Meet the creator of North Korea’s favorite crypto privacy service
In the cryptocurrency economy, there is often a fine line between financial privacy and money laundering. Now a Bitcoin “mixer” service called Sinbad.io is walking that tightrope in full public view: Just a few months after launching on the open web, it appears to have already become the preferred laundering site for the world’s most prolific state-sponsored crypto thieves.
In part of its annual crime report published last week, blockchain analytics firm Chainalysis noted that Sinbad—which, like other mixing services, aims to thwart attempts to trace cryptocurrency by taking in users’ coins, mixing them with the coins of other users, and returning the same amount—had received $25 million in stolen cryptocurrency from North Korean hackers in December and January alone, more than any other mixing service had received.
These funds, according to Chainalysis, include part of the thieves’ proceeds from massive heists that targeted the Harmony Bridge service, from which the North Koreans stole approximately $100 million, as well as the Ronin Bridge service, from which the hackers stole a staggering $650 million. Chainalysis’ vice president of research, Erin Plante, says North Korea’s crypto-thieving cybercriminals began funneling their profits bit by bit through Sinbad almost immediately after the mixer’s launch in October, hoping to hide the origin of the loot before cashing it out on an exchange. Sinbad “hit the radar of North Korea quickly,” says Plante, “and it’s become their favorite.”
That has put the fledgling service in a difficult position: Just weeks after its debut, Sinbad became a publicly operating tool – with a traditional website running openly in addition to a dark website running on the Tor anonymity network – and yet among its earliest high-volume adopters are the crypto world’s most notorious cybercriminals. North Korean hackers, according to Chainalysis’ findings, stole no less than $1.7 billion in cryptocurrency last year, helping to make the year the worst on record for total crypto theft.
Sinbad’s founder, meanwhile, argues in an email interview with WIRED that the service has no reason to hide. “Sinbad is present in the clearnet because it doesn’t do anything bad,” writes the service’s creator and administrator, who asked to be called “Mehdi,” using the term “clearnet” to mean a site that is not hidden on the Tor network.
“I am against total surveillance, control over internet users, against autocracies and dictatorships,” Mehdi adds. “Every living person has a right to privacy.”
Mehdi, who declined to reveal his real name or where he or Sinbad is based, says he created Sinbad as a response to the increasing centralization of cryptocurrency and the erosion of the privacy promises it once seemed to offer. He named his mixer service after the fictional Middle Eastern sailor who, as Mehdi puts it, “traded goods all over the world.” Mehdi describes Sinbad as a legitimate privacy-preserving technology project, comparing it to privacy-focused cryptocurrencies like Monero or Zcash, anonymity-enhancing crypto-wallet software like Wasabi, and the Tor browser, which encrypts user traffic and routes it through multiple servers to hide people’s identities.
As for the tens of millions of dollars that North Korean hackers laundered through Sinbad? “Your magazine is the first to ever contact me regarding this issue,” Mehdi writes. “In case I receive a request from [Chainalysis] or any other institution, I will investigate the matter and give my opinion on it.”
Sinbad’s position highlights a strange tension in the world of cryptocurrency. Cryptocurrency obfuscation tools like Monero, Zcash, and Wasabi, to which Mehdi compares Sinbad, have legitimate and legal uses—for example, a store that wants to accept cryptocurrency payments without disclosing its earnings to a competitor, or dissidents under an oppressive regime who want to fund their opposition movement through international cryptocurrency donations without being tracked. Mixing services belong to this category of privacy tools. They can in some cases protect users’ funds from being tracked on blockchains, where transactions are often far too easy to monitor. But mixers also often enable money laundering by the gangs, fraudsters, dark-web vendors, and thieves who have long exploited the crypto economy.
In recent years, Western law enforcement has cracked down on a number of mixer services, an effort that, according to Chainalysis, has left cybercriminals with fewer money-laundering options than at any time in the past decade. The US Department of Justice indicted the alleged administrators of the mixing services Bitcoin Fog and Helix in 2020, and Dutch prosecutors late last year brought similar charges against the creator of another crypto mixing service, Tornado Cash. The US Treasury’s Office of Foreign Assets Control also imposed sanctions on Tornado Cash and the mixing service Blender, both of which, according to Chainalysis, were previously used by North Korean hackers to launder millions of dollars in stolen crypto.
But in the US criminal cases against mixing service administrators, at least, the Justice Department has argued that the services knowingly conspired with criminals. In the Bitcoin Fog case, for example, prosecutors say undercover agents told the service they were trying to launder profits from dark-web drug sales, and Bitcoin Fog completed their transactions anyway. Helix advertised its services on the website of the dark-web drug marketplace AlphaBay.
Mehdi, on the other hand, claims he was unaware that the $25 million in allegedly dirty crypto that Chainalysis traced to Sinbad was sent there by North Korean hackers: These funds were stolen, Mehdi points out, in the form of the cryptocurrency Ether and only later exchanged for bitcoins, the only cryptocurrency Sinbad accepts. “I could not possibly have known about the funds’ sources,” writes Mehdi.
Chainalysis’ Plante speculates that the North Korean hackers may have chosen Sinbad in part because of its novelty. Because it only recently appeared online, she says, many investigators have yet to identify its Bitcoin addresses, making its mixing much harder to trace. Plante declined to say whether Chainalysis had been able to defeat the service’s own mixing, potentially tracking users’ coins despite Sinbad’s privacy assurances — a feat the company says it has achieved with some other cryptocurrency mixing services in the past.
But Nick Carlsen, an investigator at another cryptocurrency tracking firm, TRM Labs, argues that Sinbad is probably too small to act as an effective mixer: The fewer the users and the smaller the pool of money, the easier it is to separate the transactions and track the money. And that thin layer of temporary anonymity may be all North Korean hackers seek, given that they are usually based in North Korea or China, well beyond the reach of Western law enforcement. “The typical MO of the North Koreans is not to achieve the kind of anonymity that any other hacker needs,” says Carlsen. “They’re usually just trying to buy themselves a few hours of breathing space to carry out the next phase of the money laundering.”
As for whether Mehdi himself might be identified, prosecuted, arrested, or sanctioned, he told WIRED that he remains relatively confident about his own fate. He shared a long list of cryptocurrency mixing services from the BitcoinTalk forum, pointing out that relatively few have met such an end. “It would be foolish not to worry about it at all. I take all necessary precautions to protect my anonymity,” he writes, but “I expect to remain part of the market and not become one of the unfortunate exceptions.”
Amid an ongoing crackdown on crypto-laundering services, there’s no doubt that Sinbad’s high-wire act is riskier than ever – especially as the North Korean users paint an ever-larger target on their backs.