North Korean hackers have found a way around sanctions imposed by the United States to launder cryptocurrency proceeds from their heists, according to evidence uncovered by blockchain analysts.

The Lazarus Group, as the threat actor is commonly known, has laundered approximately $100 million worth of stolen Bitcoin since October 2022 through a single crypto-mixing service called Sinbad.

Lazarus behind major crypto heists

Last year, the US Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against cryptocurrency mixing services Blender and Tornado Cash, which Lazarus had used to launder nearly $500 million in crypto – money obtained illegally.

The measurement was taken after more than $600 million in crypto assets were stolen from the cross-chain bridge of Axie Infinity in a hack later attributed to the North Korean group Lazarus.

Hackers often use cryptocurrency mixers/tumblers because, for a fee, they allow hiding the origin and owners of funds by mixing the assets of a larger number of users.

While OFAC sanctions didn’t stop Tornado Cash, they did put an end to Blender, whose operator disappeared after apparently withdrawing nearly $22 million in Bitcoin from the blender.

According to blockchain analytics company Ellipticalthe operator of Blender most likely launched in early October 2022 a new service called Sinbad, which is used by Lazarus to launder assets.

Switching to the new mixer

Tom Robinsonco-founder and chief scientist of Elliptic, told BleepingComputer the connection emerged after the Harmony Horizon Crypt heist in June 2022, which resulted in losses of approximately $100 million.

Shortly after the hack, Elliptic has found strong ties with Lazarussomething that the The FBI confirmed earlier this yearby tracking funds through the Tornado Cash mixing service.

Typically, the actor has combined Tornado Cash crypto mixing with a custodial-based service, like Blender. This time however, they used another Bitcoin mixer called Sinbad.

Robinson says that although the Sinbad service is “relatively small”, it has been used to launder funds stolen from the Lazarus Group.

Strong links between Blender and Sinbad mixers

Unlike Tornado Cash, Blender and Sinbad are custodial mixers, which means that all cryptocurrencies that enter the service are under the control of the operator; so owners feel confident enough to relinquish control of their funds.

Elliptic’s analysis shows with great confidence that Sinbad is operated by the same individual or group that was behind Blender.

The researchers discovered that a “service” address on the Sinbad site was receiving Bitcoins from a wallet believed to belong to the operator of Blender.

The same wallet was used to pay for the promotion of the new crypto mixer and to fund almost all of the initial transactions to Sinbad, around $22 million.

Besides the wallet, the researchers also noticed a similar on-chain pattern behavior for both mixers, which includes transaction-specific features.

Other commonalities the researchers observed include strong similarities in websites, use of naming conventions, language, and “a clear connection to Russia, with support and websites in Russian.”

Although considered a single group, Lazarus defines several North Korean operators commissioned by the government to collect intelligence and steal money to support national priorities and goals.

In addition to targeting cryptocurrency exchanges, North Korean threat actors have also engaged in ransomware attacks using multiple strains of lockers against healthcare organizations in the United States and South Korea.