By The cryptocurrency mixer Coinomize.biz has been active since 2019, operating as a Bitcoin tumbler that obscures the origins of transactions. While such services claim to enhance privacy, they are often exploited by cybercriminals to launder stolen or illicit funds.
Coinomize’s Russian Hosting and Infrastructure
Coinomize operates across three surface web domains, all hosted on servers by DDoS-GUARD LTD, a known Russian bulletproof infrastructure provider, that protects illicit platforms from takedowns. Below is a breakdown of Coinomize’s domain registrations:
| Domain | Creation Date | Registrar | IP Address / ISP |
| coinomize.biz | 18 Nov 2019 | WebNic.cc (Malaysia) | 186.2.163.238, DDoS-Guard, Russia |
| coinomize.is | 20 Dec 2019 | NETIM (France) | 186.2.163.228, DDoS-Guard, Russia |
| coinomize.co | 18 Nov 2019 | NETIM (France) | 185.178.208.78, DDoS-Guard, Russia |
Notably, these websites, and their TOR onion site share the same Google Analytics tracking code (UA-156835383-1), confirming their connection.
Coinomize’s Online Footprint and Marketing Strategies
Despite maintaining a low public profile, Coinomize aggressively promotes itself through black hat SEO and underground forums.
Key details of its online activity include:
| Platform | Username / ID | Notes |
| X.com | CoinomizeMixer / 1303952850150723585 | Registration: September 2020 Website: coinomize.biz |
| YouTube | kellyfreeman6942 | Registration: 29 September 2022 Display Name: “Kelly Freeman” Website: coinomize.biz |
| YouTube | mahiraminnkasnkinfbksg9636 | Registration: 29 April 2020 Posts: 8 videos Website: coinomize.biz |
| Telegram (channel) | Coinomize / -1001157099747 | Registration: 3 January 2020 Subscribers: +1,000 |
| Altcoinstalks.com | Coinomize.biz / 97299 | Registration: 11 December 2023, 08:48:45 AM Website: Coinomize.biz |
| Altcoinstalks.com | Vx1 / 29103 | Registration: 28 May 2018, 06:51:07 PM Gender: Male Website: Coinomize.biz |
| Altcoinstalks.com | Zed0X / 2483 | Registration: 30 October 2017, 07:31:02 AM Website: Coinomize.biz |
| Spotify | Awhondyn | Website: coinomize.biz Profile Url: open.spotify.com/show/24i0fnArIM66siAYm1Vfkg |
| bitcointalk.org | Coinomize.biz / 2803348 | Registration: 06 May 2020, 06:12:44 PM Bitcoin address: 1CrywjDEzzpEMxdWzCDgtmZ3Tr57XrnANV Gender: Male |
| Bcpip.org | Coinomize.biz / 2803348 | Registration Date: 5/6/2020 6:12:44 PM Profile Url: bpip.org/Profile?p=Coinomize.biz |
| GitHub | ColaterCode / 68321640 | Registration Date: 15 July 2020 Repository: github.com/ColaterCode/coinomize |
Coinomize APK: Clues from Metadata Analysis
Coinomize offers an Android APK application that can be downloaded directly from its websites. Metadata analysis conducted via VirusTotal has uncovered that the historic certificate subject for the “coinomize.apk” was issued to Peter Schelter, linked to Coinomize AG, and based in Moscow, Russia.
The following table provides the Indicators of Compromise (IOCs):
| IOC | Details |
| SHA-256 | 90a126155f380a8f40545c88c9296df0f8b71f9232c86ec1a05f122f87453e7a |
| Common Name | Peter Schelter |
| Organization | Coinomize AG |
| Organizational Unit | Coinomize AG |
| Country Code | RU |
| Locality | Moscow |
| Certificate Attributes | Valid From: 2020-01-13 14:10:24 |
| Android Type & Package Name | APK / com.coinomize.app |
| IP Address | 185.178.208.78, DDoS-Guard, Russia |
Extensive searches for Coinomize AG in Swiss, Austrian, and German business registries have not identified any officially registered legal entity. However, the possibility remains that an individual may be operating under the trade name Coinomize in these jurisdictions.
Additionally, investigations into Peter Schelter have not established a direct link to Coinomize, though certain findings suggest that Germany could be a potential location of operation.
A data breach search for the name Peter Schelter uncovered an association with the email agentberni@gmail.com, linked to a registered account under “Schelter Peter” on 23 October 2017. The account’s registration IP address, 95.90.220.120, geolocates to Berlin, Germany, with the ISP listed as Vodafone Deutschland GmbH. This leaked record originates from the tabletop role-playing game site Roll20, which suffered a data breach in 2018.
