In an ongoing effort to combat North Korea’s significant state-sponsored threat group, Lazarus, the US government has taken action against a key player in the group’s money laundering activities. The US Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Sinbad.io, a virtual currency mixer used by the Lazarus Group to launder funds obtained from cybercriminal activities, according to an OFAC press release.
The recently sanctioned Sinbad service, also known as Sinbad, has reportedly facilitated the laundering of millions of dollars in virtual currency stolen by the Lazarus Group from various crypto heists. Following this move, all Sinbad assets and interests within the US or under US control must be blocked and reported to OFAC. Additionally, individuals within the US are prohibited from any association with the service, and those engaging in transactions with Sinbad may face potential sanctions.
Crypto mixing, a method that employs pools of cryptocurrency to complicate the tracking of electronic transactions, is a favored service among cybercriminals seeking to conceal their illicit activities. In the case of Lazarus, Sinbad was utilized to launder crypto obtained from malicious incidents such as the Horizon Bridge and Axie Infinity heist, as per government statements.
The hacker group is notorious for carrying out cyberattacks on behalf of North Korea’s leader, Kim Jong Un. The group engages in widespread crypto theft through various cyber techniques, including targeting crypto engineers and utilizing compromised systems for crypto mining. These illicit activities are conducted to fund government operations and other endeavors. The US government officially sanctioned Lazarus in 2019, criminalizing any form of business dealings with the group or its affiliates.
Crypto Mixing Crack Down
Sinbad isn’t just a tool utilized by the hacking group; other cybercriminal gangs also use it to hide their shady financial dealings, like drug trafficking and buying child pornography, on the Dark Web. But law enforcement worldwide has caught on to these crypto mixers and is now keeping a close eye on them, putting a stop to their activities.
In March, the US Department of Justice (DoJ) led an international effort to shut down another well-known crypto-mixing service called ChipMixer. Then, in May and earlier this month, federal authorities seized one crypto mixer, Blender.io (Blender), and reclassified another, Tornado Cash—both known to be used by Lazarus, according to their statements.
In April, OFAC also took action by imposing sanctions on two over-the-counter virtual currency traders. These traders were helping convert stolen virtual currency into real money for North Korean actors linked to Lazarus.
Deputy Secretary of the Treasury Wally Adeyemo made it clear that, while supporting responsible innovation in the digital asset world, they won’t hesitate to act against those involved in illicit activities. He stated, “Mixing services that enable criminal actors, such as the Lazarus Group, to launder stolen assets will face serious consequences.”
Lazarus’s Crypto Mixer
Over the past decade, Lazarus, an active cyber threat for more than 10 years, is estimated by the US government to have stolen over $2 billion in digital assets through various cryptocurrency heists.
Operating on the Bitcoin blockchain, Sinbad has played a key role in trafficking these ill-gotten funds as Lazarus’s preferred mixing service. Considered by some security experts as Blender’s successor, Sinbad helps cybercriminals by masking the origin, destination, and parties involved in their transactions, making them hard to trace.
Lazarus has laundered substantial amounts through Sinbad, including a significant portion from major crypto heists: $100 million in June from Atomic Wallet customers, $620 million from Axie Infinity in March 2022, and $100 million from Horizon Bridge in June 2022.
Despite facing sanctions and constant scrutiny from security experts and global authorities, Lazarus continues its activities with determination. Recent actions include posing as Meta to install a sophisticated backdoor at an aerospace organization and using fake job postings to attract crypto professionals—a common tactic for the group.
While there are signs that the pressure is affecting Lazarus, as seen in its collaboration with other North Korean state-sponsored threat actors, this alliance also raises concerns about more aggressive and complex cyberattacks. Targets will need strategic defense and response measures to counter these evolving threats.