By Jason Nelson and Reza Jafery
8 min read
Coin mixers have captured the attention of both the cryptocurrency community and regulators as the battle for privacy ramps up.
In 2021, the founder of coin mixer Bitcoin Fog was arrested on charges including money laundering and operating a money transmission business without a license. A year later, the U.S. Treasury Department issued sanctions against Tornado Cash, an Ethereum coin mixing service, effectively banning Americans from using it.
But what do coin mixers like Tornado Cash and Bitcoin Fog do—and why do people use them? In this article, we'll examine the technology behind mixers and their legitimate and illegitimate uses.
A coin mixer is a service that allows users to obfuscate the origin and destination of transactions. Users send cryptocurrency to the service, have that crypto mixed with other coins or tokens, and then send the equivalent amount of “mixed” coins to a recipient address, hiding the connection between the sender and recipient.
There are many legitimate uses for this kind of service. Just as you may not want your employer to know the intimate details of every bank or credit card transaction that you've ever made, you may also not want your employer—or anyone else, for that matter—to know every detail of every crypto transaction you've ever made either.
But as the adoption of crypto and blockchain tools grows, real-world identities are becoming increasingly linked to blockchain addresses—with every purchase, transfer, or interaction associated with those addresses laid bare on a public, transparent, distributed ledger. And that's where coin mixers come in.
However, this ability to mask the identity of wallets and obfuscate transactions makes coin mixers an attractive tool for cybercriminals, and thus a target for law enforcement.
While politicians and law enforcement have railed against the use of cryptocurrency in criminal enterprises, coin mixers occupy a gray area between facilitating money laundering and preserving the right to privacy. Because of blockchain's permissionless and transparent nature, some crypto users rely on the added privacy that coin mixers provide.
Privacy advocates argue that coin mixers are especially useful, even necessary, in cases where a person's activities—like journalism, civil disobedience, and protest—can put that person at risk. Because of this, they require greater privacy in their crypto transactions.
On the other hand, law enforcement and government agencies see coin mixers as a way for criminals to launder money using cryptocurrency, and services like Tornado Cash as a means of obscuring where the funds originated.
In its announcement of the sanctions against Tornado Cash, the Treasury Department said that criminals had used Tornado Cash to launder money, saying the service processed more than $7 billion worth of virtual currency since its creation in 2019. According to blockchain analytics firm Elliptic, around $1.5 billion of that figure was connected to illicit activity.
Among those illicit funds, the Treasury said, were a combined $103.8 million stolen from crypto bridging services by Lazarus Group, a state-sponsored North Korean cybercriminal group.
Before Tornado Cash was taken down, it used smart contracts to accept token deposits from one address and enable their withdrawal from a different address.
Other coin mixers operate in a similar way, with smart contracts that work as a pool where all the deposited tokens get mixed together. When funds are withdrawn from those pools, the on-chain link between the source and the destination is broken, anonymizing the transaction.
These kinds of coin mixers are typically non-custodial, meaning there is no third-party control of the wallet and funds, simply the creation of the smart contracts.
Because these services use no intermediary, they are reliably neutral—but that also means they can be a tempting tool for cybercriminals looking to launder stolen crypto, as in the case of Larazus Group.
Let’s say there’s a business owner and crypto enthusiast named Robert who wants to send Ethereum to a hacktivist group operating out of Ukraine. Robert doesn't want his donation to be traced back to him, so he uses a coin mixer.
Robert goes to the coin mixer website and deposits the Ethereum he wants to donate. The sent amount is deposited into the mixer's smart contract and pooled with the other hundred, thousands, or even millions of transactions already in its pool. After receiving confirmation that the deposit was successful, Robert goes to the withdraw tab, enters the recipient's address into the mixer, and sends the Ethereum from the mixer.
The Ethereum is then sent from the mixing to the recipient. On the receiving end, the address shown is that of the mixer and not the original sender’s address, anonymizing the transaction.
If this hypothetical scenario sounds familiar, it's based on a tweet from Ethereum co-founder Vitalik Buterin, posted after the Treasury Department sanctioned Tornado Cash.
The debate over crypto privacy continues to rage, despite the series of legal cases and sanctions against coin mixers. More recent projects like Railgun aim to give users on-chain privacy, but also ensure that they remain compliant in the eyes of the law.
Railgun is not a traditional mixer; it doesn’t mix coins from multiple sources together, and its founders believe it avoids the pitfalls that ultimately led to mixers getting sanctioned or sued.
It also utilizes “Private Proof of Innocence” to ensure bad actors cannot use the platform for illicit purposes. For example, on July 11, 2024, a notorious crypto drainer known as Inferno Drainer attempted to use Railgun to launder 174 ETH. However, Railgun identified that the wallet was tied to a bad actor and blocked the transactions.
Whether crypto privacy projects' efforts to create legally compliant mixing services will mollify lawmakers is open to debate. One thing's for certain, though—privacy advocates will continue to fight to ensure that crypto isn't a panopticon.
As Lia Holland, Campaigns & Communications Director at Fight for the Future, wrote in 2022: “Let us be clear, hackers and cybercriminals, as well as those that support them, are deplorable and should be stopped—but not in a way that compromises human rights and the first amendment.”
This article was first written in August 2022 and updated in July 2024.
Decrypt-a-cookie
This website or its third-party tools use cookies. Cookie policy By clicking the accept button, you agree to the use of cookies.