN list. We tagged those addresses immediately in our system and assigned them as “Sanctions” with the subtype “OFAC SDN List” on Compass. The risk level of the sanctioned addresses was escalated to “Critical Risk” in our system. Our customers received new alerts for addresses that have or have had any exposure to Tornado Cash, directly or indirectly.