OFAC Adds Crypto Mixer ‘Blender.io’ To SDN List

February 12, 2024

Earlier this month, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned virtual currency mixer Blender.io over its links to North Korean state-sponsored malicious cyber group Lazarus Group.  

OFAC sanctioned Blender due to its alleged role in processing $20.5 million of illicit proceeds from the Axie Infinity heist.  The theft, which occurred in March 2022, saw Lazarus steal over $600 million in virtual currency (173,600 ETH and 25.5 million USDC) from the play-to-earn game Axie Infinity by hacking private keys to its sidechain Ronin and forging fake withdrawals.  

Created by the North Korean government in the mid-2000s, Lazarus has been involved in several high-profile attacks against Western targets, including most notably the WannaCry 2.0 ransomware attack that caused an estimated $4 billion in losses worldwide in 2017.  

Since first sanctioning Lazarus in September 2019, OFAC has tied numerous virtual currency addresses to the group. This time, OFAC listed over 40 BTC and ETH addresses.  All BTC addresses were added to Blender’s entry in the SDN list; four new ETH addresses were added to Lazarus’ existing entry.

According to OFAC, Blender “indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties.”  While not in themselves illegal, mixers like Blender – also known as cryptocurrency tumblers – are frequently used to provide anonymity to users, but also to obscure illicit activity.  

Mixers work by pooling together funds from multiple sources and distributing them out at random times, obscuring the path of virtual currency transactions.  As such, they are prone to being used for money laundering.  But they are by no means foolproof.

As shown by OFAC’s sanctioning of Blender, it is possible to trace the origin of cryptocurrency transactions that have gone through mixers using blockchain data.  

This has been demonstrated in recent cases involving the Ethereum-based Tornado.cash mixer.  Earlier in May, crypto investigators were able to follow funds routed through Tornado by a perpetrator of an alleged pump-and-dump scheme.  They did this by linking the size of deposits to withdrawals from the service.  They then followed the thread to a centralised exchange service, where they raised the alarm.  That case has resulted in an active investigation with the FBI.
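The deposit-to-withdrawal size matching described above can be sketched as a simple correlation heuristic. This is an added example, not code from the article or from any investigator's tooling. The 3% fee ceiling, the 72-hour window and every transaction below are constructed assumptions.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample data (not real transactions): (id, time, amount in ETH).
DEPOSITS = [
    ("dep-1", datetime(2022, 5, 1, 10, 0), Decimal("37.5")),
    ("dep-2", datetime(2022, 5, 1, 11, 0), Decimal("10")),
    ("dep-3", datetime(2022, 5, 1, 12, 0), Decimal("10")),
]
WITHDRAWALS = [
    ("wd-1", datetime(2022, 5, 1, 19, 30), Decimal("37.0")),
    ("wd-2", datetime(2022, 5, 2, 9, 0), Decimal("9.9")),
    ("wd-3", datetime(2022, 5, 2, 14, 0), Decimal("9.85")),
    ("wd-4", datetime(2022, 5, 9, 8, 0), Decimal("37.1")),
]

def candidates(deposit, withdrawals, max_fee, window):
    """Withdrawals that could plausibly pay out this deposit."""
    _, d_time, d_amt = deposit
    low = d_amt * (1 - max_fee)  # smallest payout after the assumed fee ceiling
    return [
        w_id for w_id, w_time, w_amt in withdrawals
        if low <= w_amt <= d_amt and d_time < w_time <= d_time + window
    ]

def link(deposits, withdrawals, max_fee=Decimal("0.03"),
         window=timedelta(hours=72)):
    """Map each deposit id to (confidence label, candidate withdrawal ids)."""
    cands = {d[0]: candidates(d, withdrawals, max_fee, window) for d in deposits}
    # Count how many deposits compete for each withdrawal.
    claims = {}
    for ws in cands.values():
        for w in ws:
            claims[w] = claims.get(w, 0) + 1
    result = {}
    for d_id, ws in cands.items():
        if len(ws) == 1 and claims[ws[0]] == 1:
            label = "strong"      # one-to-one match, no competing pairing
        elif ws:
            label = "ambiguous"   # several plausible pairings remain
        else:
            label = "none"
        result[d_id] = (label, ws)
    return result
```

An unusual amount such as 37.5 links one-to-one, while the two identical 10 ETH deposits stay ambiguous because each could pair with either withdrawal.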

Notably, Tornado Cash was reportedly used to process 21,000 ETH ($56 million) in proceeds from the Axie Infinity heist.  It is highly likely that investigators were able to follow traces from the service once stolen funds were deposited.  

It is possible that Lazarus knew this.  Data shows it used a variety of methods to cover its tracks, including decentralised exchanges - where KYC is not required - to swap USDC for ETH.  

So what can we tell from this?  Certainly that the speed of innovation in crypto is driving threats; but that very same innovation is creating new opportunities for crime fighters.  Expect more updates from OFAC!

All ETH addresses have been added to our Ethereum red flag checker: ethscamcheck.io
All BTC addresses have been added to Hoptrail’s databases.
