red 
Cryptocurrency mixers and other privacy-enhancing technologies – such as privacy wallets – have been a long-standing feature of the crypto space.
Because the open and transparent nature of the blockchain makes crypto transactions easily traceable, crypto innovators have spent much of crypto history looking for ways to improve privacy—including the development of cryptoasset mixers and privacy wallets, which are services that seek to obscure the origin of funds on the blockchain.
This desire for increased confidentiality in crypto certainly includes legitimate goals. Individuals may want to improve the privacy of their transactions if they earn a salary in cryptocurrency, donate to charity, or undertake other activities where confidentiality is both desirable and legitimate.
Unfortunately, privacy-enhancing technologies in the crypto space are also routinely abused by criminal actors trying to avoid detection from law enforcement agencies and regulated businesses. While in some cases the developers of these services have legitimate goals and even condemn users who abuse them for illegal purposes, some of the platforms have knowingly given their obfuscation capabilities directly to criminal actors.
That was the case with the prolific mixing service Helix, whose founder pleaded guilty in August 2021 to charges of money laundering on behalf of dark web marketplace sellers and other criminals, and was fined $60 million by the US Treasury for failing to implement anti- – money laundering claims (AML).
Anti-money laundering watchdogs, such as the Financial Action Task Force (FATF) and the US Treasury’s Financial Crimes Enforcement Network (FinCEN), have warned that the frequent use of blending and other similar services is a red flag for companies to regulate. they should have been careful.
Crypto asset exchanges and financial institutions often rely on blockchain’s analytical capabilities to identify whether their clients’ transactions involve the use of mixers and other obfuscating services. Where this is the case, regulated firms can manage risks appropriately, including performing enhanced due diligence or reporting suspicious activity where warranted.
Transactions involving mixers are increasingly relevant not only for AML compliance purposes, but also for ensuring compliance with financial and economic sanctions requirements. It is critical that compliance teams understand the sanction risks associated with mixers and privacy-enhancing protocols, and take steps to appropriately address the risks as part of their compliance frameworks.
Mixers in OFAC’s crosshairs
Beginning in 2022, the US Treasury’s Office of Foreign Assets Control (OFAC) began imposing sanctions on interference services that facilitated illegal activities.
In May of that year, OFAC sanctioned Blender – a blending service used by North Korea’s Lazarus Group to launder bitcoins – a sanctioned cybercrime organization.
Blockchain analysis shows that the Lazarus Group laundered more than $20.5 million worth of Bitcoin through Blender after hacking Ronin Bridge, a decentralized finance (DeFi) service in March 2022. Axie Infinity blockchain-based gaming platform, resulting in the theft of more than $540 million in cryptoassets.
By imposing sanctions on Blender, OFAC prohibited US persons – including US crypto exchanges – from processing transactions with Blender, which shut down around the time of the sanctions.
In August 2022, OFAC targeted another mixer, this time sanctioning the Tornado Cash mixer on Ethereum and other blockchains. As with Blender, OFAC targeted Tornado Cash because it was used by the Lazarus group to launder funds from Axie Infinity hacking and other cyber crime incidents.
Ellptic’s research shows that the Lazarus group laundered more than $518 million through Tornado Cash, which accounted for roughly 5.8% of the total $9 billion in funds that were commingled through it.
Unlike Blender – which was a centralized service – Tornado Cash is a DeFi mixer, meaning it works using smart contracts, with its mixing capabilities decentralized and automated. OFAC’s sanctions, therefore, could not cause Tornado Cash to disappear, as it will continue to run on the blockchain indefinitely.
However, after the OFAC sanctions, the volume of transactions sent through Tornado Cash dropped by more than 50%, as it became banned and exchanges were forced to block all transactions with it.
This had the effect of undermining Tornado Cash’s liquidity, which in turn undermined its usefulness as a mixer, since a mixer’s effectiveness is determined by the volume of transactions it processes that can act as effective cover for user funds.
While OFAC’s actions against Blender and Tornado Cash served to undermine those mixers, North Korea, unsurprisingly, sought to circumvent the sanctions by using alternative obfuscation services.
In January 2023, Lazarus Group sent approximately $58 million through an Ethereum-based privacy-enhancing service known as Railgun, which Elliptic had previously identified as a possible alternative to Tornado Cash for those seeking to conceal transactions. The funds in question are related to the hacking of the Harmony Horizon bridge, another DeFi service from which the Lazarus group stole about 100 million dollars in the summer of 2022.
In February 2023, Elliptic identified that the Lazarus Group had also sent Bitcoin totaling more than $100 million through Sinbad Mixer, a new service established in October 2022.
