Full Report
The U.S. Department of Justice (DoJ) on Friday indicted three Russian nationals for their alleged involvement in operating the cryptocurrency mixing services Blender.io and Sinbad.io. Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested on December 1, 2024, in coordination with the Netherlands' Financial Intelligence and Investigative Service, Finland's National Bureau of
Analysis Summary
# Threat Actor: Operators of Blender.io and Sinbad.io (Attributed to Russian Nationals)
## Attribution & Identity
The individuals charged are three Russian nationals:
* **Roman Vitalyevich Ostapenko** (Arrested December 1, 2024)
* **Alexander Evgenievich Oleynik** (Arrested December 1, 2024)
* **Anton Vyachlavovich Tarasov** (Still at large)
They are accused of operating the cryptocurrency mixing services **Blender.io** and **Sinbad.io**.
## Activity Summary
The primary activity described involves the operation of cryptocurrency mixers to launder funds derived from criminal activities.
* **Blender.io:** Launched in 2018, this mixer was sanctioned by the U.S. Treasury Department in May 2022. It was known to have been used by the Lazarus Group and Russia-aligned ransomware gangs (TrickBot, Conti, Sodinokibi/REvil, Gandcrab). Blender ceased operations shortly before its sanction, but allegedly rebranded.
* **Sinbad.io:** Elliptic suggested this service was the rebranded relaunch of Blender, appearing in early October 2022. Its online infrastructure was seized and it was sanctioned by the U.S. Treasury for processing millions from Lazarus Group heists.
* The services functioned as "safe havens" designed to obfuscate the source of cryptocurrency derived from ransomware and wire fraud proceeds.
## Tactics, Techniques & Procedures
The core TTP leveraged by the operators/service was **cryptocurrency mixing/tumbling** to obfuscate transaction origins.
* **Obfuscation of Source:** Allowing paying users to send cryptocurrency to designated recipients in a manner designed to obscure the funds' criminal origins.
* **Money Laundering:** Facilitating money laundering for organized cybercrime groups.
* **Policy Exploitation:** Blender advertised a "No Logs Policy," deleted traces of user transactions, and required minimal onboarding ("not requiring users to sign up, register, or provide any kind of detail except the receiving address").
## Targeting
* **Sectors:** The service supported criminals across various sectors, specifically those laundering proceeds of **ransomware**, **wire fraud**, and **virtual currency thefts**.
* **Geography:** Operators are Russian nationals; the service was used globally by various cybercriminal groups.
* **Victims:** Mentioned victims include those impacted by breaches that utilized Lazarus Group (e.g., Ronin Bridge hack) and ransomware gangs like Conti and REvil.
## Tools & Infrastructure
* **Malware/Services:** Blender.io, Sinbad.io (Cryptocurrency Mixers/Tumblers).
* **Infrastructure:** The services were laundering infrastructure operating on cryptocurrency networks rather than traditional C2 infrastructure. No specific domain or IP details are provided in the summary beyond the service names.
## Implications
The indictment highlights successful international law enforcement coordination (US DoJ, Netherlands FIIS, Finland NBI, FBI) against the critical financial infrastructure used by ransomware gangs and state-sponsored actors (like Lazarus Group) to monetize their activities. The continued operation of mixers under new branding (Blender rebranding as Sinbad) demonstrates the persistence of these money laundering facilitators.
## Mitigations
* **Blockchain Forensics/Intelligence:** Using chain analysis firms (like Elliptic and Chainalysis) to trace funds moved through mixers.
* **Regulatory Action:** Sanctioning and seizing the infrastructure of known mixing services (as seen with Blender and Sinbad).
* **Law Enforcement Coordination:** International collaboration is essential for arresting operators across jurisdictions.