According to a report by analytics firm Elliptic, the coin mixer Blender has likely rebranded and may still be in use among North Korean groups. February 13th.
Elliptic says Blender ceased operations in April 2022, but was likely rebranded as ‘Sinbad’ based on some facts and patterns observed.
Blender’s operator is suspected of sending an initial Bitcoin transaction of $22 million to Sinbad and another amount to a ‘service’ address. The Blender operator may have sent bitcoin to a wallet that also paid for the Sinbad promoter.
Elliptic also pointed out some similarities between Sinbad and Blender by comparing their on-chain behavior, different features, and their respective websites. The company noted that both mixers can be connected to Russia through supported languages and websites.
Elliptic also confirmed that Blender and Sinbad were used in two blockchain attacks by the North Korean-backed Lazarus Group.
Lazarus attacked Ronin Bridge (related to blockchain game Axie Infinity) in March 2022 for over $540 million. Following that attack, Lazarus was able to launder his $475 million in that amount through his mixer of various coins. One of them he was Blender.
Lazarus then attacked cross-chain bridge Horizon in June 2022 and stole $100 million. Months later, when Sinbad went live in October, Lazarus used it to launder about $100 million stolen from Horizon and other targets, Elliptic said.
Another mixer, Tornado Cash, was also used in both attacks. It continues to operate despite sanctions imposed by the US Treasury Department and its Office of Foreign Assets Control (OFAC) in August 2022. Elliptic said Sinbad could face similar sanctions, adding that Blender and Sinbad addresses have already been flagged with compliance services.
Despite their use in money laundering and recent law enforcement attention, coin mixers have legitimate uses and can be used to conduct personal transactions.