While researching Sinbad, Elliptic found that the new service appears to be acting as a replacement for Blender following the OFAC sanctions. Analysis of Bitcoin transactions showed that Sinbad’s activity is closely related to Blender through common transactions, and showed that a disproportionate number of transactions for such a new blending service appear to be related to facilitating transactions with the Lazarus Group.
Risks and red flags
Cryptocurrency businesses and financial institutions therefore face a range of sanctions risks when it comes to mixers and other privacy-enhancing services.
It is important to note that OFAC’s actions mentioned above apply only to specifically named mixers and do not prevent transactions with all mixers and privacy protocols. Compliance teams need not assume that every single transaction involving mixers or other privacy-enhancing services is illegal or related to sanctioned activity. Legitimate customers may very well try to use mixing services for legitimate reasons.
However, in addition to the risks they may face from engaging in direct transactions with sanctioned services such as Blender and Tornado Cash, crypto exchanges and financial institutions should be alert to other signs of sanctions risk involving similar services.
For example, compliance teams should be particularly alert to signs of transactions involving Sinbad and Railgun services, given the high likelihood that funds from them could be linked to the Lazarus Group.
The Lazarus Group has also previously relied on Wasabi Wallet – a Bitcoin privacy wallet service – to launder funds from its hacks. Following the KuCoin cryptocurrency hack in Singapore in September 2020, which the United Nations later acknowledged was attributed to North Korea, Elliptic revealed that some of the stolen Bitcoin was laundered through the Wasabi Wallet.
Compliance teams should be alert for unusual or unexpected transaction volumes involving Wasabi or other obfuscating services that sanctioned actors may attempt to use, and should apply appropriate due diligence to determine whether any sanctions risks exist.
Other sanctions-related red flags and risk indicators that compliance teams should be alert to include:
- A client whose transactions involve interactions with mixers or other obfuscation services has also engaged in transactions with entities located in sanctioned jurisdictions or on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list.
- The client’s transactions show frequent and significant exposure to mixers that the client is unable or unwilling to explain, especially when exposure to mixers occurs in close proximity to major incidents of cyber theft or other crimes.
- A customer who receives a large incoming transfer from a mixing service immediately tries to exchange the funds for another crypto-asset and move it from the platform in a short period of time (an indicator of the “chain-hopping” money laundering typology).
- A client who frequently transacts with mixers or other similar services presents other sanctions risks, such as logging into their account from high-risk or sanctioned jurisdictions.
We’ve highlighted these and other mixer-related red flags in Elliptic’s 2022 typologies report.
Using blockchain analytics for risk management
Cryptoasset exchanges and financial institutions should take proactive steps to identify and manage the risks associated with sanctions involving mixing and other cloaking services. They can achieve this by using blockchain analytics solutions – such as those offered by Elliptic – at various stages of the compliance journey.
First, using a wallet verification solution like Elliptic Lens, companies can identify if their customers intend to withdraw funds to a blacklisted blending service like Blender, or a seemingly related service like Sinbad, and can block those transactions – ensuring compliance with sanctions requirements.
Second, compliance teams can use transaction screening software like Elliptic Navigator to identify where they have customers who have indirectly interacted with mixers. It is common for illegal actors like the Lazarus Group to send funds through a number of intermediary wallets (or “hops”) before or after the funds pass through the mixer – a technique known as “chain peeling” designed to try to further disguise the origin of the funds.
Using Elliptic’s exposure-based monitoring methodology that uses holistic screening, compliance teams can identify exposures to sanctioned or high-risk mixers even when related assets have gone through multiple jumps, or have been replaced by different assets or blockchains, ensuring they can identify and address risk exposures from indirect sanctions.
Finally, compliance teams should be equipped with the capabilities to conduct in-depth investigations into suspected sanctions violations involving mixers and other covert services. Using Elliptic Investigator, our multi-asset crypto-forensics tool, analysts can map the flow of funds to visualize complex transactions involving mixers, helping them determine whether sanctions evasion is possible.
The image above from Elliptic investigators shows the flow of funds from the Lazarus Group’s crypto wallet linked to the $100 million Harmony Horizon Bridge hack. Arrows show where funds were sent via other wallets (indicated by white circles) before being sent via Tornado Cash.
Transactions involving mixers and other cloaking services can pose significant penalties for compliance teams. Contact us to learn more about how to manage your cryptoasset sanctions risks using Elliptic’s blockchain analytics solutions.
Key takeaways
- Ensure you use a wallet verification solution to identify potential cryptoasset wallets associated with sanctioned mixing services.
- Ensure your compliance team is equipped with cryptoasset transaction verification capabilities to identify even indirect exposure to sanctioned and high-risk cloaking services.
- Make sure your business uses a cryptoasset investigative solution to cover up and map suspected sanctions evasion cases involving mixers.
