In the ever-evolving world of blockchain and crypto assets, one of the latest hot topics is crypto "mixers" (or "tumblers"). Mixers have been the subject of intense debate: Are they heroes of privacy or villains enabling financial crime? Are mixers merely open-source, decentralized code, or are they tools for criminals and bad actors to launder illicit funds? The truth likely lies somewhere in between.
Rather than diving into this debate, this article will focus on the recent history of Convertible Virtual Currency (or CVC) mixers and their impact on compliance requirements. In today's era of real-time money movement, crypto-based transactions can occur in seconds but take weeks to investigate, analyze, and report.
With many financial institutions relying on baseline regulatory guidance, this article aims to provide a concise overview of how mixers facilitate illicit money movement, the ongoing battle between regulators and mixers, and why updating mindsets and software around CVC mixer due diligence should be a top priority for compliance professionals.
Mixers, also known as tumblers, are a relatively simple concept. They take coins from different users, pool them together, and then redistribute the same value back to the original users after "mixing" them. This process obscures the origin of the coins. In the context of blockchain, where the ledger is immutable and anyone can trace the origin of tokens in a wallet, mixers provide a turnkey solution to break up that trace and obscure the origin of the funds.
On the surface, mixers sound like the new age of money laundering (i.e. layering of funds). However, those most active in the space argue that the goal of anonymity provided by the mixers is just as much about protecting themselves as it is about obscuring the use of funds.
In a day and age when wallet hacks are an endless threat, those with larger pools of investments use mixers to hide the original wallet source from would-be thieves. In the case of journalists or activists, the mixers again hide the origin wallet from authoritarian regimes who may be monitoring wallets of known activists or charities that they seek to repress. The argument of anonymous money movement is doubtlessly an endless one, and not the purpose of this article. Instead, we'll look at the other side of this coin: why are CVC mixers a concern for the real world, how have regulators responded, and what does the future hold for this popular byproduct in the ever-expanding integration of crypto into Traditional Finance (or TradFi) channels?
For the purposes of this discussion, we must first establish that there are two different forms of mixers: centralized and decentralized. As the name suggests, centralized mixers are those operated by a third-party service that collects and mixes cryptocurrency, while decentralized mixers utilize smart contracts and decentralized applications (dApps) on blockchain networks, eliminating the need for trust in a single third-party entity. The following discussion focuses primarily on the decentralized mixer category, as those seeking to use mixers for illicit activity actively avoid oversight of any kind.
The most powerful tool in geopolitics isn't a military force, a spy agency, or international law: it's sanctions. The ability to prevent, freeze, or disrupt money movement is the single most effective response to any action. Specifically, the money flows being controlled are what finance war, terrorism, oppression, war profiteering, oligarchs, and corruption, to name a few.
However, to achieve this, all these activities require moving money through major economic banks to handle the necessary scale and volume. Since the 1980s and the war on narco-trafficking financing, the TradFi space has become highly regulated to enforce sanctions. As a result, when sanctions are imposed on Russia for its invasion of Ukraine, isolating it from the global financial system, the effects are immediate and crippling. This is where mixers come into play, offering a solution not only for journalists and activists seeking privacy but also for those with more nefarious intentions.
Two of the most heavily sanctioned countries in the world - North Korea and Russia - are currently exploiting mixers to evade sanctions and finance real world military spending.
North Korea, whose Lazarus Group is considered the most successful group of cyber thieves in history, was responsible for $1.7 billion USD in stolen crypto in 2022 (equivalent to one quarter of its defense budget), of which $455 million USD was funneled through Tornado Cash. It is speculated that some of this funding is used to finance nuclear weapons testing and some to fund a military-industrial complex that intelligence reports suggest is providing arms and ammunition for the Russian invasion of Ukraine.
Russia employs a mix of legal (mining operations), illegal (DeFi exchanges and marketplaces), and criminal (ransomware) activities. They used ChipMixer to launder funds from ransomware attacks and to purchase infrastructure for persistent monitoring malware, similar to that used in the United States election hack of 2016.
In 2022, following Russia’s invasion of Ukraine, the Financial Crimes Enforcement Network (or FinCEN) released an alert advising financial institutions, virtual currency exchangers and administrators to identify and report suspicious activity associated with potential Russian sanctions evasion. The alert directly identifies transfers involving mixing services as risky and warranting extra attention.
More recently, the US Treasury has noted that Russia is increasingly turning to alternative payment mechanisms, including the stablecoin Tether (USDT), which is pegged to the U.S. dollar, in an effort to circumvent western sanctions and finance its military campaigns. For example, a Russian smuggler, acting as an intermediary, facilitated the purchase of military technology from a Hong Kong-based entity on behalf of Kalashnikov Concern to develop drones for the Russian military for use in Ukraine.
As highlighted by the dates mentioned earlier, the majority of OFAC sanctions and available information focus on 2022. This emphasis is driven by two key events: the Russian invasion of Ukraine and the North Korean DeFi hacks of Axie Infinity, worth $620 million.
In response to the rising threat to their sanctions program and the national security concerns noted earlier, the Office of Foreign Assets Control (OFAC) began issuing a series of designations against crypto mixers, leading to international law enforcement actions and arrests of those responsible for developing these programs. The first-ever OFAC designation in 2022 targeted Blender.io, which appears to have rebranded itself as Sinbad.io following its shutdown.
Blender.io, a Russian-centric crypto mixer launched in 2017, was responsible for laundering over $500 million USD during its five years of activity. According to the Department of Treasury, Blender.io was sanctioned for its role in laundering $20.5 million from the Axie Infinity hack and serving as a primary laundering channel for Russian ransomware groups. Research from industry experts suggests that following the sanctioning, Blender.io reincarnated itself as Sinbad.io. The two mixers not only share similarities, but wallets identified as belonging to Blender.io moved funds directly to the new Sinbad.io.
Sinbad.io was sanctioned by OFAC within a year of launching. The Department of Treasury's investigation found that it was used to launder a significant portion of the $100 million from the Atomic Wallet hack, a large amount of virtual currency from the Axie Infinity hack, and approximately $100 million from the Horizon Bridge heist in June 2022, all of which have been attributed to the Lazarus Group of North Korea.
Sanctions have armed blockchain intelligence firms with the necessary tools to flag OFAC-sanctioned wallets and funds, aiding institutions in staying compliant with international laws. However, there's a critical loose end: accountability. While sanctions target developers, the effectiveness of these measures is questionable. For instance, the creator of Sinbad - an individual known only as "Mehdi" - remains unidentified and unarrested. Do these sanctions effectively deter criminal activities or merely delay them?
The Blender/Sinbad case provides a clear answer, but other cases complicate the narrative. Developers like Roman Sterlingov (Bitcoin Fog) and Minh Quốc Nguyễn (ChipMixer) were arrested and charged with money laundering. Their centralized mixing services operated in blatant violation of financial laws, leading to their convictions—Sterlingov in March 2024 and Nguyễn in March 2023.
The Tornado Cash case, however, raises the most significant questions about personal liability. Developers Roman Storm, Roman Semenov, and Alexey Pertsev were indicted for their roles in laundering over $455 million USD for the Lazarus Group. While Tornado Cash's role in money laundering is undeniable, its decentralized nature presents a legal quandary. The dApp runs on smart contracts without oversight of the funds' origins or destinations, suggesting developers merely wrote the code and did not directly participate in illicit activities.
This situation posits a critical legal question: Should developers be held accountable if they did not actively facilitate the laundering post-designation? Prosecutors argue that if the developers took any actions to aid the laundering after being aware of its misuse, they become accomplices. This is akin to a manufacturer knowingly releasing a self-driving car with a fatal error in its code. Despite industry outcry, the Tornado Cash case underscores that decentralized finance (DeFi) is not exempt from legal scrutiny.
Was Tornado Cash Truly Decentralized?
According to data, more than $331 million has been channeled through Tornado Cash. While Tornado Cash operated on decentralized smart contracts, the actions of its three developers suggest a more centralized approach. The developers ran Tornado Cash as a business, exerting direct influence over the user interface, website, and GitHub repository. They maintained some level of control over the contracts until 2022 and actively promoted the TORN token for personal profit. This operational model raises questions about the true decentralization of Tornado Cash.
The DOJ has presented evidence indicating that despite claiming compliance with OFAC guidance on the Tornado Cash website, the developers continued discussing ways to assist in laundering funds for illicit actors. This evidence includes messages that suggest an ongoing effort to facilitate illegal activities even after public assurances of compliance.
The core issue in the Tornado Cash indictment is not the decentralized nature of the software but the direct actions taken by the developers to engage in money laundering. According to FinCEN’s guidance, simply developing anonymizing software does not constitute a crime.
However, actively promoting, profiting from, and using these smart contracts for illicit purposes does. The indictment focuses on these actions, highlighting the distinction between creating decentralized software and actively facilitating criminal activities through its use.
Having explored the current state of the mixer landscape, the pressing question remains: how does this affect everyday compliance officers? The crypto market has seen significant declines over the past year, with the FTX scandal emblematic of its broader challenges. National security risks and consumer fraud have pushed federal regulators to scrutinize the market intensely. In particular, the crypto mixer market faces substantial regulatory attention, highlighted by FinCEN's 2023 Notice of Proposed Rulemaking, which identifies international Convertible Virtual Currency Mixing (CVC mixing) as a "primary money laundering concern."
This regulatory focus has drawn considerable attention from the media, but it's important to note that several regulatory bodies and industry associations, including FinCEN, OFAC, JMLSG, AUSTRAC, FINTRAC, and EBA, already have established rules for reporting requirements. The Financial Action Task Force (FATF), which oversees and guides international regulatory collaboration, has an entire subsection dedicated to technologies that enhance anonymity, such as peer-to-peer exchanges, mixing services, and anonymity-enhanced cryptocurrencies. These technologies, according to FATF, complicate law enforcement investigations and could indicate illicit activity.
FATF has outlined 13 red flags that could suggest illicit use of virtual assets, with six specifically overlapping with mixing services. One of these red flags includes “Virtual assets traded to or from wallets that indicated the use of mixing or tumbling services or peer-to-peer platforms.”
As a compliance officer, monitoring for red flags indicating the use of a mixing or tumbling service is challenging. Manual monitoring is impractical due to the sheer volume and lack of AML-required information available on public blockchains. Utilizing an analytics tool could help, but setting up controls to flag transactions from mixing services often results in numerous false positives or excessive SARs, overburdening staff and potentially missing actual red flags.
The solution lies in deploying advanced technology, specifically AI and Machine Learning. These technologies are more than just buzzwords; they offer substantial capabilities when implemented correctly. Merkle Science, for example, represents the next generation of risk mitigation, compliance, and forensics for crypto-native businesses, DeFi participants, financial institutions, and government agencies.
Merkle Science goes beyond standard forensic tools by integrating predictive analytics to identify patterns and behaviors that traditional controls might miss. Our transaction monitoring tool Compass features deep learning-based behavior analysis models that can detect suspicious wallet addresses before they are flagged by other providers. For instance, the engine can identify "young addresses" that transfer or receive large amounts within hours of creation but are not associated with any flagged entities.
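The "young address" pattern described above can be illustrated with a simple rule-based check. This is an added example, not Merkle Science's Compass model or code; the addresses, the 6-hour window, the USD threshold, and the use of first on-chain appearance as a stand-in for "creation" are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (ISO timestamp, sender, receiver, USD value).
TRANSFERS = [
    ("2024-01-01T00:00:00", "addr_old", "addr_a", 50),
    ("2024-03-01T10:00:00", "addr_old", "addr_young", 400_000),
    ("2024-03-01T12:30:00", "addr_young", "addr_b", 390_000),
    ("2024-03-02T09:00:00", "addr_mixer", "addr_c", 250_000),
    ("2024-03-02T09:40:00", "addr_c", "addr_old", 240_000),
    ("2024-03-03T08:00:00", "addr_old", "addr_d", 900),
    ("2024-03-20T08:00:00", "addr_old", "addr_d", 500_000),
]
# Constructed stand-in for a provider's mixer / sanctions label list.
FLAGGED = {"addr_mixer"}


def young_high_volume(transfers, flagged, window_hours=6, threshold_usd=100_000):
    """Return {address: USD volume} for addresses that move at least
    `threshold_usd` within `window_hours` of their first appearance and
    have no direct link to a flagged address (label rules catch those)."""
    rows = sorted((datetime.fromisoformat(ts), s, r, v) for ts, s, r, v in transfers)
    window = timedelta(hours=window_hours)
    first_seen = {}                    # address -> first time it appears
    early_volume = defaultdict(float)  # address -> volume inside the window
    touched_flagged = set()            # addresses with a flagged counterparty
    for ts, sender, receiver, value in rows:
        for addr, peer in ((sender, receiver), (receiver, sender)):
            first_seen.setdefault(addr, ts)
            if peer in flagged:
                touched_flagged.add(addr)
            if ts - first_seen[addr] <= window:
                early_volume[addr] += value
    return {
        addr: vol
        for addr, vol in early_volume.items()
        if vol >= threshold_usd
        and addr not in flagged
        and addr not in touched_flagged
    }


if __name__ == "__main__":
    for addr, vol in young_high_volume(TRANSFERS, FLAGGED).items():
        print(f"review: {addr} moved ${vol:,.0f} within 6h of first appearance")
```

In the sample, `addr_c` is left to the label-based rule because it received funds directly from the flagged address, while `addr_young` and `addr_b` surface only through the behavioural check.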
Reflecting on the cause, effect, response, and outcome of CVC mixers raises several questions. As geopolitical tensions escalate globally, sanctions have become a primary tool to manage conflicts. This increase in sanctions drives the desire to bypass the traditional financial regime using alternative payment solutions. Without a return to commodity-based trading systems, the crypto market continues to provide a shadow economy for those seeking to exploit its fundamental values.
As the crypto asset industry evolves rapidly, financial institutions and crypto asset service providers must adapt to meet their clients' latest needs while maintaining robust compliance programs. While regulators and the judiciary strive to target and shut down mixers that facilitate money laundering, those on the front lines must stay informed about the latest trends and protect their organizations from becoming unwitting accomplices in financial crimes. The future of mixers likely involves regulatory compliance, similar to previous regulations imposed on exchanges. Those that comply will dominate the legitimate business market.