Crypto mixer Sinbad looks eerily like a remix of North Korea’s infamous Blender • The Register
Infamous cryptocurrency anonymization service Blender, which the US Treasury Department sanctioned last year for helping to launder hundreds of millions of dollars in digital assets stolen by the North Korean-linked gang Lazarus Group, appears to have relaunched.
In a report on Monday, blockchain analytics biz Elliptic said a cryptocurrency mixer dubbed “Sinbad” that has already laundered at least $100 million from attacks linked to Lazarus is likely a Blender reboot.
The signs connecting Sinbad to Blender include a link to a digital wallet associated with Blender's code, similar on-chain behavior, and similar website structures. Together these make it "highly likely" that the two are closely intertwined.
“Blender may have been motivated to re-brand to avoid sanctions, and OFAC [Treasury’s Office of Foreign Assets Control] could now seek to impose further sanctions against Sinbad,” Elliptic’s analysts wrote. “It may also have done so to gain user confidence, following Blender’s abrupt shutdown last year, and the disappearance of significant amounts of funds from the mixer.”
Tool for two uses
Cryptocurrency mixers – also known as crypto tumblers – are legitimate tools that some people use to protect their privacy, but criminals also use them to launder stolen digital assets or ransom money. A mixer pools crypto holdings from multiple sources; users later withdraw their balance to new, hard-to-trace addresses.
According to Chainalysis, another blockchain company, nearly 10 percent of crypto held by cybercriminals was run through a mixer by 2022. The Treasury Department said last year that mixers are a national threat to the United States.
The US has targeted high-profile ransomware threat groups and others – including those like Lazarus, which steals crypto – with sanctions and criminal charges. North Korea is known for using cybercrime groups to steal money to evade international sanctions and finance programs such as weapons of mass destruction.
Lazarus has stolen billions in crypto assets, including $540 million in the hack of Axie Infinity’s cross-chain bridge and $100 million in June 2022 from Horizon’s Harmony Bridge. Shortly after the attack, Elliptic identified the Lazarus Group as the perpetrators, a conclusion the FBI reached in January 2023.
While targeting threat groups, the US government last year also began targeting mixers, first Blender and three months later Tornado Cash.
Elliptic said Blender ceased operations in April 2022 – before the sanctions hit – while Tornado Cash is still operating.
“Once again, the revenue [from the Horizon attack] was laundered through a complex series of transactions involving exchanges, cross-chain bridges and mixers,” the analysts wrote. “Tornado Cash was used once again, but instead of Blender, another Bitcoin mixer was used: Sinbad.”
Follow the money
Sinbad began operating in October 2022, receiving tens of millions of dollars in digital assets from Lazarus and other North Korean-affiliated groups. Sinbad – like Blender – is a custodial deposit mixer, meaning the operator has full control over deposited funds.
Other clues connecting Blender and Sinbad include a service address on the website that receives Bitcoin from a wallet that Elliptic says was controlled by Blender’s operator — likely to test the service. Additionally, a Bitcoin wallet used to pay those who promoted Sinbad received Bitcoin from the Blender wallet.
The $22 million in early incoming transactions to Sinbad also suggest links, as they came from the same Blender wallet. The similar on-chain behavior includes specific transaction characteristics and the use of other services to hide where the digicash is now.
Like Blender, Sinbad uses 10-digit mixer codes, a warranty letter signed by the service address, and a seven-day transaction delay. The two services also use similar language and naming patterns. The code also offers an option for a Russian version with support services in the same language.
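The wallet-based clues above (a service address funded by a wallet tied to Blender's operator, a promoter payout wallet funded by the same wallet, and early deposits arriving from it) are all instances of one analytic: trace value forward from a known-attributed wallet and check which addresses of the candidate service it reaches. The script below is an added illustration of that forward-tracing step, not Elliptic's tooling or anything from the original article; the transactions, addresses and amounts are constructed sample data, and the function and variable names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample transactions (hypothetical addresses and BTC amounts, not real on-chain data).
# Each tuple: (txid, sender address, receiver address, amount in BTC).
SAMPLE_TXS = [
    ("tx01", "blender_operator_wallet", "sinbad_service_addr", 0.05),   # small "test the service" deposit
    ("tx02", "blender_operator_wallet", "sinbad_promo_payout", 1.20),   # wallet later used to pay promoters
    ("tx03", "sinbad_promo_payout", "promoter_alice", 0.40),            # second-hop payment to a promoter
    ("tx04", "blender_operator_wallet", "sinbad_deposit_01", 350.0),    # early inbound deposits to the service
    ("tx05", "blender_operator_wallet", "sinbad_deposit_02", 400.0),
    ("tx06", "exchange_hot_wallet", "unrelated_user", 2.0),             # unrelated flow, used as a negative control
    ("tx07", "unrelated_user", "sinbad_deposit_03", 1.5),
]

# Candidate address groups of the service under review (hypothetical labels/addresses).
CANDIDATES = {
    "service_address": ["sinbad_service_addr"],
    "promoter_payouts": ["sinbad_promo_payout", "promoter_alice"],
    "early_deposits": ["sinbad_deposit_01", "sinbad_deposit_02", "sinbad_deposit_03"],
}


def build_flow_graph(txs):
    """Directed graph of value flows: sender -> list of (receiver, amount, txid)."""
    graph = defaultdict(list)
    for txid, src, dst, amount in txs:
        graph[src].append((dst, amount, txid))
    return graph


def trace_forward(graph, seed, max_hops=3):
    """Breadth-first walk downstream from `seed`.

    Returns {address: hop count} for every address that received funds
    originating (directly or via intermediaries) from the seed wallet,
    bounded by `max_hops` so the walk does not swallow the whole ledger.
    """
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for dst, _amount, _txid in graph.get(cur, []):
            if dst not in hops:
                hops[dst] = hops[cur] + 1
                queue.append(dst)
    return hops


def direct_inflow(graph, src, dst):
    """Total BTC sent in one hop from `src` to `dst`."""
    return sum(amount for d, amount, _ in graph.get(src, []) if d == dst)


def link_report(txs, seed, candidates, max_hops=3):
    """For each candidate group, list which addresses the seed wallet reaches,
    at how many hops, and how much it sent to them directly."""
    graph = build_flow_graph(txs)
    reach = trace_forward(graph, seed, max_hops)
    report = {}
    for label, addrs in candidates.items():
        linked = [a for a in addrs if a in reach]
        report[label] = {
            "linked": linked,
            "hops": {a: reach[a] for a in linked},
            "direct_btc": round(sum(direct_inflow(graph, seed, a) for a in addrs), 8),
        }
    return report


def linked_group_count(report):
    """Number of candidate groups with at least one address reached by the seed."""
    return sum(1 for entry in report.values() if entry["linked"])


if __name__ == "__main__":
    result = link_report(SAMPLE_TXS, "blender_operator_wallet", CANDIDATES)
    for label, entry in result.items():
        print(f"{label}: linked={entry['linked']} hops={entry['hops']} direct_btc={entry['direct_btc']}")
    print("candidate groups linked to seed wallet:", linked_group_count(result))
```

On the constructed data, all three groups are reached: the service address and the two early deposit addresses at one hop, the promoter at two hops, while `sinbad_deposit_03` (funded via an exchange, not the seed wallet) is correctly left out. In real analysis the same walk runs over indexed chain data, and hop count and direct inflow are only two of the features that feed an attribution; they are the ones this article's clues map onto most directly.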
While mixers and tumblers make it difficult to trace stolen cryptocurrencies, both authorities and cybersecurity experts are getting better at tracking hidden digital assets. In July 2022, the US Department of Justice and the FBI announced that they had recovered $500,000 in Bitcoin that healthcare facilities in the US paid to the Maui ransom group.
Two months later, federal investigators and private firms such as Chainalysis announced the recovery of $30 million in digital assets stolen in the Axie Infinity heist. ®