Search Inside Bitcoins

The Man Behind the New Favorite Crypto Privacy Service for North Korean Hackers

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Join Our Telegram channel to stay up to date on breaking news coverage

There is frequently a thin line between financial privacy and money laundering in the cryptoeconomic system. Currently, a Bitcoin “mixer” service by the name of is treading that fine line in full view of the public: It looks to have already established itself as the favored means of money laundering for the most active state-sponsored cryptocurrency criminals in the world just a few months after becoming live on the open web.

Blockchain analysis company Chainalysis noted that Sinbad had received $25 million in stolen cryptocurrency from North Korean hackers in just December and January, more than any other mixing service had ever received. Like other mixer services, Sinbad offers to thwart cryptocurrency tracing efforts by taking in users’ coins, mixing their coins with those of other users, and returning the same amount.

According to Chainalysis, some of those monies came from large-scale heists that targeted the Harmony Bridge service, from which the North Koreans stole about $100 million, and the Ronin Bridge service, from which the hackers stole an astounding $650 million. Erin Plante, vice president of investigations at Chainalysis, claims that shortly after Sinbad’s launch in October, North Korean cybercriminals started slowly funneling their stolen cryptocurrency profits through the mixer in an effort to hide the source of their loot before cashing it out at an exchange. According to Plante, Sinbad “caught the radar for North Korea rapidly and it’s become their favorite.”

This has put the new service in a difficult situation: With a standard website running in the open alongside a dark website running on the anonymity network Tor, Sinbad quickly became a tool that runs publicly. However, some of its early, most active users also happen to be some of the most infamous fraudsters in the crypto world. According to Chainalysis’ research, North Korean hackers stole at least $1.7 billion worth of cryptocurrencies last year, contributing to the worst year ever for overall crypto thefts.

Meanwhile, the founder of Sinbad contends that the service has nothing to conceal in an email interview with Wired. The service’s founder and administrator, who requested the name “Mehdi,” uses the word “clearnet” to refer to a website that is not concealed on the Tor network, saying that “Sinbad is present in clearnet because it doesn’t do anything bad.”

Mehdi continues,

I am against complete surveillance, control over internet users, autocracies, and dictatorships. The right to privacy is guaranteed to every human being.

Mehdi, who chose not to give his true identity or the location of either himself or Sinbad, claims that he developed Sinbad in response to the escalating centralization of cryptocurrencies and the deterioration of the privacy guarantees they formerly seemed to provide. After the fictitious Middle Eastern sailor who, in Mehdi’s words, “sold products all around the world,” he named his mixer service.

Mehdi compares Sinbad to the Tor browser, which encrypts user traffic and routes it through numerous servers to conceal users’ identities, as well as privacy-focused cryptocurrencies like Monero or Zcash, anonymity-enhancing crypto wallet software like Wasabi, as a legitimate privacy-preserving technology project.

What happened to the tens of millions of dollars that North Korean hackers used Sinbad to launder? Mehdi writes that he never had to think about it before. “In the event that I receive a request from [Chainalysis] or any other organization, I will look into the situation and offer my judgment.”

Sinbad’s stance draws attention to an odd conflict that exists in the bitcoin community. The cryptocurrency obfuscation tools Mehdi compares Sinbad to, like Monero, Zcash, and Wasabi, do have legitimate and legal uses, like when a retailer wants to accept cryptocurrency payments without disclosing its revenue to a rival, or when dissidents in a repressive regime want to use international cryptocurrency donations to support their opposition movement without being discovered. One of such privacy services is mixer services. In other circumstances, they can prevent customers’ money from being tracked on blockchains, where transactions are all too frequently easily monitored. But mixers also frequently help the widespread ransomware gangs, con artists, black market sellers on the dark web, and thieves who have long taken advantage of the crypto currency.

Legal action against crypto mixing services

According to Chainalysis, Western law enforcement has clamped down on a number of mixing services recently, which has resulted in less opportunities for hackers to launder money than at any other point in the previous ten years. The suspected administrators of the cryptocurrency mixing services Bitcoin Fog and Helix were indicted by the US Department of Justice in 2020, and late last year, Dutch authorities filed similar accusations against the developer of another mixing service for cryptocurrencies, Tornado Cash. Sanctions were also placed on Tornado Cash and the mixing service Blender by the US Treasury’s Office of Foreign Asset Controls. According to Chainalysis, both of these services were previously used by North Korean hackers to launder millions of dollars in stolen cryptocurrency.

However, the Department of Justice has asserted that the services deliberately colluded with criminals in the criminal proceedings brought against mixing service administrators at least in the US. Prosecutors claim that in the cases involving Bitcoin Fog, undercover agents informed the service that they wished to re-launder proceeds from dark-web drug sales, but Bitcoin Fog nonetheless processed their transactions. On the home page of the AlphaBay drug marketplace on the dark web, Helix promoted its services.

Contrarily, Mehdi contends that he was unaware that the $25 million in supposedly shady crypto that Chainalysis found was supplied to Sinbad by North Korean hackers. Mehdi notes that:

the money was taken in the form of ether, a cryptocurrency, and were only later converted to bitcoins, the only form of payment that Sinbad will accept. I couldn’t have possibly known about the sources of the funds.

Plante of Chainalysis hypothesizes that the North Korean hackers may have selected Sinbad in part because of its novelty. She claims that many investigators may not have have recognized its Bitcoin addresses because it just recently debuted online, making its mixing much more difficult to identify. Plante declined to comment on whether Chainalysis had been able to circumvent the service’s mixing, potentially tracing the currencies of its users despite Sinbad’s privacy guarantees. The company claims to have done this in the past with certain other cryptocurrency mixing services.

However, Nick Carlsen, a researcher at TRM Labs, a different cryptocurrency tracing company, asserts that Sinbad is probably too small to serve as a reliable mixer: It is simpler to discern between their transactions and follow the money when there are fewer users and a smaller pool of monies. Given that North Korean hackers are typically based in North Korea or China, outside the purview of Western law enforcement, that thin veneer of temporary anonymity may be all that they are looking for. According to Carlsen, the North Koreans typically do not want the level of obscurity that other hackers would require.

Typically, they are merely trying to buy themselves a few hours of breathing room so they can complete the next step of their laundering operation. Mehdi said that he is still rather confident about his own future, regardless of the possibility that he would be recognized, charged, detained, or punished. On the BitcoinTalk forum, he posted a lengthy list of cryptocurrency mixing providers, noting that only a small number had experienced those effects.

Not worrying about it at all would be foolish. I take all the required steps to maintain my anonymity, but I anticipate to continue to participate in the market and not end up as one of the sad exceptions.

There’s no denying that Sinbad’s high-wire act is riskier than ever, especially given that its North Korean users paint an ever-larger target on its back, in the midst of a continuous crackdown on cryptocurrency money-laundering services.


Join Our Telegram channel to stay up to date on breaking news coverage

Read next