The coin mixer Blender has likely rebranded and could still be in use among North Korean groups, according to a report from analytics firm Elliptic on Feb. 13.
Elliptic says that although Blender stopped operating in April 2022, it has likely rebranded as “Sinbad” based on several facts and patterns it has observed.
Blender’s operator is suspected of sending $22 million of early Bitcoin transactions to Sinbad, plus a separate amount sent to a “service” address. Blender’s operator likely sent Bitcoin to a wallet that also paid Sinbad’s promoters.
Elliptic also noted several similarities between Sinbad and Blender by comparing their on-chain behavior, various features, and respective websites. The firm noted that both mixers could be tied to Russia through their supported languages and websites.
Elliptic also observed that Blender and Sinbad were used in two blockchain attacks by North Korea’s state-sponsored Lazarus Group.
Lazarus attacked Ronin Bridge (associated with the blockchain game Axie Infinity) for more than $540 million in March 2022. Following that attack, Lazarus managed to launder $475 million of that amount through various coin mixers, one of which was Blender.
Lazarus then attacked the cross-chain bridge Horizon in June 2022, stealing $100 million. When Sinbad went live months later in October, Lazarus used it to launder nearly $100 million stolen from Horizon and other targets, Elliptic said.
A separate mixer — Tornado Cash — was also used in both attacks. It continues to operate despite the sanctions imposed by the U.S. Treasury and its Office of Foreign Assets Control (OFAC) in August 2022. Elliptic said that Sinbad could face similar sanctions, adding that Blender and Sinbad addresses are already flagged in its compliance services.
Despite their use in money laundering and recent attention from enforcement, coin mixers have legitimate uses and can be used to perform private transactions.