Full Report
The U.S. announced indictments of three Russian nationals who allegedly ran the cryptocurrency mixers Blender.io and Sinbad.io in support of cybercriminal operations. Two have reportedly been arrested.
Analysis Summary
# Threat Actor: Operators of Blender.io and Sinbad.io (Russian Nationals)
## Attribution & Identity
* **Identified Individuals (Russian Nationals):** Roman Vitalyevich Ostapenko (arrested), Alexander Evgenievich Oleynik (arrested), and Anton Vyachlavovich Tarasov (at large).
* **Associated Groups/Users:** Primarily used by nation-state actors, specifically North Korea’s **Lazarus Group**, as well as various cybercriminals, including ransomware groups (e.g., Trickbot, Conti, Ryuk, Sodinokibi, Gandcrab).
* **Known Aliases:** The platforms themselves, **Blender.io** (operated 2018–2022) and **Sinbad.io** (operated subsequently, considered a likely successor to Blender.io).
## Activity Summary
The article focuses on the indictment of the three Russian operators for running the cryptocurrency mixing services Blender.io and Sinbad.io. These mixers were used extensively to launder illicitly obtained cryptocurrency, notably funds stolen by North Korean state-sponsored hackers (Lazarus Group) and proceeds from ransomware attacks. Sinbad.io was officially sanctioned by the U.S. Treasury in November 2023.
**Key Campaigns/Usage:**
* Laundering proceeds from major crypto thefts attributed to Lazarus Group, including the **Atomic Wallet heist ($100M)**, **Axie Infinity ($620M+)**, and **Horizon Bridge ($100M)**.
* Laundering funds stolen from ransomware operations (Trickbot, Conti, Ryuk, etc.) and wire fraud.
* Blender.io was also used to launder funds from the Russian language darknet market **Hydra**.
* Sinbad was also implicated in laundering funds from major hacks against **Stake.com ($41M)**, **CoinEx ($70M)**, **FTX ($477M)**, and **BadgerDAO ($120M)**.
## Tactics, Techniques & Procedures
* **Obfuscation of Transactions:** The core service offered was the obfuscation of the origin, destination, and parties involved in cryptocurrency transactions, effectively laundering the funds.
* **No-Logging Policy:** Blender.io specifically advertised a policy of having **no logs** tracking user activity.
* **Minimal KYC:** Advertisements for Blender promised users would not have to provide "any kind of detail except the receiving address!"
* **Infrastructure Persistence:** Evidence showed infrastructure ties between Blender.io and Sinbad.io, including shared cryptocurrency wallets.
* **Monetization:** Facilitating illicit finance for high-profile criminal and state-sponsored actors.
## Targeting
* **Sectors:** Financially motivated cybercrime (the mixers laundered ransomware proceeds, so the downstream victims are ransomware targets) and organizations compromised by state-sponsored hacking groups.
* **Geography:** Operators are stated as Russian nationals. The services were used globally by various cybercriminal entities.
* **Victims:** Victims of significant cryptocurrency thefts and ransomware incidents (specific victims listed in Activity Summary).
## Tools & Infrastructure
* **Malware Families (of the actors that used the mixers):** Trickbot, Conti, Ryuk, Sodinokibi, Gandcrab.
* **Infrastructure (Mixer Platforms):** Blender.io and Sinbad.io.
* **Infrastructure (Operational):** Shared cryptocurrency wallets noted between the two platforms.
## Implications
The successful indictment and dismantling of these mixers represent a significant regulatory and law enforcement victory against the financial pipelines enabling major ransomware groups and North Korean state-sponsored cyber espionage/theft operations. It signals continued commitment by the DOJ and Treasury to target the infrastructure supporting illicit crypto finance, even when used by nation-state actors.
## Mitigations
* **Transaction Monitoring:** Implement robust blockchain tracing and monitoring tools capable of identifying relationships between known sanctioned addresses (like those associated with Lazarus Group) and newly mixed funds.
* **Supply Chain Risk Management:** Recognize that ransomware groups depend on these laundering pathways to cash out proceeds; disruptions to mixer services impose friction on threat actors.
* **Regulatory Compliance/Sanctions Awareness:** Organizations dealing with cryptocurrency should adhere strictly to OFAC sanctions lists targeting crypto mixers and associated entities.
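The first and third mitigations above (tracing exposure to sanctioned addresses, and screening against an OFAC-style list) are simplest to see as a hop-distance exposure check over a transaction graph. The following is an added example, not code from the report or from any tracing vendor: the sanctions list, the addresses and the transaction log are constructed placeholders, and a real deployment would load the current OFAC SDN entries and chain data from a tracing provider. A single mixing step breaks the direct edge this check follows, so it should be read as the baseline that vendor clustering heuristics build on rather than a complete answer to mixed funds.

```python
"""Sanctions-exposure screening over a transaction graph (added example).

Walks forward from every sanctioned address and records, for each reachable
address, how many hops away it is and the shortest path of transaction ids.
A deposit is then blocked, flagged for review, or cleared by that distance.
"""
from collections import deque

# Constructed sanctions list: placeholder addresses, not real SDN entries.
SANCTIONED = {
    "bc1qsanctioned0001": "LAZARUS (constructed placeholder)",
    "bc1qsanctioned0002": "MIXER-DEPOSIT (constructed placeholder)",
}

# Constructed transaction log: (txid, from_addr, to_addr, amount_btc).
TRANSACTIONS = [
    ("tx01", "bc1qsanctioned0001", "bc1qhop1aaaa", 12.5),
    ("tx02", "bc1qhop1aaaa", "bc1qhop2bbbb", 12.4),
    ("tx03", "bc1qhop2bbbb", "bc1qcustomer01", 6.0),
    ("tx04", "bc1qcleanpayer", "bc1qcustomer02", 1.0),
    ("tx05", "bc1qsanctioned0002", "bc1qcustomer03", 0.3),
]


def build_graph(txs):
    """Adjacency map of outgoing edges: from_addr -> [(to_addr, txid)]."""
    graph = {}
    for txid, src, dst, _amount in txs:
        graph.setdefault(src, []).append((dst, txid))
    return graph


def sanctions_exposure(graph, sanctioned, max_hops=3):
    """Breadth-first search forward from every sanctioned address.

    Returns {address: (hops, [txids on the shortest path])} for every address
    within max_hops of a sanctioned one; sanctioned addresses sit at hop 0.
    """
    exposure = {}
    queue = deque()
    for addr in sanctioned:
        exposure[addr] = (0, [])
        queue.append((addr, 0, []))
    while queue:
        addr, hops, path = queue.popleft()
        if hops == max_hops:
            continue  # do not expand past the configured depth
        for nxt, txid in graph.get(addr, []):
            if nxt in exposure:
                continue  # BFS order guarantees the first visit is shortest
            new_path = path + [txid]
            exposure[nxt] = (hops + 1, new_path)
            queue.append((nxt, hops + 1, new_path))
    return exposure


def screen_deposit(address, exposure, block_within_hops=1):
    """Policy: block at or below block_within_hops, review if otherwise
    exposed within the search depth, clear when no path was found."""
    if address not in exposure:
        return "clear"
    hops, _path = exposure[address]
    return "block" if hops <= block_within_hops else "review"


def screening_report(addresses, exposure, block_within_hops=1):
    """Verdict plus evidence path for each address, for an analyst queue."""
    report = {}
    for addr in addresses:
        verdict = screen_deposit(addr, exposure, block_within_hops)
        hops, path = exposure.get(addr, (None, []))
        report[addr] = {"verdict": verdict, "hops": hops, "path": path}
    return report


if __name__ == "__main__":
    graph = build_graph(TRANSACTIONS)
    exposure = sanctions_exposure(graph, SANCTIONED, max_hops=3)
    customers = ["bc1qcustomer01", "bc1qcustomer02", "bc1qcustomer03"]
    for addr, row in screening_report(customers, exposure).items():
        print(f"{addr}: {row['verdict']} (hops={row['hops']}, path={row['path']})")
```

The depth and block threshold are policy knobs: a one-hop block with a three-hop review window is a common starting point, but the review queue is where tracing-vendor clustering and the "newly mixed funds" relationships the mitigation refers to have to be added, because mixed outputs will not appear on any path this search finds.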