Further searches for agentberni@gmail.com revealed registered accounts on the following platforms:
| Platform | Username / ID | Notes |
| Breached.vc | N/A | Registered email: |
| ID: 106722887386082815704 | Name: Luca Schlotte | |
| Apple | N/A | Phone Hint: ***** *****13 |
| N/A | N/A | |
| N/A | N/A | |
| Microsoft | ID: B53CE691F7A5D0E2 | Name: Luca Schlotte ID: B53CE691F7A5D0E2 Location: Germany |
Additional searches found a related eBay account “agentberni” based in Germany.
Further investigations have revealed a broader online presence for Luca Schlotte. A summary table is provided below.
| Platform | Username / ID | Notes |
| ID: 107361767047775537597 | Name: Luca Schlotte Registered Email: lucaschlotte@gmail.com | |
| AirBnB | N/A | Phone Number Hints +49 **** ***2113 (Uncovered: +4915209122113) Name: Luca Schlotte Registered Email: lucaschlotte@gmail.com |
| Apple | N/A | Phone Number Hints: ***** *****13 Registered Email: lucaschlotte@gmail.com |
| Strava | 58346417 | Registration: 15 May 2020 Name: Luca Schlotte Last Seen: 1/8/2024 3:31:47 PM Language: German Location: Schönbrunn, Bayern Registered Email: lucaschlotte@gmail.com |
| Microsoft | ID: 62C10BCA6AB982ED | Registration: 12 June 2019 Email hints: ag *** @gmail.com Name: Luca Schlotte Location: Germany Registered Email: lucaschlotte@gmail.com |
| PayPal | N/A | Phone Number Hints: +491 *** 22113 (Uncovered: +4915209122113) Registered Email: lucaschlotte@gmail.com |
| eBay | lucschlott0 | Registration: 27 September 2016 Phone Number Hints: 1********13 (Uncovered: +4915209122113) Location: Germany Registered Email: lucaschlotte@gmail.com |
| +4915209122113 (Vodafone) | Luca Schlotte |
Luca’s profile indicates that he is a gamer; however, no direct connection to cryptocurrency has been identified.
Further investigation is needed to verify whether Luca Schlotte has any ties to Coinomize.
Dark Money: Tracking Coinomize’s Bitcoin Activity
Using AMLBot, a blockchain analysis tool, investigators analyzed the Bitcoin addresses associated with Coinomize:
- BTC Address 1: 1CrywjDEzzpEMxdWzCDgtmZ3Tr57XrnANV
- Total Transactions: $400,065.66 (USD) received between June 2022 – May 2024
- Risk Score: 92% (high risk, linked to darknet markets and stolen funds)
- Incoming Funds: 79.7% from stolen coins
- Outgoing Funds: 71% transferred to other illicit wallets
A second Bitcoin address was also identified through OSINT:
- BTC Address 2: 121ziULPwxdtkfXETwqNnun9DvpkgoPEjy
The second Bitcoin address (BTC Address 2) is flagged as Stolen Assets in AMLBot.
Below is a summary chart of the incoming transactions to BTC Address 2, categorized by relevant income sources:
A breakdown by income category is provided below, using conversion from BTC to USD based on an exchange rate of $81,355 per BTC.
| INCOME CATEGORY | AMOUNT (BTC) | AMOUNT (USD) | INCOME % |
| STOLEN COINS | 89.7657533 | $7,278,182.01 | 7.38% |
| P2P EXCHANGE LICENSED | 59.92972318 | $4,867,013.74 | 4.93% |
| PAYMENTS | 7.65095277 | $617,000.23 | 0.63% |
| SCAMS | 1.62453288 | $131,328.57 | 0.13% |
| ENFORCEMENT ACTIONS | 8.89264065 | $723,872.92 | 0.73% |
| EXCHANGE UNLICENSED | 51.79802924 | $4,220,717.35 | 4.26% |
| DARK MARKETS | 13.52845754 | $1,089,262.65 | 1.11% |
| EXCHANGE FRAUDULENT | 0.002026 | $164.08 | 0.00% |
| GAMBLING | 0.0520977 | $4,223.97 | 0.00% |
| SANCTIONS | 1.03136473 | $84,231.85 | 0.08% |
| MINERS | 0.03916788 | $3,182.90 | 0.00% |
| WALLETS | 2.22657056 | $180,973.04 | 0.18% |
| P2P EXCHANGE UNLICENSED | 0.61443059 | $49,794.59 | 0.05% |
| EXCHANGE LICENSED | 128.842543 | $10,544,870.75 | 10.60% |
| TRANSPARENT | 7.88992107 | $640,819.13 | 0.65% |
| ATM | 0.43252802 | $35,064.74 | 0.04% |
| ILLEGAL SERVICES | 0.02580742 | $2,100.53 | 0.00% |
| UNKNOWN CLUSTERS | 3.99074877 | $324,763.46 | 0.33% |
| UNNAMED ENTITIES | 327.7078281 | $26,687,748.99 | 26.96% |
Below is a summary of the incoming transactions involving key illicit entities associated with BTC Address 2.
