Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
The U.S. Treasury Department has sanctioned Blender, a cryptocurrency mixing service used by North Korea as part of its hacking and money laundering campaigns, according to an announcement from the agency published on Friday.
The move is the first time the Treasury Department has sanctioned a cryptocurrency mixer, which are services that mix tokens with a larger pool in order to obscure their origins. While these services are general-purpose privacy tools similar to Tor, they’ve also become a fixture of crypto hacking campaigns. The move signals that the U.S. government won’t stop at only sanctioning rogue cryptocurrency exchanges or individual wallets, but will also target other parts of the cryptocurrency supply chain that don’t comply with its sanctions regime.
“Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by the DPRK [Democratic People’s Republic of Korea] and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a statement published with the announcement. The DPRK has an established pattern of launching large scale, financially motivated hacks to then provide funding for its nuclear program.
Do you work for a cryptocurrency mixing service? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Blender has existed since 2017 and has helped transfer more than $500 million worth of Bitcoin, according to the Treasury Department’s announcement. On its website, Blender tells users they “will be able to conduct completely anonymous transactions without using VPN.” The service takes a fee ranging from 0.6 percent to 2.5 percent for each operation, and an extra 0.0003 BTC for each target address, its website adds.
Although a third-party may have more difficulty following who was behind a certain set of transactions if they use a mixer than if they hadn’t, cryptocurrency exchanges may see any Bitcoin coming to them from a mixer as suspicious.
“The mixer neither cleans bitcoins nor guarantees that the mixing result will have a low scoring risk and will not be blocked by an exchange. Sometimes the mixing result has a low scoring risk; however, it is not guaranteed and achieving a low risk is not the mixer’s primary function. The main goal of the mixer is to anonymize bitcoins by breaking the link between your transactions before and after the mixing,” Blender’s website adds.
Blender.io did not immediately respond to a request for comment.
Specifically, the Treasury Department’s announcement pointed to the recent hack of Ronin, a bridge used by the play-to-earn cryptocurrency game Axie Infinity. During that incident, hackers stole around $620 million worth of cryptocurrency. The U.S. government later attributed the theft to Lazarus Group, a hacking outfit commonly believed to be sponsored by the North Korean state. The announcement said that Blender was used to launder over $20.5 million of those stolen funds.
The Treasury Department said it has found Russian-linked ransomware groups such as Conti and Trickbot have also used Blender.
As for what the sanctions mean, all transactions by U.S. persons or within the United States with Blender are prohibited unless approved by the Treasury Department.
Blender isn’t the only mixer used by criminals, or even North Korea. Tornado Cash is another popular mixing service for Ethereum, and millions of dollars worth of cryptocurrency linked to North Korean hackers have been moved through it in recent months. While the developers behind Tornado Cash say they have no control over the software—having disposed of their cryptographic keys—it did implement a tool to block sanctioned addresses from accessing the service’s front end.