The US Treasury Department announced on Friday that it is sanctioning Blender.io, essentially cutting the Bitcoin mixer out of the US financial system (legally speaking, anyway). The department alleges that North Korea used the service, which allows people to obfuscate the record usually maintained by the blockchain, to “support its malicious cyber activities and money laundering of stolen virtual currency.”
According to the Treasury press release, the Lazarus hacking group used Blender.io to launder $20.5 million of cryptocurrency it allegedly stole from the crypto-based game Axie Infinity. The entire proceeds of the hack, which Treasury linked to Lazarus and North Korea in April, were estimated to be worth about $625 million at the time, though a few million dollars in funds have been recovered. The Treasury says that Lazarus is sponsored by the North Korean government and that the country uses hackers to “generate revenue for its illegal weapons of mass destruction (WMD) and ballistic missile programs.”
The Treasury press release says this is the first time it has imposed sanctions against a virtual currency mixer. (It has, however, carried out other crypto-related sanctions, notably last year issuing its first sanction against an exchange.) However, Blender.io wasn’t the only tool the hackers used: the funds stolen from Axie Infinity’s Ronin network were originally in Ethereum and USDC, and Blender operates on Bitcoin; at some point, there had to be a conversion. There are also reports that the hackers routed some of the funds through Tornado Cash, a service meant to make it harder to track transactions.
The US Treasury also alleges that Blender laundered money for ransomware organizations such as Conti, Trickbot, and Sodinokibi (also known as REvil). Now that it is sanctioned, it will not be able to access any of its funds that were stored inside the US, nor will it be able to transact with US companies or citizens.
Blender and other mixers work by pooling deposited funds and then distributing them randomly. Because transactions are recorded on the blockchain, it can be very difficult to use stolen funds without using these kinds of services. The stolen coins go into the blender, and in theory the hackers will get the clean coins back. (And whoever ends up with the stolen coins can point to the blender and say “Well, you can see I didn’t get it out of the wallet myself.”)
As happened with the Axie Infinity hack, governments can sanction wallets that are affiliated with hacking groups, and researchers can track the movement of stolen crypto. If criminals want to convert their ill-gotten cryptocurrencies into, say, Lamborghinis, they need to make sure they don’t get tracked.
Of course, as the Treasury points out, there are perfectly legal uses for this type of service: people could use it to gain some semblance of privacy when making purchases with crypto, for example. But with the department keeping such a close eye on crypto crimes, it is starting to look like companies will have to be very careful about whose money they take and dispose of.