Cyber Defense Advisors

U.S. Treasury Sanctions Sinbad Cryptocurrency Mixer Used by North Korean Hackers

The U.S. Treasury Department on Wednesday imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds.

“Sinbad has processed millions of dollars’ worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists,” the department said.

“Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces.”

In addition to the sanctions, Sinbad had its website seized as part of a coordinated law enforcement action between agencies in the U.S., Finland, and the Netherlands.

The development builds on prior actions undertaken by governments in Europe and the U.S. to blockade mixers such as Blender, Tornado Cash, and ChipMixer, all of which have been accused of providing “material support” to the hacking crew by laundering the stolen assets through their services.

Sinbad, created by an individual who goes by the alias “Mehdi” in September 2022, told WIRED earlier this February that it was a legitimate privacy-preserving initiative and that it was launched as a response to the “growing centralization of cryptocurrency and the erosion of the privacy promises it once appeared to offer.”

It also emerged as a replacement for Blender, with the Lazarus Group using it to launder virtual currency plundered following the hacks of Atomic Wallet and Harmony Horizon Bridge.

“Overall, more than one third of funds sent to Sinbad during its lifetime have come from crypto hacks,” Chainalysis said. “Following the takedown of Tornado Cash and Blender.io last year, Sinbad emerged as the mixer of choice for DPRK-based hacking activities.”

Sinbad has also been used by ransomware actors, darknet markets, and scammers, leveraging it to facilitate illicit transactions by obfuscating their origin, destination, and counterparties.

Blockchain analytics firm Elliptic said there is evidence to suggest that the same individual or group is highly likely behind both Sinbad and Blender based on an examination of on-chain patterns, the way in which the two mixers operate, similarities in their websites, and their connections to Russia.

“Analysis of blockchain transactions shows that, before it was publicly launched, a ‘service’ address on the Sinbad website received Bitcoin from a wallet believed to be controlled by the operator of Blender – presumably in order to test the service,” the company noted.

“A Bitcoin wallet used to pay individuals who promoted Sinbad, itself received Bitcoin from the suspected Blender operator wallet. Almost all of the early incoming transactions to Sinbad originated from the suspected Blender operator wallet.”

The development comes as Vitalii Chychasov, a 37-year-old administrator of the now-dismantled online marketplace named SSNDOB, was sentenced to eight years in federal prison in the U.S. for selling personal information, including the names, dates of birth, and Social Security numbers.

Chychasov, an Ukrainian national, was arrested in March 2022 while attempting to enter Hungary. He was subsequently extradited to the U.S. in July 2022. SSNDOB was taken down in a joint operation led by the U.S., Cyprus, and Latvia in June 2022.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.