Full Report
Three Russian men have been indicted on money laundering charges connected to cryptocurrency mixers
Analysis Summary
# Threat Actor: Operators of Blender.io and Sinbad.io (Alleged Russian Trio)
## Attribution & Identity
* **Identified Individuals:** Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov.
* **Attribution:** Alleged Russian nationals charged by a U.S. federal grand jury with money laundering offenses.
* **Associated Groups/Platforms:** Operators of the cryptocurrency mixers **Blender.io** and **Sinbad.io**. These platforms were previously sanctioned by the Treasury’s Office of Foreign Assets Control (OFAC).
## Activity Summary
The individuals were allegedly involved in operating and managing the cryptocurrency mixing services Blender.io and Sinbad.io, which were specifically used to launder stolen cryptocurrency funds.
* **Blender.io:** Operated from 2018 to 2022. Advertised a "No Logs Policy", claiming that records of transactions were deleted.
* **Sinbad.io:** Emerged a few months after Blender.io shut down, offering similar mixing services. It was taken offline on November 27, 2023, following law enforcement action.
## Tactics, Techniques & Procedures
The primary TTP described relates to financial obfuscation:
* **Financial Obfuscation:** Operating cryptocurrency mixers (Blender.io and Sinbad.io) to break the link between illicitly obtained funds and their origins.
* **Deceptive Policies:** Advertising a "No Logs Policy" to assure users (including illicit actors) that their transaction history would not be retained.
* **Platform Cycling:** Shutting down one service (Blender.io) only to promptly launch a successor (Sinbad.io) to maintain operations.
* **Service to Sanctioned Actors:** The mixers were revealed *after* the fact to have been heavily used by ransomware actors and North Korean hackers to launder stolen funds. (The source text provides no MITRE ATT&CK IDs for the mixer operation itself; coin mixing is a post-intrusion laundering activity rather than an enterprise intrusion technique, so no ATT&CK mapping is asserted here.)
## Targeting
* **Sectors:** No industry sector was targeted directly; the mixers served malicious actors, including ransomware groups and state-sponsored actors (North Korean hackers), so the activity sits in the **cybercrime and money-laundering** space.
* **Geography:** The alleged operators are Russian citizens. The services had global reach via the cryptocurrency ecosystem.
* **Victims:** The ultimate victims are those whose cryptocurrency was stolen and subsequently laundered through these mixers (e.g., victims of ransomware attacks).
## Tools & Infrastructure
* **Malware Families Used:** Not specified, but the services were used by ransomware operators.
* **Infrastructure:**
  * Cryptocurrency mixing platforms: **Blender.io** and **Sinbad.io**.
  * No specific C2 domains or IP addresses are provided in the summary text.
## Implications
The charging of the operators represents a significant step in disrupting the financial infrastructure supporting major cybercrime, particularly state-sponsored hacking groups (like those from North Korea) attempting to cash out stolen digital assets. The successful shutdown of both services indicates increasing international law enforcement cooperation against virtual asset obfuscation services.
## Mitigations
* **Enhanced Monitoring:** Increased scrutiny and enhanced due diligence on high-volume cryptocurrency flows originating from or destined for known mixing services.
* **Sanctions Compliance:** Strict adherence to OFAC sanctions, particularly concerning entities linked to known threat actors or illicit finance facilitators.
* **Zero-Trust Financial Controls:** Implementing controls to analyze and flag complex transactional chains indicative of coin mixing or tumbling.
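The monitoring and transaction-chain controls listed above can be prototyped as a small screening pass over a transfer graph: flag any transfer that directly touches an address labelled as a known mixer, and any transfer that sits within a few hops of mixer inflows or outflows (the peel chains that typically precede a deposit or follow a withdrawal). The following is an added example written for this summary, not code from the report, DOJ, OFAC or any analytics vendor; every address, label and transfer in it is a constructed placeholder, and a real deployment would load OFAC-published digital-currency addresses and a chain-analytics labelling feed in place of the `MIXER_LABELS` dictionary.

```python
"""Screen transfers for direct or near-proximity exposure to labelled mixers.

Added example for this summary; not code from the original page.
All addresses, service labels and transfers are constructed placeholders.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    txid: str
    src: str
    dst: str
    amount: float  # coin units; carried through for reporting only


@dataclass(frozen=True)
class Alert:
    txid: str
    kind: str        # "direct" (counterparty is a mixer) or "proximity"
    hops: int        # 0 for direct, otherwise distance to the mixer address
    service: str     # label of the mixer the exposure traces back to
    direction: str   # "to_mixer" (pre-deposit chain) or "from_mixer" (post-withdrawal)


# Constructed address labels (placeholders, not real on-chain addresses).
MIXER_LABELS = {
    "mixer-in-01": "Blender.io",
    "mixer-out-07": "Blender.io",
    "sinbad-out-03": "Sinbad.io",
}

# Constructed ledger: a theft, a two-hop approach to the mixer intake,
# a peel chain leaving the mixer, and one unrelated transfer.
SAMPLE_TRANSFERS = [
    Transfer("t1", "victim-wallet", "attacker-01", 10.0),
    Transfer("t2", "attacker-01", "hop-a", 10.0),
    Transfer("t3", "hop-a", "mixer-in-01", 9.9),
    Transfer("t4", "mixer-out-07", "peel-01", 3.3),
    Transfer("t5", "peel-01", "peel-02", 3.2),
    Transfer("t6", "peel-02", "exchange-deposit-55", 3.1),
    Transfer("t7", "cafe-01", "cafe-02", 0.5),
]


def reachable_within(transfers, seeds, max_hops):
    """Breadth-first search along src->dst edges starting at the seed
    addresses. Returns {address: (hops, seed_label)} for every address
    reachable in at most max_hops transfers (seeds themselves at hop 0)."""
    adjacency = {}
    for t in transfers:
        adjacency.setdefault(t.src, []).append(t.dst)
    distance = {addr: (0, label) for addr, label in seeds.items()}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        hops, label = distance[current]
        if hops >= max_hops:
            continue
        for nxt in adjacency.get(current, []):
            if nxt not in distance:  # first visit is the shortest path
                distance[nxt] = (hops + 1, label)
                queue.append(nxt)
    return distance


def screen_transfers(transfers, labels=MIXER_LABELS, max_hops=2):
    """Return one Alert per transfer that is a direct mixer counterparty or
    lies within max_hops of a mixer, looking both forward (funds leaving a
    mixer) and backward (funds on their way into a mixer)."""
    forward = reachable_within(transfers, labels, max_hops)
    reversed_edges = [Transfer(t.txid, t.dst, t.src, t.amount) for t in transfers]
    backward = reachable_within(reversed_edges, labels, max_hops)

    alerts = []
    for t in transfers:
        if t.src in labels:
            alerts.append(Alert(t.txid, "direct", 0, labels[t.src], "from_mixer"))
        elif t.dst in labels:
            alerts.append(Alert(t.txid, "direct", 0, labels[t.dst], "to_mixer"))
        elif t.src in forward:  # sender already holds post-mixer funds
            hops, service = forward[t.src]
            alerts.append(Alert(t.txid, "proximity", hops, service, "from_mixer"))
        elif t.dst in backward:  # recipient is on a path that feeds a mixer
            hops, service = backward[t.dst]
            alerts.append(Alert(t.txid, "proximity", hops, service, "to_mixer"))
    return alerts


def exposure_by_service(alerts, transfers):
    """Sum the amounts of alerted transfers per mixer label for reporting."""
    amount_of = {t.txid: t.amount for t in transfers}
    totals = {}
    for a in alerts:
        totals[a.service] = totals.get(a.service, 0.0) + amount_of[a.txid]
    return totals


if __name__ == "__main__":
    for alert in screen_transfers(SAMPLE_TRANSFERS):
        print(alert)
    print(exposure_by_service(screen_transfers(SAMPLE_TRANSFERS), SAMPLE_TRANSFERS))
```

The `max_hops` parameter is the tuning knob: a hop limit of 1 catches only immediate neighbours of a mixer, while a larger limit reaches further down peel chains at the cost of more false positives from ordinary commerce, so production rules usually pair proximity alerts with amount thresholds and a review queue rather than automatic blocking.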