BITCOIN MIXING: A Survey & Short Guide on How to trace Malicious Transactions

Rakesh Krishnan
Nov 2, 2021


NOTE: This article sheds light on different Bitcoin Mixers/Tumblers available on the Dark Web and the Surface Web, and on a few techniques to uncover malicious transactions passing through Bitcoin Mixers. The methods used in this article are only for Educational Purposes!

Cyber criminals often outsmart each other for financial gain, even though their common target is the end user holding crypto or the exchanges (in our case study). Victims tend to assume that criminals act together to extort their money; underground, however, things are (at times) different. Extorted or hacked money often takes a wrong turn away from the criminals while being channelled underground.

Image: Attackers often battle underground (source: Final Battle of Lucifer, JTBCapital.com)

INTRODUCTION

Cryptocurrency Mixers or Tumblers/Blenders are used to mix tainted or identifiable crypto transactions with other legitimate transactions/coins. In this way the transactions/coins are shielded and become hard to identify on the blockchain (though they can still be traced). Such services are often used in criminal scenarios such as:-

1. Wallet Theft/Hacks
2. Dark Web Vendorship
3. Ransomware Payments
4. Offensive Purchases such as Banned Drugs/Weapons/Services
5. Child Pornographic Contents
6. Digital Extortion
7. Stealthy Cryptomining
8. Malicious Use of Mixers by FBI/Other Officials

NOTE: These are often classified under Money Laundering. Apart from the above-listed malicious vectors, there are many more dark areas that are still untapped.

A Typical CoinMixer transaction looks like this

In general, the output transactions from Mixers are clean and are not tainted with other malicious transactions.

Let’s peep into various Bitcoin Tumbling Services.

BITCOIN MIXING: DARKWEB

Though many of the services that appear on the DarkWeb are scams, a few mixing services slowly gain traction and show a fair amount of activity. Some of them are:-

WALLET777

wallet7mmisg6is5qmtywgrum6frljwroev243qygj5exj7p5gb427ad.onion

This is a Bitcoin mixer that popped up on the DarkWeb and offers to launder Bitcoin for a nominal fee. The first (criminal) transaction making use of this service was tracked to May 23, 2021, and the final one was made on September 7, 2021.

The actor uses the Bitcoin wallet 37sJ3CEfGnUnDsG5vcTkU38A11icbMgxsv as the public-facing address and forwards the entire amount (currently ~$46K) to bc1qc2nmepkeet67swwja5xwsyvl5rga3w903frf90, which can be considered a cold wallet (no funds are moving out of it ATTOW).

Another interesting fact while dissecting the Bitcoin transactions here is:- one of the incoming transactions to the public-facing wallet, worth $55, came from the high-balance wallet 1E42NE8dRXp69s55BebPqXNTHsGGHmZ9eg on 22nd June 2021.

Wallet Information

As you can see from the above image, the wallet has been active since November 2020 and has seen hefty transactions. The balance left in the account (34 BTC) is a clear indication that this could be a mixing-service wallet or one belonging to another malicious service offered on the Dark Web.

NOTE: Generally, high-balance wallets belong to Bitcoin exchanges and may have existed for more than 2 to 3 years. Here, the address is relatively new and has also appeared on other blacklisted services, which underlines that this wallet exists for malicious intents.
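The checks applied above (activity window, balance, whether anything ever moves out, and following the trail from the public-facing wallet to where the funds come to rest) as an added example, not code from the post; the transactions and addresses are constructed placeholders:

```python
from collections import defaultdict, deque
from datetime import date
# Constructed sample, placeholder addresses (not the post's): (txid, date, from, to, BTC)
SAMPLE_TXS = [
    ("tx1", date(2021, 5, 23), "VICTIM_A", "PUBLIC_WALLET", 0.0200),
    ("tx2", date(2021, 6, 22), "HIGH_BALANCE_WALLET", "PUBLIC_WALLET", 0.0015),
    ("tx3", date(2021, 7, 1), "PUBLIC_WALLET", "COLD_WALLET", 0.0215),
    ("tx4", date(2021, 9, 7), "VICTIM_B", "PUBLIC_WALLET", 0.5000),
    ("tx5", date(2021, 9, 8), "PUBLIC_WALLET", "COLD_WALLET", 0.5000),
]

def profile(txs, addr, sweep_ratio=0.95):
    """Activity window, flows, balance and a role guess for one address."""
    p = {"first_seen": None, "last_seen": None, "n_in": 0, "n_out": 0,
         "received": 0.0, "sent": 0.0, "sweeps": 0}
    balance = 0.0
    for _, day, src, dst, btc in sorted(txs, key=lambda t: t[1]):
        if addr not in (src, dst):
            continue
        p["first_seen"] = p["first_seen"] or day
        p["last_seen"] = day
        if dst == addr:
            p["n_in"] += 1
            p["received"] += btc
            balance += btc
        else:
            p["n_out"] += 1
            p["sent"] += btc
            # a spend that empties (almost) the whole balance is a sweep
            if balance > 0 and btc >= sweep_ratio * balance:
                p["sweeps"] += 1
            balance -= btc
    p["balance"] = round(balance, 8)
    # cold: receive-only; pass-through: every spend forwards the full balance
    p["role"] = ("cold" if p["n_in"] and not p["n_out"]
                 else "pass-through" if p["n_out"] == p["sweeps"] > 0
                 else "mixed")
    return p

def sinks(txs, start):
    """Follow outgoing edges from start; return reachable receive-only addresses."""
    out_edges = defaultdict(set)
    for _, _, src, dst, _ in txs:
        out_edges[src].add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in out_edges[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return sorted(a for a in seen if a != start and not out_edges[a])
```

With real data the tuples would be filled from a block explorer's transaction listing for the address; the sweep heuristic is what singles out a public-facing wallet that forwards everything to a cold wallet.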

DIAMOND MIXER

jaslzi3nsom7amtlzb575turfv2tytgv2v7j3ywgg5vso5citxmbwdid.onion

This is a Dark Web service that has been active since March 2021: the mixer's first transaction dates back to March 15, 2021, and the last transaction maps to October 21, 2021 (ATTOW). Their Bitcoin address is: 1C6UuHQ3Fyojz6dvYAXY9gaTUVwyqHkRLn

BITCOIN WASH

btcwashs2wsnwwwehvzphzeygyvkyaj5t4mkj7fpc3huya5tumsk3zid.onion

Another similar site that offers Bitcoin Laundry is Bitcoin Wash. It can be assumed that the service has been active on the Dark Web since August 2021.

So far, the public-facing wallet (3EChe92f3et9rapJxGBNPf2HmqPFiaP5i) has received about $1,100. The interesting fact to note here is that the wallet holders dump all the earnings to a cold wallet, bc1qc2nmepkeet67swwja5xwsyvl5rga3w903frf90 (the same cold wallet seen for WALLET777 above), which has been active since September 2021 and has seen only a single incoming transaction, leaving a balance of $45,700+.

BITCOIN TUMBLERS: SURFACE WEB

bitcoin-mixer24.com

Home Page

As per the domain WHOIS record, this service has been active since June 2021 and has collected about $1000 so far in its public-facing wallet 36ggGq6M6smmUzmaRudDYtExSbpEXEi7eQ. Following the Bitcoin trail, the defrauded amount is found to be kept in two cold wallets, bc1qt9qgkhqt6l4djctwm8x4jcwmrq34ucfdmmzqh2 ($151,387) and bc1qj6x3vq5pqwrc8k25p5x7emzs0lwu3h5p0lzy6q ($29,324), both alive since October 24, 2021.

bestmixer.mx

Landing Page

This service has been up for more than a year (since June 2020, to be precise) and is among the leading Bitcoin mixers: its ranking is decent and it has not ended up on the SCAM list (till now).

In each session, new wallet addresses are generated (at the time of mixing). Following are a few addresses captured with different parameters:-


While untangling a few transactions, I found the following pattern for this mixer:-

Transaction Analysis

From the above image, it is clear that 244 addresses (in total) were created to tumble bitcoins, of which 107 addresses were newly created and 56% of addresses were reused across mixes for 17 input addresses, in order to mask the real Bitcoin wallets.

Another notable thing I found is:- Bitcoin mixers make use of trading platforms in order to tumble bitcoins. One such platform uncovered during this transaction digging was Sky Crypto Trading. This mixer service uses Sky Crypto Trading as one of its channels to mix tainted bitcoins.

NOTE: It is not certain whether the mixer uses the same hosts or changes its mixing channels regularly for tainted transactions. The above scenario was observed while digging through transactions.

There are many mixer sites available on the Surface/Dark Web, and many SCAM sites are operational as well. Moving forward, we are going to uncover a Bitcoin mixing SCAM that has been operational for more than a year without getting busted.

Active BTC Mixing Scam EXPOSED!

While investigating various Bitcoin Mixing/Tumbling Services, I came across 2 sites whose Registration Details and Bitcoin Wallets are the same. The sites were:-

bitmix.online
anonymix.org

This is a proven scam run by the same group that runs Anonymix, as their Bitcoin address is the same, i.e. 1HtV8k2Pj4y5bRR1NbjF2uEq8DZjJF2pJk, which has seen about 37 BTC (incoming tx). As per the blockchain details, the wallet has been active since October 2, 2020, and the final transaction occurred on October 25, 2021 (ATTOW).

Wallet Information

With only these 2 websites (which are not highly ranked in the Google search index), it was hard to see how transactions were actively coming in on such a large scale. To solve the mystery, I delved into the public-facing wallet ID and found the following 34 websites (maybe more)!

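The address-reuse count from the bestmixer transaction analysis and the linking of many scam sites through one shared deposit address are the same clustering problem: anything that shares an address with something else can be tied to it. An added example (not the author's code) over constructed sessions, sites and placeholder addresses:

```python
from collections import defaultdict

# Constructed observations (placeholder names and addresses, not those in the post):
# label -> set of addresses seen for that label.
MIXER_SESSIONS = {            # one mixing session each, as in the bestmixer analysis
    "session1": {"addrA", "addrB", "addrC"},
    "session2": {"addrC", "addrD"},
    "session3": {"addrE", "addrF"},
    "session4": {"addrD", "addrG", "addrA"},
}
MIXER_SITES = {               # mixer websites and the deposit address each one shows
    "bitmix.example": {"DEPOSIT_1"},
    "anonymix.example": {"DEPOSIT_1"},
    "cleanmixer.example": {"DEPOSIT_2"},
}

def reuse_stats(observations):
    """Count addresses seen in exactly one observation (fresh) vs several (reused)."""
    seen = defaultdict(int)
    for addrs in observations.values():
        for a in addrs:
            seen[a] += 1
    total = len(seen)
    reused = sum(1 for n in seen.values() if n > 1)
    return {"total": total, "fresh": total - reused, "reused": reused,
            "reuse_pct": round(100.0 * reused / total, 1) if total else 0.0}

def cluster_by_shared_address(observations):
    """Union-find: labels that share any address end up in one cluster."""
    parent = {label: label for label in observations}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    owner = {}  # address -> first label that used it
    for label, addrs in observations.items():
        for a in addrs:
            if a in owner:
                parent[find(label)] = find(owner[a])
            else:
                owner[a] = label
    clusters = defaultdict(set)
    for label in observations:
        clusters[find(label)].add(label)
    return sorted(sorted(c) for c in clusters.values())
```

Run over the sessions it reports how much of the mixer's address pool is reused (the figure the analysis above puts at 56%); run over the sites it groups every domain paying into one deposit address into a single scam cluster.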

Yes, scammers have set up various fake Bitcoin mixer sites using keywords such as “mixer”, “blender”, “anonymix”, “bitmixer” etc., spread across the internet in order to reap maximum profit from the criminals!

This is an active scam dating back 1 year, and it is thriving at a growing pace.

The Fun Fact is: Criminals who rely on such services get defrauded by the Scammers.

OTHER WAYS OF BITCOIN MIXING

1. Criminals often use easy options such as Bitcoin Mixers/Tumblers to get rid of tainted transactions.
2. They make use of various other crypto projects such as DeFi tokens in order to swap Bitcoins.
3. DeFi tokens such as RenBTC, WBTC (Wrapped), tBTC (Trustless) etc. are used to swap tainted coins. Ragnarok ransomware operators have used the RenBTC service to cover their trail.
4. Uniswap tokens (built on ERC20) are also a viable option for criminals to mask their transactions.
5. Tainted coins are traded on shady Bitcoin exchanges by the attackers.

It is also possible that funds sent to a mixer come back to the end user carrying tainted coins from another hack or malicious event (if the mixer service is unreliable).


NOTE:- The article is purely individual research and is not to be used/published anywhere without the Author’s consent.
