North Korea's Lazarus Group rebrands Crypto mixer Blender to Sinbad, says Elliptic

Hackers affiliated with North Korean government, who are sometimes referred to as the Lazarus Group, are using a new tool to launder stolen virtual currency, according to crypto-tracing firm Elliptic Enterprises, which said that the threat actor has laundered about $100 million in stolen Bitcoin since October 2022 through a single crypto-mixing service called 'Sinbad'. 

The new laundering tool 'Sinbad', is likely to be a related successor to another crypto mixer called 'Blender', which was sanctioned by the US Treasury Department in May 2022, said the blockchain analytics firm, which believes that the sanctioned “coin mixer” used by criminals to launder money appears to have been relaunched under a different name.  

“Blender is back”, crypto researchers Elliptic said, explaining that the app that was sanctioned last year by the US Treasury Department’s Office of Foreign Assets Control (OFAC) had “highly likely” been re-launched as Sinbad and is being used by North Korean state-sponsored hacking group Lazarus Group, said Elliptic, adding that after Blender was shut down, Sinbad “soon began to be used to launder the proceeds of Lazarus hacks”.   

As the name implies, mixers — also known as tumblers — pool together cryptocurrency deposited by many users and mix them. These are platforms that allow people to anonymously send and receive cryptocurrencies like Bitcoin or Ethereum by combining them to obfuscate their source and destination. Criminals who want to launder money or cover their tracks after stealing crypto typically use coin mixers to cover their tracks.  

Coin mixers made headlines last year when OFAC blacklisted US citizens from using Tornado Cash, an Ethereum coin mixer also used by Lazarus. According to OFAC, Blender was used by hackers in North Korea to “support its malicious cyber activities and money-laundering of stolen virtual currency”. The app closed in April 2022, but since then, Sinbad has since been active.   

The Federal Bureau of Investigation (FBI) said that Lazarus is the group behind a number of crypto hacks, such as the Horizon hack of June 2022 (the cross-chain Horizon bridge feature enables crypto holders to move assets between Harmony's network and the Ethereum network, Binance Chain and Bitcoin), where thieves took $100 million and Bangladesh Bank Heist of 2016, to name a few.   

Elliptic claimed today that “tens of millions of dollars from Horizon and other North Korea-linked hacks have been passed through Sinbad to date and continue to do so, demonstrating confidence and trust in the new mixer”.   

While privacy advocates tout cryptocurrency mixers as an important way to protect individual users’ identities, a new report from blockchain intelligence firm Chainalysis says that the largest portion of crypto sent to mixers in 2022 has been from cybercriminals and nation states.  

"Illicit addresses account for 23% of funds sent to mixers so far in 2022, up from 12% in 2021," a report published in July 2022 by Chainalysis.  

The report added that mixers' core functionality, combined with the fact that they rarely, if ever, ask for KYC [Know Your Customer] information, makes them naturally attractive to cybercriminals. That said, cryptocurrency mixers allow users to erase the digital money trail left by most transactions on blockchain networks like Bitcoin and Ethereum and therefore make it harder to follow the trail that would be publicly and easily accessible on the blockchain.  

Cyber criminals have also used other novel ways to carry out hacks and exploits, with over $2.8 billion of cryptocurrency stolen in the first six months of 2022. A report by CoinGecko using data sourced from DeFiYield’s REKT Database also noted that these methods include bypassing verification processes, market manipulation, and ‘crowd looting’ as well as smart contract and bridge exploits.