Elliptical analysis shows that Blender – sanctioned for helping North Korea’s Lazarus group launder tens of millions of dollars in Bitcoin – is very likely relaunched as Sinbad. To date, Sinbad has laundered close to $100 million in Bitcoin from hacks attributed to Lazarus.
The Lazarus Group
When the crypto game Axie Infinity‘s cross-chain bridge was hacked in March 2022, $540 million in crypto assets were stolen. Soon after, the US Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the thief’s Ethereum address and identified the owner as the Lazarus Group. This is a North Korean-controlled cybercrime group believed to be responsible for stealing billions of dollars worth of cryptoassets.
Despite the sanctions, the stolen funds were quickly moved between different cryptoassets and blockchains, using decentralized and centralized exchanges and cross-bridges. This type of cross-laundering and cross-asset laundering has become very common, and Elliptic has developed new technologies to track the proceeds of crime that are transferred in this way.
In addition to moving stolen proceeds between different blockchains and cryptoassets, mixers have also been used to cover the blockchain trail. In response, OFAC imposed sanctions on two used mixers – Tornado Cash and Blender – which it claimed were responsible for laundering more than $475 million from the Axie hack.
Blender website.
Tornado Cash continues to operate, while Blender ceased operations in April 2022. Blender’s operator is believed to have taken around $22 million in Bitcoin from the mixer before disappearing.
In June 2022, another major crypto heist occurred, with $100 million stolen from another cross-chain bridge: Horizon. Elliptic was able to attribute the theft to Lazarus shortly thereafter, and the FBI confirmed this in January 2023. Once again, the proceeds were laundered through a complex series of transactions involving exchanges, cross-bridges, and mixers. Tornado Cash was used again, but instead of Blender, another Bitcoin mixer was used: Sinbad.
Sinbad site.
Sinbad launched in early October 2022 and despite its relatively small size, it soon began to be used to launder Lazarus hack revenue. Tens of millions of dollars from Horizon and other North Korea-related hacks have flowed through Sinbad to date and continue to do so, showing confidence and trust in the new mixer. Like Blender, Sinbad is a custodial mixer, meaning that its operator has full control over the cryptoassets deposited in it.
Elliptical analysis shows that Sinbad is in fact very likely to be a rebrand of Blender, for which the same individual or group is responsible. especially:
- Analysis of blockchain transactions shows that, before it was made public, the “service” address on the Sinbad website received Bitcoin from a wallet believed to be controlled by the operator of Blender – presumably to test the service.
- Analysis of blockchain transactions shows that the Bitcoin wallet used to pay the individuals promoting Sinbad was itself receiving Bitcoin from the suspected Blender operator’s wallet.
- Analysis of blockchain transactions shows that almost all of the early incoming transactions to Sinbad (about $22 million) originated from the suspicious wallet of Blender operator.
- The pattern of on-chain behavior is very similar for both mixers, including specific transaction characteristics and the use of other services to mask their transactions.
- The way the Sinbad mixer works is identical to Blender in several ways, including a ten-digit mixer code, warranty letters signed from the service address, and a maximum seven-day transaction delay.
- There are great similarities in the structure of the web pages of both services, as well as in their use of language and naming conventions.
- Both services have a clear connection to Russia, with Russian language support and websites.
Analysis of blockchain transactions shows clear links between Blender and Sinbad.
Blender may have been motivated to rebrand to avoid sanctions, and OFAC may now seek additional sanctions against Sinbad. Perhaps he did it to gain the trust of users, after the sudden shutdown of Blender last year and the disappearance of significant amounts of funds from the mixer.
Wallets belonging to both Blender and Sinbad are identified in Elliptic’s solutions, helping businesses detect any exposure to these services and avoid transactions with sanctioned entities.
APAC Crypto Crime Compliance