Treasury Department
treasury-building

US Treasury sanctions cryptocurrency mixer for first time, citing Ronin Network hack

The U.S. Treasury Department on Friday sanctioned a cryptocurrency mixing service for the first time, citing evidence that it was used to launder funds stolen by North Korean state-backed hackers.

The department's Office of Foreign Assets Control (OFAC) said the Blender.io service was used to process more than $20.5 million in illicit proceeds from a March attack on the Ronin Network, which connects the Axie Infinity online game to the Ethereum blockchain. That incident, which cost the company more than $620 million at the time, was linked to North Korean hackers known as the Lazarus Group.

“Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests," said Brian E. Nelson, undersecretary of the Treasury for terrorism and financial intelligence. "We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”

Blender.io has services that operate in English and Russian, and cybercrime researchers have cited it as one of the most popular mixers. The operators had not posted anything on the website or their Telegram channels about the sanctions as of Friday morning. The service did not immediately reply to an email from The Record. In the past, Blender.io has provided information through the bitcointalk.org forum. Its most recent post was about a temporary shutdown on April 5.

The Blender.io website was unavailable as of 10 a.m. Eastern time.

The Treasury attributed the Ronin Network hack to the Lazarus Group in mid-April. On Friday, OFAC added more Lazarus Group-linked cryptocurrency wallets to its list of sanctioned entities. OFAC initially sanctioned the group in September 2019.

Friday's announcement takes a dim view of cryptocurrency mixers, which are often touted as a way for coin owners to protect their privacy.

"Blender.io (Blender) is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties," OFAC said. "Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations." 

The investigation also found links to transactions by Russia-linked ransomware groups "including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab," OFAC said. Cryptocurrency-tracking company Elliptic noted Friday in a blog post that Blender.io also was probably used "to launder funds from Hydra market, a Russian language darknet market which was sanctioned by OFAC earlier this month." 

Authorities and cryptocurrency exchanges continue to track the proceeds from the Ronin Network heist. In late April the Binance exchange said it was freezing $5.8 million in funds linked to the attack. When OFAC first attributed the attack to Lazarus, analysts at Elliptic noted that millions of dollars' worth of digital assets from the incident already had moved through various services.

Andrew Fierman, head of sanctions strategy at crypto-tracking company Chainalysis, said the OFAC announcement means North Korea-linked hackers "have one less place to turn" for moving cryptocurrency.

"Thanks to the transparency of the blockchain, authorities are making it more and more difficult for illicit actors to launder and cash out their ill-gotten gains," Fierman said.

Lazarus Group's interest in cryptocurrency has increased in recent years as the North Korean government continues to look for ways to bring in money while evading global sanctions for its nuclear program and other offenses.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Joe Warminsky

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.