Crypto mixer Sinbad looks uncannily like a remix of North Korea's notorious Blender
Lazarus Group’s favorite digi-dollar launderer may have risen again
Notorious cryptocurrency anonymization service Blender, which the US Department of the Treasury last year sanctioned for helping to launder hundreds of millions of dollars in digital assets stolen by the North Korean-linked gang Lazarus Group, appears to have relaunched.
In a report on Monday, blockchain analysis biz Elliptic said that a cryptocurrency mixer called "Sinbad", which has already laundered at least $100 million from attacks linked to Lazarus, is likely a Blender reboot.
Among the signs connecting Sinbad and Blender are ties to a digital wallet used by the latter, similar on-chain behavior, and similar website structures. This makes it "highly likely" that the two are closely intertwined.
"Blender may have been motivated to re-brand in order to avoid sanctions, and OFAC [Treasury's Office of Foreign Assets Control] could now seek to impose further sanctions on Sinbad," Elliptic's analysts wrote. "It may also have done so in order to gain trust from users, following Blender's abrupt closure last year, and the disappearance of significant amounts of funds from the mixer."
Cryptocurrency blenders – also known as crypto tumblers – are legitimate tools that some use to protect their privacy, but miscreants also use them to launder digital assets they've stolen or ransom payments. Mixers blend crypto holdings from multiple sources and users can withdraw their balance later, complete with new and hard-to-track addresses.
According to Chainalysis, another blockchain company, almost 10 percent of crypto held by cybercriminals was run through a mixer in 2022. Treasury last year said mixers are a national threat to the US.
The US has been targeting high-profile ransomware threat groups and others – including those like Lazarus, who steal crypto – with sanctions and criminal charges. North Korea is known for using cybercrime groups to steal money to get around international sanctions and fund programs like its weapons of mass destruction efforts.
Lazarus has stolen billions in crypto-assets, including $540 million in the hack of Axie Infinity's cross-chain bridge and $100 million in June 2022 from Horizon's Harmony Bridge. Soon after that attack, Elliptic identified Lazarus Group as the perpetrators, a conclusion the FBI reached in January 2023.
While putting a target on threat groups, the US government last year also began targeting mixers, first Blender and three months later Tornado Cash.
Elliptic said that Blender shut down operations in April 2022 – before the sanctions hit – while Tornado Cash is still operating.
"Once again, the proceeds [from the Horizon attack] were laundered through a complex series of transactions involving exchanges, cross-chain bridges and mixers," the analysts wrote. "Tornado Cash was used once again, but in place of Blender, another Bitcoin mixer was used: Sinbad."
Follow the money
Sinbad began operating in October 2022, tumbling tens of millions of dollars in digital assets from Lazarus and other North Korean-linked groups. Sinbad – like Blender – is a custodial mixer, with the operator having full control over deposits.
Other clues linking Blender and Sinbad include a service address on the site receiving Bitcoin from a wallet that Elliptic says was controlled by Blender's operator – probably to test the service. In addition, a Bitcoin wallet that was used to pay those who promoted Sinbad received Bitcoin from the Blender wallet.
$22 million in early incoming transactions to Sinbad also suggest links, as they came from the same Blender wallet. The similar on-chain behaviors include specific transaction characteristics and the use of other services to obfuscate where the digicash is now.
Like Blender, Sinbad uses 10-digit mixer codes, a guarantee letter signed by the service address, and a seven-day transaction delay. The two services also use similar language and naming patterns. The code also offers an option of a Russian version with support services in the same language.
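The funding-link clues described above (a labelled wallet paying the new service's address and its promoters, and supplying most of its early deposits) can be checked mechanically over a transaction list. The sketch below is an added illustration, not Elliptic's methodology or anything published with the report; the ledger, the address names, the hop limit and the early-window length are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (day, sender, receiver, BTC). All names are made up.
TXS = [
    (1, "old_mixer_wallet", "hop_a", 40.0),
    (1, "hop_a", "new_service_addr", 39.5),         # test deposit via one hop
    (2, "old_mixer_wallet", "promo_payout", 2.0),   # wallet that pays promoters
    (2, "old_mixer_wallet", "new_deposit_1", 500.0),
    (3, "unrelated_user", "new_deposit_1", 120.0),
    (3, "old_mixer_wallet", "new_deposit_2", 300.0),
    (9, "unrelated_user", "new_deposit_2", 900.0),  # outside the early window
]

def downstream(txs, source, max_hops=3):
    """Addresses reachable from `source` along payments that do not go back in
    time. Breadth-first, first-found path only (a simplification)."""
    out = defaultdict(list)
    for day, src, dst, _ in txs:
        out[src].append((day, dst))
    seen, queue = {source: 0}, deque([(source, 0, 0)])
    while queue:
        addr, hops, not_before = queue.popleft()
        if hops == max_hops:
            continue
        for day, dst in out[addr]:
            if day >= not_before and dst not in seen:
                seen[dst] = hops + 1
                queue.append((dst, hops + 1, day))
    seen.pop(source)
    return seen  # address -> number of hops from source

def linked_targets(txs, source, targets):
    """Which addresses of interest were funded, directly or not, by `source`."""
    reach = downstream(txs, source)
    return {t: reach[t] for t in targets if t in reach}

def early_inflow_share(txs, service_addrs, source, window_days):
    """Fraction of the service's early direct inflow value paid by `source`."""
    start = min(day for day, _, dst, _ in txs if dst in service_addrs)
    early = [(src, amt) for day, src, dst, amt in txs
             if dst in service_addrs and day < start + window_days]
    total = sum(amt for _, amt in early)
    return sum(amt for src, amt in early if src == source) / total
```

A high early-inflow share combined with funding links to both the service address and the promoter wallet is circumstantial evidence of common control, not proof; analysts weigh it alongside the non-ledger similarities the article lists.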
While mixers and tumblers make it difficult to track stolen cryptocurrencies, both government and cybersecurity experts are getting better at tracking hidden digital assets. In July 2022, the US Department of Justice and FBI announced they had recovered $500,000 in Bitcoin that healthcare institutions in the United States paid to the Maui ransomware group.
Two months later, federal investigators and private firms like Chainalysis announced the recovery of $30 million in digital assets stolen in the Axie Infinity heist. ®