Criminals are using software tools called “mixers” to launder millions of dollars worth of cryptocurrency—and it’s been happening for years.
Like an episode straight out of the TV show Ozark, cyber thieves essentially put stolen crypto into a program that “mixes” it with other people’s cryptocurrency. They’ll take out the same amount they put in, but it won’t be the same exact cryptocurrency.
That makes attempts to trace where money comes from “much more challenging and allows bad actors to hide their source of funds,” Chris DePow, a senior advisor of financial institution regulation and compliance at Elliptic, a blockchain analysis firm, told Fortune.
In 2021, an Ohio man operating a Bitcoin mixer called Helix pleaded guilty to laundering more than $300 million. Another man who operated a Bitcoin mixer called Bitcoin Fog was charged in April of last year with laundering $335 million over more than 10 years. And just this year, a hacker stole more than $33 million from Crypto.com in January, then allegedly washed the currency through an Ethereum mixer. They remain at large.
But even though mixers are well known to be connected with money laundering, they’re “not inherently illegal—they can be used for legitimate privacy purposes,” Kim Grauer, director of research at blockchain analysis firm Chainalysis, told Fortune.
So, what is a mixer? How do criminals sometimes use them to launder funds? And why are they still legal?
Imagine a swimming pool filled with cash.
Along with a bunch of other people, you drop in $100. Then you walk over to the other side of the pool and take out $100. You still have $100 in currency, but it’s a different bill entirely.
That’s what a mixer does, only with crypto.
Each mixer is different. Some, like Blender.io, are centralized, while others, like Tornado Cash, claim to be decentralized, or run purely by code rather than any humans being in charge. Some are advertised on the dark web in an apparent effort to evade law enforcement, while others say they comply with regulators and are advertised out in the open. Popular mixers include Wasabi Wallet, ChipMixer, JoinMarket and then SamouriWallet, according to Grauer. She estimates that overall, mixers receive about $30 million in cryptocurrency every day.
Tornado Cash has become one of the most popular crypto mixers.
It allows a user depositing the cryptocurrency Ether (ETH) in its protocol, or software, to then withdraw the same amount. Crucially, the trail of the transaction is hidden, as Tornado Cash severs it. The mixer breaks the on-chain link between the deposit and withdrawal to “improve transaction privacy,” according to its website.
“Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy,” the Tornado Cash website says.
That’s because a user doesn’t have to log in or provide Tornado Cash with any personal information. Instead, all they need is an Ethereum Name Service domain, or a simplified name that represents a cryptocurrency wallet, and a random key that Tornado Cash generates.
A user can deposit their Ether, wait a bit, and then withdraw different Ether, so long as they provide the random key generated by Tornado to begin with to prove they’re the original depositor.
As a result, “the use of mixers like Tornado Cash is a common means by which criminals seek to launder dirty or stolen crypto,” DePow said. In January, hackers took millions worth of stolen crypto to Tornado Cash.
There is nothing necessarily illegal about users wanting their crypto transactions to remain private. In the real world, DePow points out that physical cash transactions can be done without anyone knowing.
And moving or obscuring funds isn’t the same as money laundering, Bill Callahan, a retired Drug Enforcement Agency agent, told CoinDesk in January.
“Is Tornado Cash laundering money? They are certainly obfuscating it. But I’d be careful with the term money laundering,” Callahan said. “Pretend I’m running away from police with a bag of cash and jumping over fences, trying to evade capture … that’s not money laundering. If Tornado Cash knows who deposited the money and who took it out, that’s not money laundering.”
Tornado Cash co-founder Roman Semenov told Bloomberg earlier this month that the protocol falls under the “anonymizing software providers” definition, which excludes them from money transmitter regulations in the U.S. that are required to “know your customer,” or KYC, rules.
“All we do is write code and publish it on GitHub,” Semenov added. “This is pretty close to the definition of free speech so writing code cannot be illegal.”
Whether regulators agree with that argument from mixers is a different story.
The Financial Action Task Force (FATF), an international group whose recommendations are recognized as the global anti-money laundering standard, released guidance on virtual assets, including mixers, in October of 2021.
It wrote that countries should make sure that virtual asset service providers, or VASPs, “can manage and mitigate the risks of engaging in activities that involve the use of anonymity-enhancing technologies or mechanisms, including but not limited to AECs, mixers, tumblers, privacy wallets and other technologies that obfuscate the identity of the sender, recipient, holder, or beneficial owner of a VA [virtual asset],” FATF wrote. “If the VASP cannot manage and mitigate the risks posed by engaging in such activities, then the VASP should not be permitted to engage in such activities.”
The U.K.’s National Crime Agency said earlier this month that protocols like crypto mixers that allow people to hide their transactions should be regulated, and involve proof of identity.
The Financial Crimes Enforcement Network, or FinCEN, the U.S. federal agency that deals with safeguarding financial systems and money laundering, did not return Fortune’s request for comment.
Tornado Cash did not respond to Fortune’s request for comment.
Alongside mixers, there’s also been an uptick in the use of what’s called “privacy wallets” and “privacy coins” that can also work to hide the origin of cryptocurrency, DePow said.
Privacy wallets separate any connection between cryptocurrency holders and their identity.
“Privacy wallets, like Wasabi Wallet … have largely supplanted mixers as the prefered method of Bitcoin activity obfuscation. Certain crypto assets, known as privacy coins like Monero, are entirely opaque and are completely private by default,” DePow said.
They’re pretty much untraceable and in turn, frequently used by bad actors in the space, he added.
“Ransomware attackers, for instance, will often offer a discount for a payment made in Monero instead of Bitcoin, due to its untraceable nature.”
This story was originally featured on Fortune.com
