For years, the illegal mixing service Cryptomixer helped hackers and traffickers stay anonymous by scrambling transactions of digital assets. That digital laundromat just got raided.
The raid occurred in Zurich, Switzerland, between November 24 and 28. A collaboration of authorities from Switzerland, Germany, and Europol took the service down. They confiscated three servers and impounded the “cryptomixer.io” domain, seizing €25 million worth of BTC and more than 12 terabytes (TB) of data.
How Cryptomixer worked
Bad actors use mixers to conceal stolen funds, then funnel the ‘cleaned’ assets into legitimate exchanges. From there, they can trade Bitcoin for other cryptocurrencies or cash it out via ATMs or bank accounts.
Cryptomixer operated as a hybrid service. One could access it through both the regular internet and the dark web. This flexibility made it incredibly popular with criminals. The service particularly served underground economy forums, ransomware groups, as well as dark web bazaars.
When bad actors earn money via drug deals or ransomware attacks, the blockchain keeps a record of the trail. All transactions are recorded, so tracing them is possible. Cryptomixer’s software blocked this traceability. It mixed and shuffled funds around until the original source became nearly impossible to identify.
This made it the go-to platform for cybercriminals laundering illegal proceeds. Drug trafficking, weapons sales, ransomware attacks, payment card fraud—all of it flowed through Cryptomixer at some point. The scale is staggering. Since its creation in 2016, over €1.3 billion (approximately $1.4 billion USD) in Bitcoin has passed through the service.
A pattern of international takedowns
This is not Europol’s first rodeo with virtual asset mixers. In March 2023, a similar mixing service, ChipMixer, caught the interest of authorities. German and US authorities joined forces on the investigation, with support from Belgium, Switzerland, Poland, and Europol.
The ChipMixer operation was similarly successful. This crackdown is part of a broader, intensifying global campaign against the financial plumbing of the dark web. In October this year, a coordinated international effort led to the dismantling of a major dark web crypto hub by the AFM (Kazakhstan’s Financial Monitoring Agency). That highlighted the systematic targeting of these critical criminal services.
This time around, law enforcement took down the entire infrastructure and seized four servers. They impounded up to 7 terabytes of data and seized 1909.4 BTC, worth approximately $47.3 million at the time, across 55 different transactions.
Following the crackdown on Cryptomixer, law enforcement put up a “seizure banner” on the web page, sending a clear notice to anyone attempting to access the service. At the same time, it serves as a warning to other operators within this sector.
Taking down Cryptomixer deals a huge blow to the infrastructure of cybercrime. A key hideout for bad actors like ransomware groups is lost. Extorting money may become a hassle. For dark web bazaars, it’s the loss of a “sure-plug” laundering channel. On the other hand, authorities retrieved 12 TB of data. In the long run, this could lead to multiple further investigations, given the content of the data.
These international operations show that, dark web or not, anonymity has loopholes. Working together, authorities can fish out, track, and take down these services irrespective of their operational jurisdiction. This strategy is being applied consistently, as seen in the 2024 takedown of the Safe-Inet VPN service by Europol and the FBI, which removed another key tool from the cybercriminal toolkit.