Sinbad.io

🔴 High Risk

Sinbad.io quickly became a preferred cryptocurrency mixer for North Korea’s state-sponsored Lazarus Group, laundering millions in stolen Bitcoin from major hacks including Harmony Horizon Bridge and Axie Infinity. Operating since late 2022, Sinbad obscured the trail of illicit funds by pooling and redistributing crypto transactions, enabling hackers and criminals to evade detection and sanctions. The mixer’s vital role in laundering over $100 million in stolen assets led to its sanctioning and seizure by U.S., Dutch, and international authorities by late 2023. This case highlights the ongoing threat posed by crypto mixers in facilitating global money laundering for cybercriminal networks and sanctioned rogue states.

Sinbad.io was a cryptocurrency mixing service primarily operating on Bitcoin that served as a key tool for laundering stolen funds linked to North Korea’s Lazarus Group. This group used Sinbad to obscure the origins and destinations of millions in illicit cryptocurrencies stolen from significant hacks such as the Harmony Horizon Bridge and Axie Infinity. Sanctioned and seized by U.S. and Dutch authorities in late 2023, Sinbad.io’s crackdown marked a significant disruption to laundering networks aiding state-sponsored cybercrime. The case illustrates the ongoing challenges of criminal abuse in cryptocurrency ecosystems and international regulatory efforts to impede illegal financial flows linked to cyber-enabled theft and state malign activities.

Countries Involved

This case primarily involves the United States, the Netherlands, and the Democratic People’s Republic of Korea (DPRK). The United States played a leading role through its Treasury Department and Federal Bureau of Investigation, while the Netherlands’ Fiscal Information and Investigation Service also participated in enforcement actions. North Korea is involved via the state-sponsored hacker group Lazarus, which is responsible for the illicit funds laundered through Sinbad.io. Because cryptocurrency transactions are decentralized and borderless, multiple other countries may have indirect involvement.

The criminal activities related to Sinbad.io had been publicly reported by late 2023, with significant enforcement actions announced by U.S. authorities in November 2023. Earlier investigations and sanctions against related mixers (such as Blender.io in 2022) provide context for the subsequent actions against Sinbad.io. The operators were formally charged and arrested in late 2024 and early 2025, so discovery and enforcement continued well beyond the initial exposure.

Bitcoin (BTC)

The core crime is money laundering of stolen cryptocurrency, specifically bitcoins obtained through cyber theft and hacking operations. This laundering enabled hackers to obscure the illicit origin of stolen funds, allowing them to integrate these funds into the financial system undetected. Additional related illicit activities connected to Sinbad.io transactions include sanctions evasion, drug trafficking payments, darknet marketplace transactions, and potentially financing prohibited activities such as weapons programs.

Key entities involved include the Lazarus Group, a North Korean state-sponsored cyber hacking team designated by OFAC as a sanctioned entity due to their vast cybercrime operations. On the enforcement side, U.S. Treasury’s Office of Foreign Assets Control (OFAC), the FBI, and the Netherlands’ Fiscal Information and Investigation Service (FIOD) cooperated to sanction and seize Sinbad.io’s infrastructure. The operators of Sinbad.io—Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov—were criminally charged for their roles in facilitating the laundering process.

There is no direct involvement of Politically Exposed Persons (PEPs) beyond state-sponsored actors. Lazarus Group is a state-sponsored cybercrime collective, but it is not categorized as a PEP in traditional anti-money laundering frameworks. The case centers on criminal state actors rather than individual political figures or exposed persons with legitimate political roles.

Sinbad.io provided cryptocurrency mixing (tumbling) services, which pooled and masked Bitcoin transactions to break the transparent audit trail on the blockchain. This obscures the transactional history, making it difficult for forensic investigators to trace stolen cryptocurrency flows. The mixer blended stolen cryptocurrency from multiple hacks, pooling it before redistribution and effectively disassociating criminals from their proceeds. This technique is widely used in crypto-based money laundering because it provides anonymity despite blockchain transparency.

While exact totals remain undisclosed, estimates indicate millions of dollars of cryptocurrency laundered through Sinbad.io. Lazarus Group alone has stolen over $3 billion in cryptocurrencies across various hacks, with a significant portion laundered through Sinbad.io, including funds from the Harmony Horizon Bridge, Axie Infinity, and Atomic Wallet hacks. Analysts estimate that more than one-third of Sinbad.io’s volume originated from hacked funds, indicating that substantial sums passed through this mixer.

Analysis shows Sinbad.io processed Bitcoin using mixing techniques that dissociated transactions by pooling user funds for redistribution. Detailed blockchain forensic efforts revealed links between Sinbad transactions and virtual currency thefts tied to Lazarus Group. Sinbad emerged as a successor to the previously sanctioned Blender.io mixer, filling the void in laundering services for North Korean cybercriminals. The transaction trails revealed patterns of funds moving through darknet markets and evading sanctions enforcement by fragmenting and redistributing assets in small chunks to obscure audit trails.

In November 2023, the U.S. Treasury Department’s OFAC imposed sanctions on Sinbad.io, followed by FBI and Dutch authorities seizing the platform’s infrastructure to take it offline. The action is part of a broader crackdown on cryptocurrency mixers known to facilitate illicit activity, with prior sanctions on Blender.io and Tornado Cash targeting similar abuse. Several operators of Sinbad.io were arrested and indicted in late 2024 and early 2025 on money laundering charges connected to the service. These legal moves highlight ongoing international coordination to cut off laundering pathways used by state-sponsored cybercriminals.

Sinbad.io
Case Title / Operation Name:
Sinbad.io Money Laundering Case
Country(s) Involved:
Korea, North (North Korea), Netherlands, United States
Platform / Exchange Used:
Sinbad.io (cryptocurrency mixer service) operating on the Bitcoin blockchain
Cryptocurrency Involved:
Bitcoin (BTC)
Volume Laundered (USD est.):
Estimated millions of dollars; part of over $3 billion in cryptocurrency stolen by North Korean Lazarus Group, including funds from hacks such as Harmony Horizon Bridge, Axie Infinity, and Atomic Wallet.
Wallet Addresses / TxIDs:
Two Bitcoin addresses listed by OFAC as associated with Sinbad.io; thousands more linked based on blockchain analysis (specific wallet addresses withheld).
Method of Laundering:
Cryptocurrency mixing (tumblers) to obscure transaction origins and destinations, pooling and redistribution of mixed Bitcoin to hide audit trails on public blockchain, evading detection and sanctions.
Source of Funds:
Illicit funds from major crypto hacks including Horizon Bridge hack, Axie Infinity hack, Atomic Wallet theft, sanctions evasion, darknet marketplace transactions, narcotics trafficking proceeds, and state-sponsored cybercrime by Lazarus Group.
Associated Shell Companies:
No widely reported shell companies directly linked to Sinbad.io laundering operations; case focused on mixer operators and cybercriminal groups rather than corporate fronts.
PEPs or Individuals Involved:
Operators indicted include Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, Anton Vyachlavovich Tarasov; Lazarus Group (North Korean state-sponsored hackers) connected, no traditional PEPs involved.
Law Enforcement / Regulatory Action:
U.S. Treasury OFAC sanctions in Nov 2023; FBI and Dutch authorities seized Sinbad.io infrastructure; operators charged with money laundering in early 2025; international enforcement cooperation to disrupt laundering networks linked to DPRK cybercrime.
Year of Occurrence:
Reported and sanctioned mainly in 2023; legal charges against operators filed in 2024 and 2025
Ongoing Case:
Ongoing