On November 29, 2023, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Bitcoin mixer Sinbad.io for its links to money laundering in North Korea. In addition to this designation, Sinbad’s website now displays a seizure notice.
Two Bitcoin addresses associated with Sinbad were listed by OFAC as part of this designation; however, Elliptic is aware of thousands of additional addresses associated with this mixer.
In a press release announcing the designation, the Treasury said Sinbad was a key money laundering vehicle used by the Lazarus Group – a state-sponsored cyber hacking group from North Korea – and was used to launder the funds stolen in the Harmony Horizon bridge and Axie Infinity bridge hacks, both of which took place in 2022.
In addition to the hacks mentioned by the US Treasury Department in the press release, Sinbad was also used to launder some of the proceeds of other major hacks, including thefts from Stake.com (September 2023, $41 million), CoinEx (September 2023, $70 million), FTX (November 2022, $477 million), BadgerDAO (December 2021, $120 million) and more.
Earlier this year, Elliptic was the first to report that Sinbad is likely to be a rebranding of Blender.io, which in May 2022 became the first ever cryptocurrency mixer sanctioned by OFAC.
Blender.io was also sanctioned for its role in laundering millions of dollars in cryptocurrency on behalf of the North Korean Lazarus Group. Acknowledging this connection, today’s press release states, “Some industry experts believe that Sinbad is the successor to the Blender.io mixer, which OFAC designated for providing mixing services to the Lazarus Group.”
Elliptic’s analysis indicated that it was highly likely that the same individual or group was responsible for both Sinbad and Blender, based on a number of factors, in particular:
- Analysis of blockchain transactions shows that, before it was made public, the “service” address on the Sinbad website received Bitcoin from a wallet believed to be controlled by the operator of Blender – presumably to test the service.
- Analysis of blockchain transactions shows that the Bitcoin wallet used to pay the individuals promoting Sinbad was itself receiving Bitcoin from the suspected Blender operator’s wallet.
- Analysis of blockchain transactions shows that almost all of the early incoming transactions to Sinbad originated from the suspected Blender operator’s wallet.
- The pattern of on-chain behavior is very similar for both mixers, including specific transaction characteristics and the use of other services to mask their transactions.
- The way the Sinbad mixer works is identical to Blender in several ways, including a ten-digit mixer code, letters of guarantee signed from the service address, and a maximum seven-day transaction delay.
- There are great similarities in the structure of the web pages of both services, as well as in their use of language and naming conventions.
- Both services have a clear connection to Russia, with Russian language support and websites.
Analysis of blockchain transactions shows clear links between Blender and Sinbad.
In addition to its connection to money laundering activities in North Korea, the Treasury Department noted that Sinbad was also used by cybercriminals associated with “sanctions evasion, drug trafficking, purchase of child sexual abuse materials and additional illegal sales on darknet markets.”
How we can help
Elliptic clients can now screen crypto transactions and explore wallets with links to all addresses controlled by this sanctioned actor.
Also, to learn more about how to stay safe, you can download our new “Cryptocurrency Sanctions Compliance 2023” report.