The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Sanctioned cryptocurrency tool appears to reemerge under new name

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! I’m losing track of all these murdered balloons.

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: Personal health information from more than 3 million people was stolen by hackers in December, and Russian cybercriminals temporarily disrupted NATO sites over the weekend. First: 

Punished crypto mixer allegedly sets sail under new moniker — Sinbad

A popular tool that North Korean government-affiliated hackers had allegedly used to disguise their cryptocurrency transactions appears to have reemerged under a new name after being sanctioned by the U.S. government.

The revival demonstrates that sanctions can serve as a setback for cryptocurrency mixers, but sometimes not a permanent one.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) last year issued sanctions on a cryptocurrency mixer called Blender. It closed down around the same time. Now, its operators have likely relaunched it under the name Sinbad, according to cryptocurrency monitoring firm Elliptic.

Already, the North Korean hacking organization known as the Lazarus Group have used Sinbad to launder more than $100 million, the firm said in an analysis.

Roots of a comeback

In the case of Sinbad, its operator or operators benefited from around $22 million that they are believed to have taken from Blender, Elliptic said.

“It’s very easy for the anonymous operator of a mixer to redeploy infrastructure and operate under a new brand,” Tom Robinson, chief scientist and co-founder of the company, told me. “If sanctions are tied to a particular service’s name, that clearly poses a problem for sanctions enforcement.”

“In practice though, mixers need users and liquidity in order to be effective, which can be difficult for a new brand to attract,” Robinson said. “Sinbad appears to have tried to bootstrap itself with funds from Blender, which left a money trail linking the two services.”

Blender shut down last April. OFAC issued sanctions against the mixer the next month.

  • “Today, for the first time ever, Treasury is sanctioning a virtual currency mixer,” Brian Nelson, Treasury undersecretary for terrorism and financial intelligence, said at the time. “Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by [North Korea] and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”

The sanctions came shortly after hackers committed a record cryptocurrency heist, stealing virtual currency worth around $620 million from the online crypto game Axie Infinity. The Treasury Department said the Lazarus Group was behind the theft and used Blender to launder more than $20 million.

In August, Treasury also issued sanctions against the mixer Tornado Cash, with officials saying North Korean hackers also had used it to mask its transactions. That mixer has continued to operate, and users of the service filed a lawsuit against the Treasury Department over those sanctions, saying the sanctions threatened people engaging in lawful activity and seeking privacy.

North Korean hackers have engaged in a hacking spree aimed at cryptocurrency firms, with the profits bankrolling the country’s nuclear and ballistic missile programs, according to United Nations sanctions monitors. North Korea is subject to U.N. sanctions.

The latest

Last summer brought another crypto heist from the cryptocurrency bridge Horizon, a service that allows multiple blockchains to communicate with one another. Elliptic and the FBI blamed the Lazarus Group for that theft, too, where the hackers made off with $100 million.

That’s where Sinbad reentered the picture, Elliptic said. 

“Sinbad was launched in early October 2022, and despite its relatively small size, it soon began to be used to launder the proceeds of Lazarus hacks,” the company’s analysis states. “Tens of millions of dollars from Horizon and other North Korea-linked hacks have been passed through Sinbad to date and continue to do so, demonstrating confidence and trust in the new mixer.”

Elliptic said a number of clues connected Blender to Sinbad. Among them:

  • “A Bitcoin wallet used to pay individuals who promoted Sinbad, itself received Bitcoin from the suspected Blender operator wallet.” 
  • “Analysis of blockchain transactions shows that almost all of the early incoming transactions to Sinbad (some $22 million) originated from the suspected Blender operator wallet.”
  • “There are strong similarities in the structure of both services’ websites, as well as in their use of language and naming conventions.”
  • “Both services have a clear nexus to Russia, with Russian-language support and websites.”

Sinbad could soon run into the same problems Blender did, however.

“Blender may have been motivated to rebrand in order to avoid sanctions, and OFAC could now seek to impose further sanctions on Sinbad,” Elliptic concluded. “It may also have done so in order to gain trust from users, following Blender’s abrupt closure last year, and the disappearance of significant amounts of funds from the mixer.”

