Full Report
The DOJ said the men behind Blender.io and Sinbad.io “made it easier for state-sponsored hacking groups” to profit off their crimes. The post Russian nationals charged with operating crypto mixers that masked cybercrime funds appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Operators of Blender.io and Sinbad.io (Russian Nationals)
## Attribution & Identity
The threat actor cluster involves three Russian nationals indicted by the U.S. Department of Justice (DOJ):
* **Roman Vitalyevich Ostapenko** (55)
* **Alexander Evgenievich Oleynik** (44)
* **Anton Vyachlavovich Tarasov** (32; still at large)
They are directly attributed to operating the cryptocurrency mixing services Blender.io and Sinbad.io.
## Activity Summary
The individuals managed fee-based cryptocurrency mixing services, **Blender.io** (operational 2018–2022) and **Sinbad.io** (launched shortly after Blender.io shut down and operational until November 2023). These services were explicitly used to mask the source of funds generated from criminal activities, including ransomware attacks and crypto thefts. The DOJ stated that these mixers acted as "safe havens" that facilitated profits for other cybercriminals, including state-sponsored hacking groups.
## Tactics, Techniques & Procedures
The primary activity described is financial obfuscation rather than traditional network intrusion TTPs:
* **Cryptocurrency Laundering/Mixing:** Using fee-based services to obscure the trail of "criminally derived funds."
* **Operational Security Claims (Blender.io):** Touted a "No Logs Policy" and claimed no personal details were required, assuring anonymity.
## Targeting
* **Sectors:** Cybercrime operations profiting from illicit financing, including ransomware operations.
* **Geography:** The operators are Russian nationals. The services were used globally by those needing to launder crypto.
* **Victims:** Not specific victim organizations, but the services benefited from proceeds generated by ransomware attacks and crypto thefts targeting various entities.
## Tools & Infrastructure
* **Malware families used:** The article does not name specific malware, but the illicit funds originated from **ransomware attacks** and **crypto thefts**.
* **Infrastructure (C2, domains, IPs):**
  * **Blender.io** (operational 2018–2022)
  * **Sinbad.io** (operational until November 2023)
## Implications
This case highlights the successful use of international law enforcement cooperation (involving the FBI, Netherlands’ Financial Intelligence and Investigative Service, and Finland’s National Bureau of Investigation) to dismantle critical infrastructure enabling cybercrime profitability. The services provided by these mixers significantly lowered the barrier for state-sponsored actors and other cybercriminals to monetize their illicit activities without immediate financial tracing.
## Mitigations
* **Financial Sanctions and Enforcement:** Continued application of sanctions against mixing services by bodies like the Treasury Department’s OFAC (both Blender.io and Sinbad.io were previously sanctioned).
* **International Cooperation:** Utilizing international partnerships (as demonstrated by the U.S., Netherlands, and Finland cooperation) to target and dismantle associated criminal infrastructure globally.
* **Cybercrime Investigation:** Focus on financial investigation aspects to disrupt the monetization of ransomware and crypto-related crimes.