What We Know About Sinbad – the Mixer Sanctioned by OFAC for its Use by North Korea

Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned bitcoin mixer Sinbad, calling the service “a key money-laundering tool of North Korea’s OFAC-designated Lazarus Group.” 

According to Treasury, “Sinbad has processed millions of dollars’ worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists. Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces.”

What We Know About Sinbad

Sinbad, which began advertising in October 2022, is like other on-chain mixing services. The mixer helps users obfuscate transactions by taking in users' cryptocurrency, mixing their coins with those of other users, and returning the same amount. 

TRM’s on-chain analysis shows Sinbad is the second largest mixer by volume this year, receiving close to a fifth of all funds sent to mixers in 2023. In addition, TRM data shows a spike in volume to Sinbad during months in which funds from hacks, including Harmony, Atomic, Alphapo, Coinspaid, and Stake moved through the mixer.

‍North Korea’s laundering evolution 

After ethereum-based mixer Tornado Cash was the target of OFAC sanctions in August 2022 and ChipMixer was taken down by law enforcement earlier this year, TRM analysis shows North Korea used Sinbad to launder the proceeds of its more recent hacks, including the Harmony, Atomic, Alphapo, Coinspaid, and Stake and Ronin Bridge hacks. 

For example, in the Harmony Bridge hack, funds which sat dormant after their initial laundering through Tornado Cash in the summer of 2022, suddenly moved through a variety of services and offloaded to apparent OTC brokers earlier this year. The funds were then laundered through Sinbad before eventually being bridged to TRON and converted to USDT. This new laundering model involves the bridging of funds to Bitcoin via the Avalanche Bridge – a much lower cost and still-functional alternative to the Ren Bridge.

TRM also provides detailed analysis on the Atomic Wallet hack here and the Stake.com hack here.

The sanctions designation comes about a month after the United States Treasury Department’s Financial Crimes Enforcement Network (FinCEN) proposed a rule that would require U.S. financial institutions, including cryptocurrency businesses, to monitor and report on transactions involving cryptocurrency mixing services. In its proposed rule, FinCEN points to the use of mixers by North Korea to launder the proceeds of hacks, writing that “cyber threat actors are responsible for a substantial portion” of illicit or stolen funds set to mixers. In the same paragraph, FinCEN calls out Sinbad as used by North Korea in the June 2023 Atomic Wallet Hack. 

According to TRM, over the past five years, North Korean hackers have stolen over USD $2 billion in cryptocurrencies in over 30 attacks.