$100 Million In Stolen Crypto Disguised in Lazarus New Mixer

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Feb 14, 2023 04:51 am PST

Blockchain analysts have uncovered evidence that North Korean hackers have found a way to get around U.S. sanctions to launder the bitcoin gains from their heists. Through a single crypto-mixing business named Sinbad, The Lazarus Group, as the threat actor is often known, has laundered nearly $100 million in stolen Bitcoin since October 2022.

The American government’s OFAC (Office of Foreign Assets Control) Treasury issued sanctions against Blender and Tornado Cash last year after learning that Lazarus had used them to conceal nearly $500 million in cryptocurrencies that had been gained illegally.

The action was initiated in response to the theft of more than $600 million worth of cryptocurrency from the cross-chain bridge of Axie Infinity, which was ultimately linked to the North Korean Lazarus gang. Because they allow for a fee to conceal the source and owners of the funds by combining the assets of many users, bitcoin mixers/tumblers are frequently used by hackers.


The OFAC sanctions did not stop Tornado Cash, but they did stop Blender, whose operator vanished after allegedly stealing about $22 million in Bitcoin from the mixer. Elliptic, a blockchain analysis firm, claims that Blender’s operator very likely launched Sinbad, a new service being utilized by Lazarus to launder money, at the beginning of October 2022.

Lazarus Is Responsible For Significant Crypto Heists

Elliptic’s co-founder and chief scientist, Tom Robinson, says the relationship became apparent following the Harmony Horizon crypt theft in June 2022, resulting in roughly $100 million in losses.

The FBI earlier this year validated Elliptic’s discovery of solid connections to Lazarus by tracking the money through the Tornado Cash mixing service shortly after the hack.

Typically, the actor paired a custodial-based service, such as Blender, with Tornado Cash crypto mixing. But this time, they made use of Sinbad, another Bitcoin mixer.

Robinson claims that despite being “very tiny,” the Sinbad service has been utilized to re-route the money that the Lazarus organization has embezzled. “Tens of millions of dollars have already and are still being sent through Sinbad from Horizon, and other North Korea-related hacks, displaying faith and trust in the new mixer.” The elliptic

Sinbad Mixer Functions Just Like Blender

Blender and Sinbad, in contrast to Tornado Cash, are custodial mixers, meaning that the operator controls every coin that enters the service. As a result, owners feel confident enough to relinquish custody of their funds.

The results of Elliptic’s investigation provide strong evidence that Blender’s operators are also responsible for Sinbad. The researchers revealed a “service” address on the Sinbad website to have received Bitcoin from a wallet that was thought to be linked to the Blender developer.

The $22 million worth of initial transactions going to Sinbad was nearly all funded by the same wallet, which was also used to pay for advertising the new cryptocurrency mixer. A comparable on-chain pattern behavior for both mixers, which includes particular transaction features, was also observed by the researchers in addition to the wallet.

The ten-digit mixer codes, assurance letters signed by the service address, and a maximum seven-day transaction delay are all ways in which the Sinbad mixer functions just like Blender. The usage of name conventions, language, and “a clear nexus to Russia, with Russian-language support and webpages” are other parallels the researchers found in the websites.

Despite being characterized as a single entity, Lazarus really refers to a number of North Korean operators tasked by the leadership with gathering information and embezzling cash to promote priorities and goals at the national level.

Along with concentrating on cryptocurrency exchanges, North Korean threat actors additionally attacked health sector businesses in the US and South Korea with ransomware attacks utilizing several malware strains.


According to Elliptic, a sanctioned cryptocurrency mixer was relaunched under a different name to avoid US investigation and has since been used to clean digital cash for North Korea. The Blender cryptocurrency mixer, which the US sanctioned after Pyongyang used it to launder funds from its Axie Infinity attack, was renamed Sinbad, according to the blockchain analysis firm. Sinbad was first used to launder money from the $100 million Horizon theft after its inception in October 2022, and it has since cleaned tens of millions in stolen crypto-cash for the hermit kingdom. The company Blender and Sinbad are comparable in a number of ways. The Blender operator’s wallet had funds that were used to pay Sinbad promoters in Bitcoin. In order to test the service ahead of launch, Bitcoin was sent to a service address on the Sinbad website from a wallet connected to the Blender operator.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x