Blender.io

🔴 High Risk

Blender.io represents a critical juncture in the evolution of cryptocurrency laundering, being the first virtual currency mixer sanctioned by the U.S. Treasury’s OFAC in 2022. Its role in laundering over $20 million stolen by North Korea’s Lazarus Group from the Ronin Network hack underscores the integral part these mixers play in enabling illicit cyber activities. By obscuring transaction trails, Blender.io not only facilitated state-sponsored theft but also highlighted the broader challenge regulators face in curbing crypto-enabled financial crime. This case marks a significant regulatory and enforcement milestone in combating the intersection of digital finance and national security threats, emphasizing the urgent need for robust oversight in the virtual asset ecosystem.

Blender.io is a Bitcoin blockchain mixer that has been exploited by major cybercriminal groups, notably North Korea’s Lazarus Group and various Russian ransomware syndicates, to launder illicit cryptocurrency proceeds. Its service obfuscates the origin and destination of funds by pooling deposits from multiple users and redistributing them anonymously. In 2022, the US Treasury’s OFAC sanctioned Blender.io, the first time it had sanctioned a virtual currency mixer, for supporting cybercrime, particularly the laundering of over $20.5 million stolen in the Axie Infinity Ronin Bridge hack. Subsequent law enforcement action has led to indictments of alleged operators involved in designing and managing the mixer’s laundering processes. This case exemplifies regulatory convergence on digital asset mixers as enablers of global money laundering schemes, with Blender.io serving as a notable nexus in those activities. The sanctions and indictments emphasize US and global efforts to disrupt crypto-enabled money laundering by targeting these anonymizing platforms.

Countries Involved

The case implicates multiple countries, prominently the United States, North Korea, and Russia. North Korea is involved through its Lazarus Group cybercriminal organization, while Russian-linked ransomware groups have also been identified. The global nature is underscored by illicit funds flowing through cryptocurrency pathways affecting various international jurisdictions.

The key discovery and reporting activity surrounding Blender.io’s role in money laundering occurred with public announcements and sanctions around May 2022, notably when the US Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions against Blender.io for its involvement in laundering funds linked to North Korean thefts and ransomware activities.

Bitcoin (BTC)

The core criminal activity linked to Blender.io involves money laundering. This includes laundering the proceeds of cyber-enabled crimes such as the large-scale cryptocurrency theft from Axie Infinity’s Ronin Bridge by the North Korean Lazarus Group, ransomware payments linked to various malware families (Trickbot, Conti, Ryuk, Sodinokibi, Gandcrab), wire fraud, and support for other related financial crimes.

Key entities include Blender.io itself as the mixer facilitating transaction anonymization; the North Korean Lazarus Group, responsible for the Ronin Bridge heist and subsequent laundering; multiple Russian-linked ransomware groups; and the US Treasury OFAC as the primary regulator imposing sanctions. Additionally, the alleged operators named in later indictments for money laundering conspiracy include Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov.

No direct involvement of Politically Exposed Persons (PEPs) has been reported in this case. The primary actors are cybercriminal groups and operators of crypto mixing services rather than politically exposed individuals.

Blender.io employs cryptocurrency mixing/tumbling techniques, which pool multiple users’ cryptocurrency deposits and then redistribute them to new addresses, effectively severing the on-chain traceability between sender and receiver. This mixing process obscures the origin of illicit funds, making blockchain tracing and law enforcement investigations more challenging. Customized time delays, routing mechanisms, and batch transactions are also used to enhance anonymity.

The laundering facilitated by Blender.io surpasses $20.5 million connected specifically to the North Korean Axie Infinity hack alone. Overall, because Blender.io has processed more than $500 million worth of Bitcoin since its inception, the total illicit value laundered via this platform is estimated to be in the hundreds of millions of dollars.

Analysis indicates that the Lazarus Group sent significant amounts of stolen Ether and Bitcoin through Blender.io and other mixers, such as Tornado Cash, to obscure transaction trails. Large-scale transfers occurred between April and May 2022, with some outputs being routed through sanctioned addresses. The mixer obscured direct links between stolen fund origins and their ultimate destinations, complicating forensic efforts.

The US Treasury’s OFAC, under Executive Order 13694 (as amended), designated Blender.io as a sanctioned entity for materially assisting or providing financial services to cyber-enabled activities threatening US national security and foreign policy. This was the first-ever sanction targeting a virtual currency mixer. These actions included sanctioning 45 Bitcoin addresses linked to Blender.io and indictments against its alleged operators for money laundering conspiracy. The sanctions restrict US persons and entities from interacting with Blender.io and freeze its assets within US jurisdiction.

Blender.io
Case Title / Operation Name: Blender.io Money Laundering Facilitation
Country(s) Involved: Korea, North (North Korea), Russia, United States
Platform / Exchange Used: Blender.io (Bitcoin Mixer platform)
Cryptocurrency Involved: Bitcoin (BTC)
Volume Laundered (USD est.): Over $20.5 million linked to DPRK’s Axie Infinity Hack; hundreds of millions transacted overall
Wallet Addresses / TxIDs: Multiple Bitcoin wallet addresses sanctioned by OFAC associated with Lazarus Group laundering
Method of Laundering: Cryptocurrency mixing/tumbling to obfuscate origin and destination of funds
Source of Funds: Cyber theft (Axie Infinity hack), ransomware payments linked to Russian malware groups
Associated Shell Companies: N/A
PEPs or Individuals Involved: No direct PEP involvement; operators charged include Roman Vitalyevich Ostapenko, Alexander Oleynik, Anton Tarasov for laundering conspiracy
Law Enforcement / Regulatory Action: Sanctioned by U.S. Treasury OFAC May 2022, first-ever sanctions on virtual mixer; operators indicted for money laundering conspiracy
Year of Occurrence: 2022
Ongoing Case: Ongoing