getting the information from a tightly regulated bank could be a different story to getting it from an anonymous service on Tor though. They probably don't even store it.
completely unrelated as in if you follow the transaction graph they haven't crossed paths, so you'd need the mixer log to break the mixing.
It's difficult to know what they do with the coins, but they could be selling them on an exchange to move onto a different currency and then buy bitcoin again.
actually the best practice is not writing your own code and using thoroughly audited industry standards. Writing your own smart contracts for things that other people have already done and secured is akin to rolling out your own cryptography. Obviously, just like it's happened with openssl in the cryptography equivalency, this can also go wrong, but it's less likely.
If you write your own you should get your code audited by a specialist, or many, before deploying.