Europol, Swiss Police Dismantle ‘Cryptomixer’ in Major Bitcoin Laundering Crackdown

Bitcoin Magazine

Law enforcement agencies in Switzerland and Germany have shut down Cryptomixer.io, one of Europe’s largest illicit Bitcoin-mixing operations. 

The takedown unfolded between Nov. 24 and 28 in Zurich, with Europol coordinating cross-border support.

Authorities seized three servers, the cryptomixer.io domain, more than EUR 25 million in bitcoin and over 12 terabytes of data. A seizure banner (see below) now replaces the site. Investigators say the disruption will fuel new leads tied to ransomware groups, dark-web marketplaces and cross-border money-laundering schemes.

Cryptomixer launched in 2016. It quickly became a go-to service for cybercriminals who needed to hide their tracks, Europol said. The platform operated on both the clear web and dark web. Its hybrid design attracted users from ransomware crews, underground forums and online drug markets.

Mixers work by pooling user deposits, shuffling them for long, randomised intervals and redistributing them to new addresses. The process breaks the on-chain trail, making it difficult for analysts to trace specific coins. 

Authorities say Cryptomixer moved more than EUR 1.3 billion worth of bitcoin for clients seeking to wash criminal proceeds. The service was frequently used before funds were pushed to exchanges, ATMs or bank accounts.

German federal investigators said the operation generated “billions of euros in revenues,” much of it tied to illegal activity. The Frankfurt Prosecutor General’s Office and the German Federal Criminal Police Office (BKA) worked alongside Zurich city and cantonal police to lead the on-site action. 

Europol and Eurojust had support from The Hague.

Details of the cryptomixer shutdown

On the action day, Europol deployed cybercrime specialists to Zurich for forensic assistance and real-time coordination. The agency said its Joint Cybercrime Action Taskforce played a central role in connecting investigators across borders. 

Europol also noted similarities to its 2023 takedown of ChipMixer, at the time the largest mixer ever dismantled.

Swiss authorities said the volume of data seized—over 12 terabytes—will be crucial for mapping wider criminal networks. Investigators believe it contains transaction logs, operational documentation and communication records that may link multiple cybercrime groups.

Cryptomixing services have long drawn scrutiny for enabling ransomware payouts, drug sales, weapons trafficking and payment-card fraud.

Regulators and agencies across the EU and U.S. have increasingly targeted mixers that advertise anonymity. High-profile precedents include sanctions and criminal charges against Tornado Cash founders in the U.S. and Netherlands.

Germany’s BKA said the findings from Cryptomixer “will contribute to the investigation of further cybercrimes.” Both countries signaled that more actions against crypto-laundering infrastructure may follow as forensic teams dig through the seized servers and blockchain data.

This post Europol, Swiss Police Dismantle ‘Cryptomixer’ in Major Bitcoin Laundering Crackdown first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Europol Authorities Bust $1.4B Cryptomixer, Seizing $27M and 12TB of User Data

Europol and law enforcement agencies in Germany and Switzerland have shut down one of Europe’s largest illicit crypto-mixing operations, seizing €25 million ($27 million) in Bitcoin and confiscating more than 12 terabytes of user data.

The takedown, announced on December 1, marks one of the most extensive actions yet under the EU’s ongoing effort to dismantle services that obscure the flow of criminal funds.

Europol supports Germany and Switzerland in taking down 'Cryptomixer', seizing EUR 25 million in Bitcoin. This illicit mixing service facilitated money laundering of proceeds from a variety of criminal activities.

Details ➡ https://t.co/d3oTlbrDzd pic.twitter.com/Qtml6nhGlX

— Europol (@Europol) December 1, 2025

Six-Year-Old Crypto Laundering Service Taken Offline

The operation took place between November 24 and 28 in Zurich, with Europol supporting authorities on the ground throughout the action week.

Investigators seized three servers, took control of the cryptomixer(dot)io domain, and replaced the site with a law-enforcement seizure banner.

According to Europol, the platform, known as “Cryptomixer,” functioned as a hybrid mixing service on both the clear web and the dark web.

Since its launch in 2016, the service has processed more than €1.3 billion in Bitcoin linked to a wide range of illegal activity.

Authorities say the mixer was used heavily by ransomware groups, underground cybercrime forums, and operators on dark-web markets.

Source: Europol

Its software pooled deposits for long, randomized periods, then redistributed funds to new addresses designed to break transaction trails.

This method helped conceal proceeds of drug trafficking, weapons trafficking, payment-card fraud, and cyberattacks, allowing criminals to convert “cleaned” assets back into other cryptocurrencies or fiat currency through exchanges, ATMs, and bank accounts.

Europol coordinated intelligence sharing through its Joint Cybercrime Action Taskforce and provided forensic specialists during the raids.

The agency has been involved in several major anti-mixing operations in recent years, including the March 2023 takedown of ChipMixer, then the largest service of its kind.

