U.S. sanctions Sinbad: North Korean hackers prefer coin mixers, with more than one-third of the funds coming from crypto hackers
Author: Chainalysis
Compilation: Felix, PANews
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced on November 29 that it had imposed sanctions on the cryptocurrency mixing platform Sinbad.io (Sinbad). The Federal Bureau of Investigation (FBI), the Dutch Financial Information and Investigation Agency (FIOD) and other agencies seized Sinbad.io and took it offline. Sinbad is the main money laundering tool used by Lazarus Group, a North Korean-backed hacking group sanctioned by the United States. (Related reading: Doxxing North Korean hacker group Lazarus Group’s attack methods and money laundering patterns)
OFAC’s action is a direct response to Sinbad’s involvement in “laundering” millions of dollars in stolen cryptocurrency, including funds stolen in the attacks on the Harmony Horizon Bridge and Axie Infinity.
What is Sinbad.io?
Sinbad, which runs on the Bitcoin blockchain, is a coin mixing service that hides the flow of funds on the chain by masking transaction details. Cryptocurrency mixing services, while potentially useful for legitimate privacy purposes, have become a prime tool for money laundering by cybercriminals, including North Korea-linked attackers.
Crypto mixers work by taking cryptocurrencies from different users, pooling them together, and then redistributing them to the designated recipients. This process is designed to obscure otherwise transparent transactions on the public chain. To date, crypto mixers have helped “launder” billions of dollars in illicit funds.
According to OFAC’s press release, experts consider Sinbad to be an alternative to Blender, a mixing service sanctioned by OFAC in 2022. Overall, more than a third of Sinbad’s funds during its existence have come from crypto hackers. (Note: Blender was founded in 2017 and was the first coin mixer to be sanctioned by the U.S. Treasury Department.)
For example, a significant portion of the $100 million worth of cryptocurrency stolen from Atomic Wallet users on June 3, 2023, was laundered through Sinbad. Sinbad was also previously involved in “laundering” most of the cryptocurrency stolen from Axie Infinity (worth about $620 million) in March 2022 and Horizon Bridge (worth about $100 million) in June 2022. All of these attacks are linked to the Lazarus Group.
In 2019, Lazarus Group was sanctioned by OFAC for allegedly stealing more than $3 billion worth of cryptocurrency. The cryptocurrency stolen by a team of hackers funded by North Korea is ultimately used to fund North Korea’s weapons program.
On-chain tracking of Sinbad.io
Following the banning of Tornado Cash and Blender.io in 2022, Sinbad became the go-to mixer for North Korean hacking groups.
As reported in February, North Korean hackers transferred about 1,429.6 bitcoins, worth about $24.2 million, to the mixer between December 2022 and January 2023. This includes funds converted from ETH to BTC, which were part of the funds stolen by the Axie Infinity hackers.
In addition, Sinbad mixes these funds with funds from other nefarious activities, including drug trafficking, purchase of child sexual abuse material (CSAM), illegal sales on dark web marketplaces, and funds related to evading sanctions.
The image below shows some of the illegal services that send funds to and receive funds from Sinbad, including ransomware actors, various darknet marketplaces, scams, and even the Russian exchange Garantex, which was sanctioned in April 2022 along with the darknet marketplace Hydra.
The chart below shows the outflow from Sinbad to CSAM-related entities, revealing that users use Sinbad to obfuscate their funding sources before purchasing CSAM.
Cryptocurrency addresses associated with Sinbad.io
The following Bitcoin addresses associated with Sinbad have been added to the list of Specially Designated Nationals and Blocked Persons (SDN List) published by OFAC. (Note: This is a list of U.S. sanctions against terrorists, warlords, tyrannical officials, or persons that the U.S. deems to be harming the interests of the U.S. and its allies, as well as international criminals.)
OFAC is once again cracking down on cryptocurrency money laundering
OFAC’s action follows last year’s sanctions against crypto mixers Blender and Tornado Cash. Previously, both platforms were involved in providing coin mixing services to Lazarus Group.
The U.S. Treasury Department’s move underscores the U.S.'s continued efforts to crack down on financial networks that facilitate illegal activities, particularly those involving hostile state actors.