| Income Source | Category | Amount (BTC) | Amount (USD) |
| Victim report | Stolen coins | 81.12176646 | $6,994,930.58 |
| ChipMixer.com | Enforcement action | 5.40474879 | $466,079.37 |
| Wasabi wallet | Mixer | 2.89491100 | $249,630.47 |
| Victim report | Stolen coins | 2.40408811 | $207,268.58 |
| MEGA DARKNET MARKET | Dark market | 2.14705803 | $185,063.12 |
| FTX Thief 2022 | Stolen coins | 1.66557972 | $143,544.78 |
| Garantex | Sanctions; enforcement action | 1.53348745 | $132,178.92 |
| Bitzlato (prev. BTC Banker) | Enforcement action | 1.47931875 | $127,563.12 |
| Black Sprut | Dark market | 0.72124743 | $62,178.35 |
| OMG!OMG! | Dark market | 0.60025242 | $51,758.52 |
| Hydra Marketplace | Sanctions (OFAC) | 0.40149895 | $34,598.12 |
| Ransom extortioner | Ransom | 0.06221909 | $5,361.58 |
| ASAP Market | Dark market | 0.00124861 | $107.65 |
| Vought | Dark market | 0.00027896 | $24.04 |
| Incognito Market | Dark market | 0.00005883 | $5.07 |
| Brians Cards | Dark market | 0.00003177 | $2.74 |
| Child exploitation | Child exploitation | 0.00002999 | $2.58 |
Note: The USD amounts are calculated using the exchange rate 1 BTC = $86,215.63 USD as of 8 March 2025.
Garantex, Bitzlato, and Hydra Marketplace are three Russian-affiliated entities involved in illicit financial activities. Garantex, a Moscow-based cryptocurrency exchange, was recently seized by U.S. law enforcement for laundering funds tied to cybercriminals. Bitzlato, formerly BTC Banker, was another Russia-linked crypto exchange that faced enforcement actions for facilitating illicit transactions. Hydra Marketplace, once the largest darknet marketplace, was known for illegal drug sales and money laundering before being sanctioned by the U.S. Treasury’s OFAC and subsequently shut down.
An overview chart detailing the identified outcome categories is presented below.
A breakdown by outcome category is provided below, using conversion from BTC to USD based on an exchange rate of $81,355 per BTC.
| OUTCOME CATEGORY | AMOUNT (BTC) | AMOUNT (USD) | OUTCOME % |
| REWARDS/FEES | 0.37472974 | $30,485.92 | 0.02% |
| EXCHANGE UNLICENSED | 57.12345678 | $4,646,456.00 | 3.01% |
| EXCHANGE LICENSED | 143.9876543 | $11,713,456.00 | 7.59% |
| PAYMENTS | 2.3456789 | $190,789.00 | 0.12% |
| MINERS | 4.4675782 | $363,456.00 | 0.24% |
| DARK MARKETS | 0.12345678 | $10,045.00 | 0.01% |
| ENFORCEMENT ACTIONS | 101.3197712 | $8,242,456.00 | 5.34% |
| OTHER | 1.76463106 | $143,567.00 | 0.09% |
| DARK SERVICES | 0.00039967 | $32.52 | 0.00% |
| SANCTIONS | 5.51297285 | $448,456.00 | 0.29% |
| STOLEN COINS | 546.8793125 | $44,486,456.00 | 28.83% |
| SCAMS | 443.8954083 | $36,108,567.00 | 23.40% |
| WALLETS | 2.3456789 | $190,789.00 | 0.12% |
| TRANSPARENT | 12.40646299 | $1,009,297.71 | 0.65% |
| GAMBLING | 0.2109819 | $17,163.00 | 0.01% |
| MIXERS | 24.96561871 | $2,030,456.00 | 1.32% |
| ILLEGAL SERVICES | 0.13129033 | $10,680.00 | 0.01% |
| ATM | 0.04724235 | $3,842.00 | 0.00% |
| SETTLED | 41.68852119 | $3,391,456.00 | 2.20% |
| UNNAMED | 137.5546024 | $11,189,456.00 | 8.60% |
| UNKNOWN CLUSTERS | 0.95989696 | $78,078.00 | 0.05% |
Below is a summary of the outgoing transactions from BTC Address 2 involving key illicit entities.