The shutdown comes as the EU tightens its anti-money-laundering framework ahead of major regulatory deadlines. Under new AML rules tied to MiCA, crypto-mixing services are banned across the bloc, and anonymity-enhancing coins such as Monero and Zcash will be prohibited by 2027.

Crypto-asset service providers are required to apply strict KYC checks, identify the sender and receiver of all transfers, and conduct enhanced due diligence on transactions above €1,000.

These measures aim to close regulatory gaps that have historically allowed laundering networks to operate across borders with minimal oversight.

Europol Leads Wave of Digital Crime Takedowns as Mixer Scrutiny Grows

The enforcement climate around mixers has intensified globally. In January 2025, a U.S. federal grand jury indicted three Russian nationals accused of running Blender(dot)io and its successor, Sinbad(dot)io, mixers the Department of Justice says were used by the North Korean Lazarus Group.

🌪 A federal grand jury in Georgia has indicted three Russian nationals for operating cryptocurrency mixing services https://t.co/O4zvAPMnTQ and https://t.co/2yKHniWPLK. #Mixer #Russian https://t.co/6fgsHt1UjR

— Cryptonews.com (@cryptonews) January 12, 2025

In November, a New York court sentenced Samourai Wallet co-developer Keonne Rodriguez to five years in prison after prosecutors said the service laundered more than $237 million in illicit funds.

The ruling has accelerated scrutiny of privacy-focused and non-custodial crypto tools.

Notably, Samourai Wallet’s chief technology officer, William Lonergan Hill, was also sentenced to four years in federal prison for his role in the mixer activities.

🚨 @SamouraiWallet founders Keonne Rodriguez and William Hill are set to reverse their plea to “guilty” in a high-profile crypto privacy case, according to New York court filings.#SamouraiWallet #CryptoMixers https://t.co/8aHVgJKESf

— Cryptonews.com (@cryptonews) July 30, 2025

The Cryptomixer takedown also arrives during one of Europol’s most active enforcement years in the digital-crime ecosystem.

In October, European investigators dismantled a cybercrime syndicate responsible for creating more than 49 million fake online accounts.

The network provided temporary SIM-based phone numbers that allowed criminals to bypass two-factor authentication and mass-produce fraudulent identities used to exploit exchanges, banks, and e-commerce platforms.

Seven suspects were arrested, and hundreds of SIM servers and routers were seized.

Earlier in June, Europol led raids against Archetyp Market, one of the dark web’s longest-running drug marketplaces.

⛔ Europol has dismantled one of the dark web’s longest-running marketplaces, Archetyp Market, following coordinated raids across six countries. #Archetyp #Darknet https://t.co/sweGIyi2if

— Cryptonews.com (@cryptonews) June 18, 2025

Authorities seized core infrastructure in the Netherlands and arrested suspects across Europe, though experts noted that operators often regroup on decentralized platforms.

The post Europol Authorities Bust $1.4B Cryptomixer, Seizing $27M and 12TB of User Data appeared first on Cryptonews.

Hive Ransomware Network Dismantled by American, European Law Enforcement

Law enforcement authorities from over a dozen countries in Europe and North America have taken part in disrupting the activities of the Hive ransomware group, the U.S. Justice Department and Europol announced. Hive is believed to have targeted various organizations worldwide in the past couple of years, often extorting payments in cryptocurrency.

Captured Decryption Keys Helped Hive Victims Avoid Paying $130 Million in Ransom

Ransomware network Hive, which has had around 1,500 victims in more than 80 countries, has been hit in a months-long disruption campaign, the U.S. Department of Justice (DOJ) and the European Union Agency for Law Enforcement Cooperation (Europol) revealed. A total of 13 nations participated in the operation, including EU member states, the U.K. and Canada.

Hive has been identified as a major cybersecurity threat as the ransomware has been used by affiliated actors to compromise and encrypt data and computer systems of government facilities, oil multinationals, IT and telecom companies in the EU and U.S., Europol said. Hospitals, schools, financial firms, and critical infrastructure have been targeted, the DOJ noted.

Hive has been one of the most prolific ransomware strains, Chainalysis pointed out, and has collected at least $100 million from victims since its launch in 2021. A recent report by the blockchain forensics company revealed that revenue from such attacks decreased last year, with a growing number of affected organizations refusing to pay the demanded ransoms.

According to the announcements by the law enforcement authorities, the U.S. Federal Bureau of Investigation (FBI) penetrated Hive’s computers in July 2022 and captured its decryption keys, providing them to victims around the world which prevented them from paying another $130 million.

Working with the German Federal Police and the Dutch High Tech Crime Unit, the Bureau has now seized control over the servers and websites that Hive used to communicate with its members and the victims, including the darknet domain where the stolen data was sometimes posted. FBI Director Christopher Wray was quoted as stating:

The coordinated disruption of Hive’s computer networks … shows what we can accomplish by combining a relentless search for useful technical information to share with victims.