The keys

Cyberattacks on U.S. energy facilities at beginning of Ukraine war were stymied, executive says

Dragos founder and chief executive Robert M. Lee told reporters that hackers tried to take down “around a dozen” electric and gas facilities in the United States soon after Russia’s invasion of Ukraine, Politico’s Maggie Miller reports. Cybersecurity firms have previously linked the malware in question to Russia.

“This is the closest we’ve ever been to having U.S. or European infrastructure, I’d say U.S. infrastructure, go offline,” Lee said. “It wasn’t employed on one of its targets, they weren’t ready to pull the trigger, they were getting very close.” Lee said that the attack was stymied by the U.S. government and cybersecurity industry, but declined to provide more details about what stopped the attack.

Lee also didn’t say whether the malware — which he described as a “state-level, wartime capability” — was on the facilities networks, or if hackers were close to accessing those networks. The U.S. government warned about the malware last year.

Russian hackers target NATO websites

The Russian hacking group KillNet said it carried out distributed denial of service (DDoS) attacks against the North Atlantic Treaty Organization, or NATO, over the weekend and causing temporary disruption to some of its websites, Computer Weekly’s Alex Scroxton reports.

During a news conference Sunday, NATO Secretary General Jens Stoltenberg said the alliance has deployed additional protective measures. In the meantime, a NATO spokesperson added that “NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis, and takes cybersecurity very seriously.”

Although NATO was probably prepared to be targeted, Dark Reading reports that NATO’s NR network, which is used to transmit sensitive and classified data, was also impacted and “disrupted communications between NATO and at least one of its airplanes transporting search and rescue equipment to Incirlik Air Base in Turkey,” in the aftermath of a devastating earthquake in the region. 

NATO’s Special Operations Headquarters and Strategic Airlift Capability were also affected. 

DDoS attacks are known to cause little actual damage to targets, instead causing a temporary disruption as hackers overload websites with malicious, phony traffic. This incident comes as Killnet has been launching DDoS attacks on websites in Germany and the United States amid the war in Ukraine. 

More than 3 million people’s personal health information was stolen in ransomware attack

Last year, the intimate health details and other personally identifiable information of 3.3 million people was stolen in a ransomware attack of Regal Medical Group in California, Ionut Arghire reports for Security Week.

The incident, which took place on Dec. 1, 2022, but was not made aware to victims until Feb. 1, 2023, targeted the health care provider’s affiliates, including Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group. 

In a breach notification letter, Regal said that names, addresses, birth dates, phone numbers, Social Security numbers, diagnosis and treatment information, health plan member numbers, laboratory test results, prescription details and radiology reports were compromised. 

The medical group informed the Department of Health and Human Services about the incident at the beginning of February, saying that over 3.3 individuals might have been impacted but that it is working with vendors to restore access to compromised systems. Regal fell short of confirming the kind of malware that was used in the attack or whether a ransom was paid. 

Government scan

Treasury identifies security risks for financial sector in moving to cloud services, next steps (Inside Cybersecurity)

All but Florida, South Dakota apply for federal cyber grants allocated by infrastructure bill (The Record)

Global cyberspace

Chinese mobile masts loom over the Munich Security Conference (Politico Europe)

LockBit's Royal Mail ransom deadline passes, no data release (The Register)

What happened to #OpRussia? (Dark Reading)

Cyber insecurity

Crypto scam aimed at online acquaintances costs victims billions (Tory Newmyer)

Bridgewater-Raritan schools data breach exposes personal info (Government Technology)

Alleged SIM swapper ransomed Instagram influencer for dates, striptease video (Motherboard)

Pepsi bottling ventures suffers data breach after malware attack (Bleeping Computer)


  • The House Judiciary Committee holds a hearing to discuss protecting children online today at 10 a.m.
  • The Senate Banking, Housing and Urban Affairs Committee will hold a meeting to examine why financial system safeguards are needed for digital assets today at 10 a.m. 
  • The Cyber Threat Alliance holds a webinar about the importance of mandatory cyberattack incident reporting requirements on Thursday at 12 p.m.
  • The Future of Privacy Forum holds its 13th annual privacy papers for policymakers summit and awards ceremony Thursday at 5:30 p.m.  
  • The National Association of State Election Directors holds its winter conference in D.C. on Thursday through Saturday. 
  • The Intelligence and National Security Alliance holds its annual achievement awards Thursday at 6 p.m. in Arlington, Va.

Secure log off

Thanks for reading. See you tomorrow.