Cryptocurrency mixer activity reaches new heights in 2022

Chainalysis observed a stark uptick in April that led to a steady decline in May and June, but illicit addresses and DeFi platforms have kept mixers busy so far this year.

While cryptocurrency deposited into mixers reached all-time highs in 2022, Chainalysis estimated their use could soon come to a halt.

In a blog post Thursday, the cryptocurrency analytics vendor shared factors that led to the significant spike, including increased volumes being sent to centralized exchanges and decentralized finance (DeFi) protocols, as well as illicit addresses that accounted for the highest amount. However, due to better tracking capabilities and increased law enforcement efforts, Chainalysis predicted threat actors may soon choose alternative methods to obfuscate illegal funds.

Chainalysis emphasized that while mixers and tumblers are a "go-to-tool" for cybercriminals looking for financial anonymity and a way to hide their money trail, legitimate uses remain for such services. Illegal and legal uses both contributed to a stark uptick in April.

"While value received by mixers fluctuates significantly day-to-day, the 30-day moving average reached an all-time high of $51.8 million worth of cryptocurrency on April 19, 2022, roughly doubling incoming volumes at the same point in 2021," the blog post read.

The peak was followed by a steep decline in May and June, which Chainalysis attributed to better tracking. Kim Grauer, director of research at Chainalysis, said it also correlates with attacks.

"The volatility is because mixer usage is correlated with hacking activity, and hacks are rather distinct events that aren't consistent over time. In other words, surges in usage correspond with hacks," Grauer said in an email to SearchSecurity.

In April, threat actors breached email marketing platform Mailchimp to target cryptocurrency companies with a phishing campaign. Later that month, DeFi platform Beanstalk Farms was drained of over $180 million in cryptocurrency assets; Beanstalk Farms is just one of several cryptocurrency and DeFi platforms that have lost funds to threat actors this year.

Additionally, REvil resumed ransomware operations in April and not only breached Oil India, a natural resources company, but also leaked its data -- a method used to shame companies into paying a ransom. Threat actors expect ransoms to be paid in cryptocurrency.

While May and June saw less action, Chainalysis said mixer usage remains close to all-time highs in 2022. Though the blockchain platform said the increase coincided with the growing popularity of DeFi platforms at the time, more notable was the increase in illicit cryptocurrency moving to mixers.

Illicit addresses accounted for 23% of funds sent to mixers, up from 12% in 2021, according to the blog. Those addresses included ransomware, stolen funds, scams, dark web markets, cybercriminal administrators and sanctioned entities.

"What stands out most is the huge volume of funds moving to mixers from addresses associated with sanctioned entities, especially in Q2 of 2022," the blog read.

The shutdown of the largest cybercrime marketplace on the dark web, Hydra, which was sanctioned by the Office of Foreign Assets Control (OFAC) in April, accounted for 50% of all funds moving from mixers to sanctioned entities, according to Chainalysis. The Russian-language marketplace played a significant role in laundering funds from cryptocurrency thefts and ransomware attacks.

North Korean state-backed entities Lazarus and received nearly all the remaining funds. The Lazarus group is known for high-profile attacks such as WannaCry ransomware attacks and, more recently, the breach of Axie Infinity developer Sky Mavis, where the group stole $600 million in cryptocurrency. After investigators discovered the money was laundered through, OFAC issued sanctions against the cryptocurrency mixer.

"Overall, if we label cybercrime organizations with known nation state affiliations, we can see that these groups make up a significant and growing share of illicit cryptocurrency sent to mixers," the blog read.

Despite the massive peak in mixer activity in 2022, Chainalysis noted in the blog that mixers may soon become obsolete. As tracking improves, leading law enforcement to the original source of the funds, actors may be forced to pivot to other avenues.

"It's not certain that mixers will become obsolete," Grauer said. "But the combination of demixing capabilities with law enforcement and regulatory developments may lead to them falling out of favor."