The Hive ransomware was created, maintained and updated by developers while being employed by affiliates in a ‘ransomware-as-a-service’ (RaaS) double extortion model, Europol explained. The affiliates would initially copy the data and then encrypt the files before asking for a ransom to decrypt the information and not publish it on the leak site.

The attackers exploited various vulnerabilities and used a number of methods, including single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols as well as phishing emails with malicious attachments, the law enforcement agencies detailed.

International botnet takedown, Emotet botnet gone from internet

By: slandau

EXECUTIVE SUMMARY:

In a recent international law enforcement effort, agencies dismantled the infrastructure supporting Emotet. As of July 2020, a global threat index showed that Emotet impacted 5% of organizations, worldwide. By early 2021, Emotet had disrupted 19% of organizations around the world.

Check Point expert Lotem Finklestein calls Emotet “the most successful and prevalent malware of 2020 by a long shot.” Emotet earned its reputation due to its dynamic nature, technical features, and the organized business model supporting it.

When did Emotet first emerge on the scene?

Emotet is known as one of the world’s largest botnets. It has existed since 2014. Initially a banking trojan, Emotet was created to spy on victims’ banking login credentials.

While easily discoverable by malware tools, Emotet evolved into a malware-as-a-service platform that saw extensive use.

The US Department of Homeland Security estimates that incidents involving Emotet cost organizations over $1M, on average.

How did Emotet work? 

Emotet launched malspam campaigns. These campaigns included malicious attachments. The attachments would use PowerShell to pull the Emotet binary from remote websites onto victims’ machines, adding those machines to the botnet.

The botnet grew in size and capabilities over time.

Emotet also retained worm-like capabilities. Moving from machine to machine across a network was one of its strengths. Emotet was difficult to detect. Most victims could not detect it until long after the infection.

What made the Emotet botnet so successful? 

Emotet is considered an advanced, self-propagating and modular Trojan. In a single year, the botnet managed to deliver phishing emails with more than 150,000 unique subject lines and 100,000 different file names for the attachments.

The internationally coordinated response

Authorities were able to disrupt Emotet from the inside. “This operation is the result of a collaborative effort between…the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust,” stated Europol.

Two of the three Emotet command and control servers were located in the Netherlands. The Dutch police report that an operation is in place to “reset Emotet”.

Newly deployed software is expected to release a time-bomb-like code that will uninstall Emotet malware on all computers, worldwide, on April 25th, 2021.

Who created Emotet?

The Emotet botnet was controlled by a group known as TA452, which provided the software to the group that runs TrickBot. Those who run TrickBot are known for disseminating business-destroying Ryuk ransomware.

Emotet’s operators are unique in that they collaborated with other organized crime groups. This allowed them to net higher gains. It’s also part of how Emotet’s operators gained a foothold in so many organizations.

An investigation into the identity of the criminals responsible for running Emotet is still ongoing.

An under-the-radar Emotet botnet attack? 

Do you suspect that your organization may have been compromised by Emotet?  Visit the Dutch website that can help you check. The website was established by the Dutch national police. The text can be translated into English.

For organizations that have been hit by Emotet

“As part of the global remediation strategy…information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs),” says Europol.

For more on botnets and Emotet, visit the BBC.

The post International botnet takedown, Emotet botnet gone from internet appeared first on CyberTalk.

World’s largest dark web marketplace, how authorities removed it from the internet

By: slandau

EXECUTIVE SUMMARY:

Authorities stop illicit commerce and DarkMarket

In a Europol-coordinated event, the world’s largest dark web marketplace, known as DarkMarket, has been dismantled. German authorities arrested a 34-year-old Australian man who is allegedly behind the dark website. Authorities have also seized 20 of the servers connected to the nefarious operations.

Prior to the takedown, DarkMarket hosted nearly 500,000 users. More than 320,000 transactions transpired across its network. Most of the transactions occurred via bitcoin or monero, which were considered largely untraceable forms of payment.

In addition to investigating the website’s operator, Europol has announced plans to investigate the buyers and sellers who frequented the site.

How much money changed hands on DarkMarket?

Governments getting more aggressive in taking down dark web

On the part of federal agencies, dark website takedowns have grown increasingly aggressive and sophisticated. In 2020, a European investigation led to the takedown of sites like Empire Market. As governments have ramped up their efforts, cyber criminals have wound down some of their operations. Fear of prosecution is high and some operators are cutting their losses, taking the money and running.

In the case of the Alphabay marketplace, taken down in 2017, federal agents continued to make arrests for several years after. Dark web marketplace technology can no longer easily outpace law enforcement.

The coordinated approach by European Cybercrime Centre (EC3)

In a comprehensive, coordinated, international program, EC3 is:

  • Sharing intelligence
  • Developing new tools and techniques to improve dark web investigations
  • Elevating its threat detection and target detection initiatives

The scale of EC3’s efforts reflects the organization’s commitment to tackle the use of the dark web as a façade for criminal activities.

For more on the removal of DarkMarket, visit The Verge.

The post World’s largest dark web marketplace, how authorities removed it from the internet appeared first on CyberTalk.