| Outcome | Category | Amount (BTC) | Amount (USD) |
| Victim report | Scam | 443.88923107 | $38,283,178.14 |
| Victim report | Stolen coins | 102.38538835 | $8,823,437.50 |
| Jambler.io | Mixer | 18.40589247 | $1,585,965.47 |
| Garantex | Sanctions; enforcement action | 5.44016514 | $468,694.57 |
| Wasabi wallet | Mixer | 5.31461429 | $456,421.87 |
| BitPapa | Sanctions | 3.74919532 | $323,207.97 |
| Victim report | Stolen coins | 3.49727594 | $301,804.68 |
| THORChain | Mixer | 1.28016995 | $110,405.69 |
| Bitzlato (prev. BTC Banker) | Enforcement action | 0.53565976 | $46,187.22 |
| ChipMixer.com | Enforcement action | 0.36590495 | $31,545.12 |
| Perfect Money | payment service (RU) | 0.32506323 | $28,019.22 |
| Hydra Marketplace | Sanctions (OFAC); enforcement action | 0.07227623 | $6,230.64 |
| MEGA DARKNET MARKET | Dark market | 0.04556972 | $3,928.36 |
| Shinjiru | Bulletproof hosting provider | 0.00353820 | $305.00 |
| MagBo[.]CC | Dark market; fraud | 0.00333880 | $288.00 |
| Kraken Darknet | Dark market | 0.00255977 | $220.68 |
| The Fresh Stuff | Dark market | 0.00226875 | $195.57 |
| Infinity | Dark market | 0.00144303 | $124.40 |
| ASAP Market | Dark market | 0.00086921 | $74.94 |
Note: USD values were calculated using 1 BTC = $86,215.63 USD.
Garantex, Bitpapa, Bitzlato, Perfect Money, and Hydra Marketplace are Russian-affiliated entities linked to illicit financial activities. Bitpapa, another Russian crypto exchange, was sanctioned by the U.S. Treasury for its role in the Russian financial sector. Perfect Money, a well-known electronic payment system, recently ceased operations for Russian clients as of December 2024, marking a shift in its services amid increasing financial restrictions on Russia.
A third Bitcoin address was also identified:
- 13NwJwNDx1t8J3HrdaD3myVg8GnPJH1G6F (identified through OSINT)
An overview chart detailing the identified income categories is presented below.
A breakdown by income category is provided below, using conversion from BTC to USD based on an exchange rate of $85,775 per BTC as of 2 April 2025.
| Income Source | Amount (BTC) | Amount (USD) | Income % |
| ATM | 0.012859 | $1,103 | 0.01% |
| Dark Market | 2.291316 | $196,704 | 2.16% |
| Exchange Licensed | 21.686163 | $1,860,589 | 20.45% |
| Exchange Unlicensed | 7.423699 | $636,959 | 7.00% |
| Illegal Service | 16.93855 | $1,453,678 | 15.97% |
| Mixer | 0.925307 | $79,455 | 0.87% |
| Own | 4.836512 | $415,146 | 4.56% |
| P2P Exchange Unlicensed | 0.033861 | $2,906 | 0.03% |
| Payment | 0.037586 | $3,225 | 0.04% |
| Stolen Coins | 24.253641 | $2,080,667 | 22.87% |
| Transparent | 5.667465 | $486,658 | 5.34% |
| Unknown Clusters | 5.643691 | $484,282 | 5.32% |
| Unnamed | 16.220866 | $1,391,453 | 15.30% |
| Wallet | 0.077503 | $6,653 | 0.07% |
Below is a summary of the incoming transactions involving key illicit entities associated with BTC Address 3.
