
When an attacker manages to monetize a theft, whether it’s ransomware, SIM swapping, phishing, or malware that drains wallets and browser‑saved passwords, the real challenge isn’t cashing out. The critical point is something else entirely: breaking, as quickly as possible, the link between the address that received the stolen funds and the address that will one day attempt to convert them into real money.

It sounds simple, but it’s not. Blockchains are public and permanent ledgers, and every transaction tells a story that analysts can reconstruct over time with the right tools. This is where mixers come into play, services designed to make the relationship between input and output fragile, if not purely probabilistic.

Government agencies have identified them as a strategic choke point in the criminal economy: not because mixers “create” illicit money, but because they make its origin harder to prove and make it easier to reach the final step, turning it into spendable value.


But what is a mixer, really?

Stripped of labels, a mixer is a service that takes cryptocurrencies as input, blends them in a large pool together with coins from other users, and then returns funds that, at least in theory, cannot be linked to the original ones.

There isn’t just one model. In fact, the ecosystem splits into two major families with opposite philosophies.

Custodial Mixers: trust the operator (at your own risk)

These are the oldest and, paradoxically, still the most widely used by less sophisticated criminals. They work simply: you send funds to the service, it mixes them in a common pool, and it returns the “cleaned” cryptocurrency to one or more addresses previously indicated.

The problem is obvious: you must trust the operator. If the infrastructure is seized, or if someone stores logs they shouldn’t, the promised “privacy” can collapse in minutes.

Non‑Custodial Mixers: privacy becomes a protocol

This second category was created to eliminate the trust dynamic. There is no central operator: everything is governed by smart contracts and cryptography.

The user deposits funds by leaving a cryptographic commitment (a kind of pledge written on‑chain), and later withdraws them by proving, via a cryptographic proof, that they have the right to spend them, without revealing which specific deposit they are withdrawing.

Technically, it’s very elegant, but it’s not magic: correlation risks remain, operational mistakes happen, and the real choke points are still the regulated exits like exchanges and brokers.


How obfuscation really works

Mixers don’t erase traces; they change the shape of the transaction graph.
Instead of a linear chain A → B → C, they create a mesh in which the connection between inputs and outputs becomes probabilistic and never fully certain.

The core of obfuscation relies on four concepts:

  • Pooling: all funds enter a single pool and exit with variable timing and amounts.
  • Fragmentation: inputs and outputs never match clearly; standardized denominations often add more confusion.
  • Delays and batching: funds are returned hours or days later, often in multiple tranches.
  • CoinJoin (for Bitcoin): multiple users jointly create a transaction with many inputs and outputs, making attribution extremely difficult.

In the most advanced systems, zero‑knowledge proofs (ZK) allow users to prove withdrawal rights without revealing anything about the linked deposit. It’s a major advancement, but not perfect: metadata, timing, human errors, and recurring criminal behavior still leak information.


Why criminals use mixers

From real‑world cases, one thing is clear: nobody uses a mixer to become invisible. The goal is far more pragmatic: to create uncertainty:

  • uncertainty about the link between stolen and reintroduced funds,
  • uncertainty about timing,
  • uncertainty about the amount to freeze during a seizure.

It’s a pipeline, not a single step: on‑chain obfuscation, chain‑hopping through swaps or bridges, fragmentation across dozens of addresses, final recomposition, and then, when the perceived risk drops, the exit through exchanges, OTC brokers, payment services, or financial mules.

The mixer is just one segment, the part that breaks the most compromising link: the one between the theft address and the cash‑out address.


How the trail can still be reconstructed

Blockchain analysts repeat it often: “mixer = invisibility” is marketing.
Investigations still work, but they take a different shape.

They no longer rely on deterministic certainty, but on probabilistic attributions built from a mosaic of clues: address clustering, consolidation patterns, suspicious re‑aggregation, timing windows, intelligence on recurring wallets, and, most importantly, observing cash‑out points where cryptocurrency meets regulation, controls, and real identities.
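As an added illustration of the probabilistic reconstruction described here, and of why the fragmentation and delay tricks listed under "How obfuscation really works" leak information, the following Python script (example code written for this page, not tooling from the article or from CYBEROO) links deposits into a custodial pool to later payouts using two of the clues named above: common‑input‑ownership address clustering and amount‑minus‑fee matching inside a timing window. All deposits, payouts, addresses and the fee band are constructed sample values.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not real chain data): deposits into a custodial
# pool, payouts leaving it, and later transactions that co-spend payout addresses.
DEPOSITS = [("d1", 10.0, 100), ("d2", 5.0, 110)]          # (txid, amount, timestamp)
WITHDRAWALS = [("x1", 4.9, 300), ("x2", 2.0, 420),         # (address, amount, timestamp)
               ("y1", 4.85, 420), ("x3", 2.9, 500)]
COSPENDS = [["x1", "x2", "x3"]]                             # inputs spent together in one tx

def cluster_addresses(cospends):
    """Common-input-ownership heuristic: addresses spent together as inputs of one
    transaction are assumed to share an owner. Returns addr -> cluster root."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for addrs in cospends:
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    return {a: find(a) for a in parent}

def link_deposits(deposits, withdrawals, cospends, window=1000, fee_band=(0.01, 0.05)):
    """Link a deposit to an owner cluster when some subset of that cluster's payouts,
    inside the time window after the deposit, sums to the deposit minus a plausible fee.
    Returns {deposit_txid: [(cluster_root, addresses, total), ...]}; several candidates
    for one deposit is the normal case, which is why attribution stays probabilistic."""
    clusters = cluster_addresses(cospends)
    links = defaultdict(list)
    for dtx, damt, dts in deposits:
        by_cluster = defaultdict(list)
        for addr, amt, ts in withdrawals:
            if dts < ts <= dts + window:                    # timing window clue
                by_cluster[clusters.get(addr, addr)].append((addr, amt))
        lo, hi = damt * (1 - fee_band[1]), damt * (1 - fee_band[0])
        for root, outs in by_cluster.items():
            for k in range(1, len(outs) + 1):              # re-aggregate fragments
                for subset in combinations(outs, k):
                    total = round(sum(a for _, a in subset), 8)
                    if lo <= total <= hi:                   # amount-minus-fee clue
                        links[dtx].append((root, [a for a, _ in subset], total))
    return dict(links)

if __name__ == "__main__":
    for dep, cands in link_deposits(DEPOSITS, WITHDRAWALS, COSPENDS).items():
        print(dep, "->", cands)
```

On the sample data the 10‑coin deposit resolves to a single cluster that was later re‑aggregated by a co‑spend, while the 5‑coin deposit gets three plausible candidates: this is the "mosaic of clues" in miniature, where each heuristic narrows the field without ever proving a link on its own.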


Implications for Companies

For companies, studying mixers isn’t academic. It means understanding that criminals’ ability to launder funds fuels the economic sustainability of ransomware and every credential‑theft‑driven ecosystem.

The most effective defenses aren’t about “chasing the mixer of the month”, but about reducing the likelihood that attackers reach the monetization stage:

  • strong MFA, hardening, patching, and least privilege;
  • defenses against exfiltration and lateral movement (egress control, tool detection, segmentation);
  • rapid incident response to disrupt monetization;
  • collaboration with Threat Intelligence and service providers to intercept cash‑out paths.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO