Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus

The prolific threat actor has laundered hundreds of millions of dollars in stolen virtual currency through the service.

Keyboard with a red-and-white North Korean flag drawn out by the various character keys
Source: Yogesh More via Alamy Stock Photo

In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its cybercriminal activity.

The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Sinbad.io, or just Sinbad, a crypto-mixing service that the feds said has processed millions of dollars worth of virtual currency from crypto heists by the Lazarus Group, according to a press release from OFAC.

As a result of the action, all Sinbad property and interests in property in the US or controlled by anyone in the US must be blocked and reported to OFAC, and people in the US are prohibited from having any involvement with the service. Further, anyone who engages in transactions with the service also may be exposed to sanctions.  

Crypto mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is a popular service tapped by cybercriminals to obscure their illegal transactions. In the case of Lazarus, the group used Sinbad to launder crypto from various malicious incidents, including the Horizon Bridge and Axie Infinity heist, the government said.

The prolific threat actor is well known for conducting cyberattacks on behalf of the regime of North Korea's leader, Kim Jong Un, engaging in widespread crypto theft through various cyberattacks — including targeting crypto engineers or using compromised systems to mine crypto — to fund government activities, among other endeavors. The US government officially sanctioned Lazarus in 2019, effectively making it a crime to do any kind of business with the group or its associates.

Crackdown on Crypto Mixing

Other cybercriminal groups also use Sinbad to keep various illegal financial activities such as drug trafficking, buying child pornography, and other Dark Web transactions away from the prying eyes of law enforcement. However, global authorities have caught on to the use of crypto mixers and are now starting to monitor and block the activity.

In March, an international law enforcement effort led by the US Department of Justice (DoJ) led to the shuttering another known crypto-mixing service, ChipMixer. Then in May and earlier this month, respectively, the feds also seized one crypto mixer, Blender.io (Blender), and redesignated another, Tornado Cash — both known to be used by Lazarus, they said.

OFAC in April also sanctioned two over-the-counter virtual currency traders who facilitated the conversion of stolen virtual currency to fiat currency for North Korean actors associated with Lazarus.

“While we encourage responsible innovation in the digital asset ecosystem, we will not hesitate to take action against illicit actors," said Deputy Secretary of the Treasury Wally Adeyemo, in a statement. "Mixing services that enable criminal actors, such as the Lazarus Group, to launder stolen assets will face serious consequences.”

Crypto Mixer of Choice

All told, Lazarus, which has been active for more than 10 years, is believed to have stolen more than $2 billion worth of digital assets across multiple cryptocurrency heists, according to the US government.

Sinbad, which operates on the Bitcoin blockchain, has been one of the primary facilitators of the trafficking of these funds as the group's preferred mixing service. The service, which some security experts believe is the successor to Blender, aids cybercriminal transactions by obfuscating their origin, destination, and counterparties, so they are difficult to track.

Some of the larger sums that Lazarus has laundered through the crypto mixer include "a significant portion" of the following crypto heists: $100 million stolen in June from customers of Atomic Wallet; $620 million stolen from Axie Infinity in March 2022; and $100 million nabbed from Horizon Bridge in June 2022. 

Despite being sanctioned and constantly monitored by security researchers and global authorities alike, Lazarus remains undaunted and shows little sign of slowing down. Some of the group's most recent activity includes posing as Meta to deploy a complex backdoor at an aerospace organization, and aiming to lure crypto pros with fake job postings — the latter a common tactic of the group.

There are signs that the mounting pressure on the group has affected them, though. Lazarus recently aligned with other North Korean state-sponsored threat actors to make them collectively harder to track. However, this collaboration also sets the stage for more aggressive and complex cyberattacks that will demand strategic defense and response on the part of targets.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights