
A federal grand jury in the Northern District of Georgia has charged three Russian individuals with operating cryptocurrency mixing services Blender.io and Sinbad.io, which authorities allege were utilized to launder illegal funds, including money obtained from ransomware attacks and wire fraud.
Roman Vitalyevich Ostapenko, 55, and Alexander Evgenievich Oleynik, 44, were taken into custody on December 1, 2024, almost a year after the online infrastructure of Sinbad.io was dismantled during a coordinated international law enforcement effort involving agencies from the Netherlands, Finland, and the FBI. The third suspect, Anton Vyachlavovich Tarasov, 32, is still evading capture.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Sinbad.io. The press release explains that Sinbad.io was used by cybercriminals for various illegal activities, such as drug trafficking, evading sanctions, and trading in prohibited goods. This move follows OFAC’s 2022 sanctions against two other mixers, Tornado Cash and Blender.io, both of which are tied to the Lazarus Group and offered it mixing services.
“… Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”
Three additional individuals played a role in aiding North Korea’s illegal operations, which encompass cybercrime and the funding of its weapons of mass destruction (WMD) and ballistic missile initiatives. These individuals are Wu Huihui, Cheng Hung Man, and Sim Hyon Sop. Wu Huihui and Cheng Hung Man, both engaged in over-the-counter (OTC) virtual currency trading, helped convert stolen digital assets into traditional currency for North Korean cyber operatives, including the notorious Lazarus Group. In 2021, Wu facilitated transactions worth millions, while Cheng employed front companies to evade financial regulations. Furthermore, Sim Hyon Sop, who serves as a deputy representative for Korea Kwangson Banking Corp (KKBC), was responsible for orchestrating illegal financial transfers to bolster DPRK operations.
The Lazarus Group is a cybercriminal entity established by the North Korean government around 2007. This group has a broad focus, targeting various sectors such as government, military, finance, manufacturing, media, and critical infrastructure. They employ a range of tactics, including cyber espionage, data breaches, financial theft, and the deployment of malware to carry out their nefarious operations. The organization operates under the North Korean 110th Research Center, which is part of the 3rd Bureau of the Reconnaissance General Bureau (RGB), the body responsible for the nation’s cyber initiatives. The RGB, recognized as North Korea’s primary intelligence agency, is also involved in arms trafficking and was sanctioned by the U.S. Department of the Treasury in 2015 and by the United Nations in 2016 due to its participation in illegal activities.
This group has been implicated in the theft of over $2 billion in digital assets, aiding North Korea’s illicit programs. The sanctions effectively froze Sinbad’s assets within the U.S. and forbade U.S. individuals from any dealings with it. The goal of these sanctions was to disrupt unlawful financial operations and promote responsible innovation in the realm of digital assets.
The indictment reveals a concerning narrative about how these mixers, designed to conceal the origins of cryptocurrency transactions, were exploited by cybercriminals worldwide. These services enabled users to obscure the source of their funds, often aiding in the laundering of money acquired through ransomware, virtual currency thefts, and various other illegal activities.
Brent S. Wible, Principal Deputy Assistant Attorney General and head of the Justice Department’s Criminal Division, stressed the severity of the case. “By allegedly operating these mixers, the defendants made it easier for state-sponsored hacking groups and other cybercriminals to profit from offenses that jeopardized both public safety and national security,” Wible said. “This indictment and the arrests announced today demonstrate the power of international partnerships in fighting cybercrime on a global scale.”
Blender.io, active from 2018 to 2022, was succeeded by Sinbad.io after Blender’s closure. Both platforms were created to enable users to send cryptocurrency anonymously, effectively hiding the source of the funds. Although they appeared harmless at first glance, these services were misused by criminals aiming to obscure their activities following offenses like ransomware attacks and fraud.
Blender.io had an extensive reach and was even advertised on an online forum as having a “No Logs Policy,” ensuring that users’ identities and transaction details remained private. The mixer gained notoriety for its role in laundering funds for North Korea-linked hackers and various ransomware groups, including the infamous Lazarus Group. Following its seizure, Sinbad.io took over the same operations and continued to serve as a hub for money laundering until its takedown in late 2023.
Both mixers were penalized by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) because of their connections to criminal organizations and state-sponsored hacking groups. Blender.io received sanctions in May 2022, while Sinbad.io was sanctioned later in November 2023.
The indictment presents serious allegations: Ostapenko is charged with one count of conspiracy to commit money laundering and two counts of running an unlicensed money transmitting operation. Meanwhile, Oleynik and Tarasov each face one count of conspiracy to commit money laundering and one count of operating an unlicensed money transmitting business. If found guilty, the defendants could face up to 20 years in prison for money laundering and a maximum of five years for running an unlicensed operation.
U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia emphasized the significance of the case in the broader fight against cybercrime. “Blender.io and Sinbad.io were used by criminals worldwide to launder funds stolen from victims of ransomware and other crimes,” Buchanan said. “This indictment is a reminder of our commitment to dismantling the infrastructure that allows cybercriminals to profit from their offenses.”
The investigation has been a collaborative effort between law enforcement agencies worldwide, with significant contributions from the Netherlands’ Public Prosecution Service, the Australian Federal Police, and Finland’s National Bureau of Investigation.
As authorities continue their efforts to bring cybercriminals to justice, this case underscores the growing international cooperation needed to combat the rising threat of online crime. The global reach of cryptocurrency, when exploited by bad actors, poses significant challenges to law enforcement—but also highlights the importance of cross-border collaboration in dismantling criminal networks.