Crypto mixer Blender sanctioned by US Treasury for involvement in $600m Ronin theft

The United States Treasury has hit cryptocurrency mixing service Blender.io with sanctions, preventing transactions with US persons, off the back of it providing services for the attackers that made off with $600 million from the Ronin sidechain in March.

Last month, Treasury said the theft was conducted by the North Korean Lazarus group, which it first sanctioned in 2019, and updated its listed cryptocurrency addresses at that time, and again on Friday.

After the attack, Blender was used to process $20.5 million.

“For the first time ever, Treasury is sanctioning a virtual currency mixer,” Under Secretary of the Treasury for terrorism and financial intelligence Brian Nelson said.

“Virtual currency mixers that assist illicit transactions pose a threat to US national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”

Treasury added that Blender was also involved in laundering for Russian-linked ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab.

“Blender.io is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations,” Treasury said.

“While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors.”

The sanctions mean any Blender or majority Blender-owned property that is in the US must be reported, and all transaction by Americans within the US are blocked unless a licence to do so is issued. The sanctions cover funds, goods, and services.

The attack on the Ronin sidechain garnered 173,600 in Ethereum and 25.5 million in US coin, which was only noticed a week later. Ronin was announced in mid-2020 by play-to-earn game Axie Infinity created by Vietnamese blockchain game maker Sky Mavis as a way to overcome Ethereum network congestion.

For the attack to occur, the attacker gained control of the four validators operated by Sky Mavis, and one operated by Axie DAO.

In a post mortem, the company conceded it did not have a proper tracking system in place. The replacement system will involve human interaction for large amounts, it said.

Through a combination of spear-phishing, and an allowlist on the Axie DAO validator not being removed, Lazarus was able to take control of the sidechain.

The sidechain is having its number of validators increased, with a goal of 21 in three months, and a long-term one of 100 validators.

It added the Ronin bridge should reopen in mid to late May, and that all user funds were being restored.

Related Coverage

• SEC nearly doubles size of crypto and cyber enforcement unit
• Wikimedia Foundation dumps ability to accept cryptocurrency for donations
• UK finance regulator warns against illegal crypto ATMs
• Crypto.com is significantly lowering the rewards of its popular debit cards