| Income Source | Category | Amount (BTC) | Amount (USD) |
| eXch Exchange | illegal service | 16.93855014 | $1,452,904.16 |
| Potential BTCTurk Thief 2024 | stolen coins | 12.9243666 | $1,108,647.00 |
| Victim report | stolen coins | 11.32851051 | $971,726.00 |
| Wasabi wallet | mixer | 5.52447533 | $473,848.00 |
| Black Sprut | dark market | 1.76559303 | $151,525.00 |
| ChipMixer.com | enforcement action | 1.07226722 | $91,975.00 |
| THORChain | mixer | 0.92530728 | $79,367.00 |
| HHIDE | dark market | 0.49691565 | $42,580.00 |
| Garantex | sanctions | 0.3230207 | $27,707.00 |
| WazirX Thief 2024 | stolen coins | 0.23386016 | $20,061.00 |
| MEGA DARKNET MARKET | dark market | 0.20559601 | $17,626.00 |
| Kraken Darknet | dark market | 0.19656226 | $16,860.00 |
| ChangeHero | exchange unlicensed | 0.18813798 | $16,139.00 |
| Bybit Thief 2025 | stolen coins | 0.15056245 | $12,914.00 |
| Samourai Wallet | enforcement action | 0.14371956 | $12,327.00 |
| OMG!OMG! | dark market | 0.10680596 | $9,162.00 |
| Deribit Thief 2022 | stolen coins | 0.10371038 | $8,896.00 |
| Victim report | stolen coins | 0.09128436 | $7,831.00 |
| BTC-e | enforcement action | 0.01782143 | $1,529.00 |
| MGM Grand | dark market | 0.01675896 | $1,437.00 |
| Hydra Marketplace | sanctions | 0.01320533 | $1,133.00 |
| Victim report | stolen coins | 0.00076354 | $65.46 |
| BitPapa | sanctions | 0.00037259 | $31.90 |
An overview chart detailing the identified outcome categories is presented below.
A breakdown by outcome category is provided below, using conversion from BTC to USD based on an exchange rate of $85,775 per BTC as of 2 April 2025.
| Outcome | Amount (BTC) | Amount (USD) | Outcome % |
| Illegal service | 59.94673339 | $5,141,931.06 | 47.52% |
| Settled | 31.68460125 | $2,717,746.67 | 25.12% |
| Mixer | 16.73747636 | $1,435,657.03 | 13.27% |
| Own | 4.86154823 | $416,999.30 | 3.85% |
| Exchange licensed | 3.38723299 | $290,539.91 | 2.69% |
| Unnamed | 2.84087831 | $243,676.34 | 2.25% |
| Stolen coins | 2.5972332 | $222,777.68 | 2.06% |
| Exchange unlicensed | 2.12028364 | $181,867.33 | 1.68% |
| Other | 1.24108847 | $106,454.36 | 0.98% |
| Gambling | 0.31685395 | $27,178.15 | 0.25% |
| Sanctions | 0.18193811 | $15,605.74 | 0.14% |
| Unknown clusters | 0.07840292 | $6,725.01 | 0.06% |
| Payment | 0.05912345 | $5,071.31 | 0.05% |
| Transparent | 0.038452 | $3,298.22 | 0.03% |
| ATM | 0.01844744 | $1,582.33 | 0.01% |
| Rewards fees | 0.01308509 | $1,122.37 | 0.01% |
| P2P exchange licensed | 0.00689871 | $591.74 | 0.01% |
| Wallet | 0.00473625 | $406.25 | 0.00% |
| P2P exchange unlicensed | 0.00320261 | $274.70 | 0.00% |
Below is a summary of the outgoing transactions involving key illicit entities associated with BTC Address 3.
| Outcome | Category | Amount (BTC) | Amount (USD) |
| eXch Exchange | illegal service | 59.94673339 | $5,141,931.44 |
| THORChain | mixer | 16.5153823 | $1,416,598.46 |
| Bybit Thief 2025 | stolen coins | 1.78196457 | $152,778 |
| WazirX Thief 2024 | stolen coins | 0.81526863 | $69,920 |
| Garantex | sanctions | 0.18193811 | $15,605 |
A fourth Bitcoin address was also identified:
- BTC Address 4: 164KygsvvDzXMwjzVkSLogrubqsNsMgLRP (listed on bitcoinqrcodemaker.com)
The third Bitcoin address (BTC Address 3) has received transactions from THORChain (4.95768006 BTC) and eXch[.]cx (0.00749521 BTC). Transfers from THORChain took place on 2nd and 3rd March 2025, while the transfer from eXch[.]cx was routed via 8 addresses, with the last transaction taking place on 8th March 2025 via bc1qfmdhjx55envz3my3rqdwphvj0l4a5f4jexnd9u.
Final Thoughts: The Ongoing Investigation into Coinomize
Coinomize presents itself as a privacy-enhancing tool, but blockchain analysis shows a high-risk financial profile, with the majority of its funds linked to stolen coins, dark markets, and enforcement actions.
While its infrastructure points to Russia, connections to Germany suggest a possible European link. Further investigations are needed to uncover the full extent of Coinomize’s operations and its key players.
