
Lazarus Group Uses New Mixer to Launder $100 Million in Stolen Crypto Assets

Vlad CONSTANTINESCU

February 14, 2023


Lazarus Group, the notorious North Korea-linked hacking group, has been spotted circumventing US sanctions on crypto mixers by using a newly available service to launder stolen crypto assets.

According to blockchain analysis company Elliptic, the North Korean cybercrime posse has obfuscated transfers amounting to roughly $100 million in pillaged Bitcoin since October.

Crypto mixers, also referred to as tumblers, are services that pool many users' crypto assets and pay them back out in a way intended to obscure who owns the funds and where they came from.

Last year, the US Treasury’s Office of Foreign Assets Control (OFAC) issued a series of sanctions against crypto mixing services such as Tornado Cash and Blender. The restrictions were imposed due to the $600 million Axie Infinity cross-chain bridge hack, which was attributed to Lazarus Group.

After the restrictions took effect, Blender’s operator reportedly withdrew nearly $22 million in Bitcoin from the service and took it offline. However, new analysis from Elliptic suggests the defunct Blender may have been resurrected under the Sinbad moniker, with the revamped service likely run by the same operator.

“Tens of millions of dollars from Horizon and other North Korea-linked hacks have been passed through Sinbad to date and continue to do so, demonstrating confidence and trust in the new mixer,” reads Elliptic’s announcement. “Like Blender, Sinbad is a custodial mixer, meaning that its operator has full control over the cryptoassets deposited within it. Elliptic analysis indicates that Sinbad is in fact highly likely to be a rebrand of Blender, with the same individual or group responsible for it.”

Several indicators have led the blockchain analysis firm to conclude that Blender and Sinbad are run by the same operator. These include:

  • The services share similar infrastructures, naming conventions and language usage
  • Certain operating details are identical, including transaction delays, mixer code length and guarantee letters
  • Similar on-chain behavior patterns, such as transaction characteristics and transaction obfuscation via third-party services
  • Early incoming transactions to Sinbad adding up to nearly $22 million originated from the suspected Blender operator’s wallet
  • Many Sinbad-related asset transactions, including test transactions and service promotion payments, came from the wallet of Blender’s suspected operator

Author


Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
