Cryptocurrency mixing involves pooling or coordinating user deposits—either through custodial or decentralized protocols—to obscure the on-chain link between illicit funds and their destination. Criminals are increasingly aware that public blockchains are only pseudo-anonymous, and leverage mixing to further mask their activity by blending tainted proceeds with legitimate flows, confounding straightforward tracing. Some mixers, particularly those built on CoinJoin-like mechanisms, shuffle multiple inputs and outputs in a single transaction, making it difficult to map any deposit directly to a given withdrawal. Criminals frequently combine mixing with other layering techniques, adding another layer of anonymity that impedes any single tracing approach. Law enforcement takedowns underscore the scale of these platforms—for example, the 2020 seizure of Bestmixer.io revealed over 25,000 bitcoins allegedly laundered in just one year. Non-compliant mixers such as Tornado Cash have similarly been used by North Korean cybercriminals to launder stolen assets at massive scale. Academic assessments also indicate that despite broad recognition of their illicit applications, mixers continue to be exploited to capitalize on remaining regulatory gaps and mask end-to-end transaction paths.
Cryptocurrency Mixing
Cryptocurrency Mixer
Mixer
Tumbling
Tumbler
Mixing Service
Mixing and Tumbling Services
Crypto Tumblers
Mixing Services
Cryptocurrency Tumbling
Tactics
Criminals use mixers to blend illicit funds with legitimate deposits in pooled or decentralized protocols, explicitly severing the on-chain trail between the source and destination. This tactic distances the illicit proceeds from their origin, exemplifying a core layering strategy.
Risks
Criminals exploit the inherent anonymity features of mixing services by pooling user deposits and obfuscating on-chain transaction links. By blending tainted funds with legitimate flows, mixers circumvent standard AML controls, making it extremely difficult to trace or differentiate illicit proceeds from innocent user activity. This technique directly leverages the product’s core functionality—anonymity and commingling—to defeat routine compliance checks, thereby posing a primary vulnerability.
Offenders intentionally select or develop mixer platforms in jurisdictions with minimal or non-existent AML oversight or exploit decentralized protocols beyond the reach of traditional regulation. This tactic leverages uneven enforcement across borders and capitalizes on regulatory gaps to avoid scrutiny, complicating international cooperation and investigation.
Indicators
Transactions to or from addresses publicly identified as belonging to mixing services.
Consistent usage of anonymity-enhanced cryptocurrencies or privacy-focused features by a customer.
Multiple deposits from diverse cryptocurrency wallets converging into a single address or pool, consistent with typical mixer consolidation patterns.
Rapid consolidation of funds from multiple addresses, followed by immediate dispersal to new addresses, obscuring links between original sources and final recipients.
Transaction chains with repeated splitting and merging of funds in short intervals, consistent with layering via mixing techniques.
Unusually structured deposits and withdrawals (e.g., repeated identical amounts), consistent with typical mixing transaction patterns.
Transactions initiated through privacy wallets employing built-in mixing or anonymizing features (e.g., CoinJoin).
High volumes of inbound or outbound transactions from addresses associated with mixing services.
Customer accounts frequently transacting with known mixer addresses.
Frequent usage of mixing services by a customer with no prior history of such activity, deviating from their normal transaction profile.
Customer profiles lacking a verifiable source of funds while regularly interacting with mixing service platforms.
Transactions with custodial mixing services known to have minimal KYC requirements, hindering ownership traceability.
Frequent mixing transactions within short intervals, consistent with orchestrated layering of funds.
Use of addresses flagged as belonging to high-risk mixing services in multiple related transactions.
Transaction flows routed through mixing platforms spanning multiple jurisdictions, complicating compliance and traceability.
Frequent creation of one-time-use addresses specifically for mixing deposits or withdrawals, limiting any traceable transaction history.
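Three of the indicators above (deposits from many wallets converging on one address, rapid consolidation followed by dispersal, and repeated identical amounts) can be checked directly against a transfer log. The following is an added example, not part of the original entry; the record layout, address labels, thresholds and function names are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample transfers: (unix_time, sender, receiver, amount).
# Address labels are placeholders, not real wallets.
TRANSFERS = [
    (1000, "w1", "pool", 0.5),
    (1060, "w2", "pool", 0.5),
    (1120, "w3", "pool", 0.5),
    (1180, "w4", "pool", 0.5),
    (1300, "pool", "n1", 0.66),
    (1330, "pool", "n2", 0.66),
    (1360, "pool", "n3", 0.66),
    (5000, "shop", "alice", 0.12),
    (90000, "alice", "bob", 0.05),
]

def flag_address(transfers, addr, window=3600, min_peers=3):
    """Return the set of mixer-style pattern flags raised by `addr`."""
    ins = [(t, s, a) for t, s, r, a in transfers if r == addr]
    outs = [(t, r, a) for t, s, r, a in transfers if s == addr]
    flags = set()
    # Fan-in: deposits from many distinct wallets converge on one address.
    senders = {s for _, s, _ in ins}
    if len(senders) >= min_peers:
        flags.add("fan_in")
    # Rapid dispersal: after a fan-in, payouts within `window` seconds of the
    # last deposit go to many addresses that never funded the pool.
    if "fan_in" in flags and outs:
        last_in = max(t for t, _, _ in ins)
        quick = {r for t, r, _ in outs if 0 <= t - last_in <= window}
        if len(quick - senders) >= min_peers:
            flags.add("rapid_dispersal")
    # Structured amounts: the same value repeated across transfers.
    amounts = Counter(round(a, 8) for _, _, a in ins + outs)
    if amounts and amounts.most_common(1)[0][1] >= min_peers:
        flags.add("identical_amounts")
    return flags

def scan(transfers, **kwargs):
    """Map every address that raises at least one flag to its flags."""
    addrs = {x for _, s, r, _ in transfers for x in (s, r)}
    hits = {a: flag_address(transfers, a, **kwargs) for a in addrs}
    return {a: f for a, f in hits.items() if f}

if __name__ == "__main__":
    for addr, flags in sorted(scan(TRANSFERS).items()):
        print(addr, sorted(flags))
```

These flags are triage signals to combine with the customer-profile indicators, since exchanges and payment processors produce similar fan-in patterns for legitimate reasons.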
Data Sources
Capture comprehensive financial movements, including deposit and withdrawal records, timestamps, amounts, and counterparties, across banking and cryptocurrency channels. For cryptocurrency mixing, these logs reveal repeated or structured flows to and from high-risk wallets, sudden spikes in outbound transfers, and deviations from a customer’s typical transaction profile indicative of layering or concealment.
Contains detailed logs of digital asset transactions, including amounts, timestamps, and wallet addresses, along with related customer information. This data helps identify interactions with non-compliant mixers or addresses flagged for mixer involvement, monitor KYC gaps, and trace high-volume or repetitive transactions associated with layering via mixing platforms.
Stores verified customer identities, beneficial ownership data, and detailed account transaction histories. Investigators can correlate suspicious on-chain mixer usage with specific customer profiles, identify undisclosed sources of funds, and detect significant deviations from a customer's stated transaction patterns.
Mitigations
For customers whose activity indicates possible interaction with mixers—such as withdrawals or deposits from addresses flagged by blockchain analytics—require in-depth verification of the source of funds, additional identity checks, and documented justification for using any anonymity-focused service. By applying stricter scrutiny and revalidating beneficial ownership, institutions reduce the chance of unknowingly processing layered illicit funds.
Implement robust transaction monitoring systems that can identify mixing activity through integration with blockchain analysis tools:
- Use blockchain analytics tools to identify transactions involving mixers and privacy wallets.
- Identify patterns of transactions associated with mixers, such as the use of CoinJoin or other mixing protocols.
- Identify transactions originating from "tainted" sources, such as blacklisted addresses.
- Analyze transaction graph data structures.
- Analyze transaction patterns for laundering activities.
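Tracing funds from "tainted" sources through the transaction graph can be sketched with a proportional ("haircut") taint model, in which each outgoing transfer carries the sender's current tainted share. The following is an added example, not part of the original entry; the haircut model is one common choice among several, and the labels, threshold and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample, in chronological order: (sender, receiver, amount).
# All labels are placeholders; FLAGGED stands in for an analytics blacklist.
FLAGGED = {"mixer_hot"}
TRANSFERS = [
    ("salary", "cust_a", 3.0),
    ("mixer_hot", "hop1", 2.0),
    ("clean_x", "hop1", 2.0),
    ("hop1", "cust_b", 1.0),
    ("hop1", "hop2", 3.0),
    ("hop2", "cust_c", 3.0),
]

def haircut_exposure(transfers, flagged):
    """Return {address: tainted fraction of everything it received}."""
    balance = defaultdict(float)   # coins currently held
    tainted = defaultdict(float)   # portion of the balance that is tainted
    received = defaultdict(float)
    received_tainted = defaultdict(float)
    for sender, receiver, amount in transfers:
        if sender in flagged:
            share = 1.0                      # blacklisted source: fully tainted
        elif balance[sender] > 0:
            share = tainted[sender] / balance[sender]
            spent = min(amount, balance[sender])
            balance[sender] -= spent
            tainted[sender] -= spent * share
        else:
            share = 0.0                      # untracked source, assumed clean
        balance[receiver] += amount
        tainted[receiver] += amount * share
        received[receiver] += amount
        received_tainted[receiver] += amount * share
    return {a: received_tainted[a] / received[a] for a in received}

def needs_enhanced_review(exposure, address, threshold=0.25):
    """Assumed policy: escalate when tainted share meets the threshold."""
    return exposure.get(address, 0.0) >= threshold

if __name__ == "__main__":
    exp = haircut_exposure(TRANSFERS, FLAGGED)
    for cust in ("cust_a", "cust_b", "cust_c"):
        print(cust, round(exp[cust], 2), needs_enhanced_review(exp, cust))
```

In the sample, cust_c never touches the flagged address directly but still inherits a 50% exposure through two intermediate hops, which a direct-counterparty check would miss.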
Restrict or block transactions to and from addresses identified as operating or heavily engaged with unlicensed mixing services. Require elevated approval for inbound and outbound flows linked to mixers, ensuring customers justify their usage of anonymity-focused protocols. By actively limiting these high-risk movements, institutions disrupt layering attempts through non-compliant mixers.
Instruments
- Privacy coins (e.g., Monero, Zcash) incorporate stealth addresses, ring signatures, or zero-knowledge proofs, which mask transactions on-chain.
- Criminals exploit mixers that support these coins, compounding the anonymity provided by both the coin’s built-in privacy features and the mixer’s pooling of deposits, thereby making forensic tracing significantly more difficult.
- Some mixers and decentralized protocols accept stablecoins (e.g., USDT, USDC), allowing criminals to maintain a stable value when layering illicit funds.
- By converting illicit proceeds into stablecoins and then depositing them into mixers, they sever straightforward transaction histories, reemerging with assets that no longer appear linked to the original addresses.
- Criminals send or route funds in widely used public cryptocurrencies (e.g., Bitcoin, Ethereum) to mixers that merge multiple user inputs into pooled transactions, obscuring connections between incoming and outgoing addresses.
- Once redistributed by the mixing service, the path from the original (tainted) addresses to the final (clean) outputs is effectively broken, hindering straightforward blockchain analytics.
- This layering process allows criminals to reintroduce illicit proceeds into exchanges or other platforms without clear links to the original unlawful activity.
- Criminals use wrapped tokens (e.g., WBTC on Ethereum) to bridge assets between blockchains, enabling them to leverage mixers on chains that do not directly support the original cryptocurrency.
- This multi-layer approach obscures the trail across different protocols and networks, making it more challenging for investigators to trace the end-to-end path of the funds.
Service & Products
- Criminals leverage DeFi protocols (e.g., Tornado Cash) for decentralized mixing, obscuring the source of funds.
- Liquidity pools and lending platforms allow layered transactions with little oversight, compounding anonymity.
- Criminals engage in trades directly with counterparties, often with minimal identity verification, merging illicit funds with legitimate user activity.
- The direct user-to-user model conceals the original source of funds, making it difficult to isolate tainted transactions.
- Enables near-instant conversions between multiple cryptocurrencies, severing straightforward transactional links.
- Criminals can rapidly rotate assets before or after mixing, defeating basic chain analytics.
- Moves illicit funds between different blockchains, complicating single-chain investigative efforts.
- When combined with mixing, bridging extends layering across multiple chains, further frustrating law enforcement tracing.
Actors
Cybercriminals, including those linked to North Korea, exploit mixing services to launder stolen or illicitly obtained cryptocurrency. They:
- Combine mixing with other layering techniques, complicating chain analytics and regulatory scrutiny.
- Use decentralized or custodial mixers (e.g., Tornado Cash) to conceal transaction trails, making it difficult for financial institutions to trace the origin of funds.
Virtual asset service providers, including exchanges or custodial wallet platforms, are exploited in cryptocurrency mixing by:
- Allowing criminals to deposit, withdraw, or transfer funds that have passed through mixers, obscuring the transaction trail.
- Operating with potentially limited KYC or AML checks, enabling illicit actors to layer funds through multiple wallets or accounts.
References
Lam, K. Y., Chan, B.H., Hartel, P., van Staalduinen, M. (2020, June). Combatting cyber-enabled financial crimes in the era of virtual asset and darknet service providers. INTERPOL. http://www.interpol.int
OECD. (2021). Fighting tax crime – The ten global principles, second edition. OECD Publishing. https://doi.org/10.1787/006a6512-en
O'Neill, A. (2024). Upholding North Korea Sanctions in the Age of Decentralised Finance. Royal United Services Institute for Defence and Security Studies. https://static.rusi.org/north-korea-sanctions-and-cryptomixers-op-march-2024.pdf
Kenneth, S. (2023). The Satoshi Laundromat: A Review on the Money Laundering Open Door of Bitcoin Mixers. Journal of Financial Crime, Vol. 31 No. 2, pp. 416-426, 2024. DOI: 10.1108/JFC-11-2022-0269. Available at SSRN: https://ssrn.com/abstract=4281625 or http://dx.doi.org/10.2139/ssrn.4281625
Hayes, A. (2024). CoinJoin: What It Is, How It Works, and Privacy Considerations. Investopedia. https://www.investopedia.com/terms/c/coinjoin.asp