Cryptocurrency mixer sanctioned over Lazarus Group ties

North Korea's Lazarus Group is accused of stealing more than $600 million in the Axie Infinity hack and laundering a chunk through the Blender.io mixing service.

The U.S. Treasury Department issued sanctions against a cryptocurrency mixer accused of helping North Korean state-sponsored hackers launder cryptocurrency stolen from an attack on the Axie Infinity multiplayer game.

Investigators with the Treasury's Office of Foreign Assets Control believe that hackers associated with North Korea's infamous Lazarus Group transferred around $20.5 million in funds from hacked accounts through the Blender.io service as part of a cryptocurrency laundering scheme.

Under the terms of the sanctions, U.S. companies are blocked from doing business with Blender.io, and the company's U.S.-based assets have been frozen.

The sanctions come as investigators pry into the March attack on Sky Mavis, the maker of the NFT-focused game Axie Infinity, which is said to have lost some $600 million worth of cryptocurrency that was taken out of central accounts and moved into outside bankrolls.

Authorities attributed the Sky Mavis hack to North Korean state-sponsored hackers, who typically steal cryptocurrencies as a way to generate cash for military programs.

The state-sponsored Lazarus Group dates back more than half a decade, conducting sophisticated hacking operations for both propaganda purposes and fundraising opportunities.

Central to that effort is the use of cryptocurrency funds, which operate outside of the jurisdiction of global banking authorities. By obtaining money that can be laundered through cryptocurrency exchanges and mixers, the North Korean government can move funds without the worry of seizure by outside authorities under the extensive global sanctions imposed against the authoritarian regime.

Blender's $20.5 million of alleged laundering is only a small fraction of the $620 million stolen from Sky Mavis.

"Today, for the first time ever, Treasury is sanctioning a virtual currency mixer," said Brian E. Nelson, undersecretary of the treasury for terrorism and financial intelligence, in a press release Friday.

"Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered."

A key to making the pilfered funds look legitimate is the use of cryptocurrency mixers, and that is where the likes of Blender.io come in. By passing funds over multiple transactions, mixers are designed to obfuscate transactions and make it harder to track activity.

While there could be legitimate uses for mixer services, threat actors use them for money laundering and for obfuscating the path of stolen funds from the source to the recipient by bouncing the transactions across multiple accounts and nodes.

This is what the Treasury Department believes Blender was doing with the Lazarus Group. The mixer is believed to have allowed the hackers to use the 'blending' service to make the movement of cryptocurrency stolen from hacked Axie Infinity servers appear to investigators as normal fund transfers.

As a result, Blender now finds itself under siege from the U.S. government and the site is classified as a "significant threat to national security."

"The virtual currency mixers that assist criminals are a threat to U.S. national security interests," the department said in the press release.

"Treasury will continue to investigate the use of mixers for illicit purposes and consider the range of authorities Treasury has to respond to illicit financing risks in the virtual currency ecosystem."
