
OFAC adds Blender.io to Cyber sanctions, updates Lazarus Group DPRK listing

OFAC has added:

BLENDER.IO (a.k.a. @BLENDERIO_ENGLISH; a.k.a. @BLENDERIO_RUSSIAN; a.k.a. @MADEAMAZE_BOT; a.k.a. BLENDERIO); Website https://blender.io; alt. Website https://blender.to; alt. Website http://blenderjkul472odyrnpmnirqgpzd3kms54jrrfycledrvvfbyj3wnqd.onion/; Email Address blender.io@tuta.io; alt. Email Address adblenderio@tuta.io; Organization Established Date 2017 [CYBER2].

to its cyber-related sanctions and updated the following North Korea sanctions listing:

LAZARUS GROUP (a.k.a. "APPLEWORM"; a.k.a. "APT-C-26"; a.k.a. "GROUP 77"; a.k.a. "GUARDIANS OF PEACE"; a.k.a. "HIDDEN COBRA"; a.k.a. "OFFICE 91"; a.k.a. "RED DOT"; a.k.a. "TEMP.HERMIT"; a.k.a. "THE NEW ROMANTIC CYBER ARMY TEAM"; a.k.a. "WHOIS HACKING TEAM"; a.k.a. "ZINC"), Potonggang District, Pyongyang, Korea, North; Digital Currency Address - ETH 0x098B716B8Aaf21512996dC57EB0615e2383E2f96; alt. Digital Currency Address - ETH 0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B; alt. Digital Currency Address - ETH 0x3Cffd56B47B7b41c56258D9C7731ABaDc360E073; alt. Digital Currency Address - ETH 0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1; Secondary sanctions risk: North Korea Sanctions Regulations, sections 510.201 and 510.210; Transactions Prohibited For Persons Owned or Controlled By U.S. Financial Institutions: North Korea Sanctions Regulations section 510.214 [DPRK3].

-to-

LAZARUS GROUP (a.k.a. "APPLEWORM"; a.k.a. "APT-C-26"; a.k.a. "GROUP 77"; a.k.a. "GUARDIANS OF PEACE"; a.k.a. "HIDDEN COBRA"; a.k.a. "OFFICE 91"; a.k.a. "RED DOT"; a.k.a. "TEMP.HERMIT"; a.k.a. "THE NEW ROMANTIC CYBER ARMY TEAM"; a.k.a. "WHOIS HACKING TEAM"; a.k.a. "ZINC"), Potonggang District, Pyongyang, Korea, North; Digital Currency Address - ETH 0x098B716B8Aaf21512996dC57EB0615e2383E2f96; alt. Digital Currency Address - ETH 0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B; alt. Digital Currency Address - ETH 0x3Cffd56B47B7b41c56258D9C7731ABaDc360E073; alt. Digital Currency Address - ETH 0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1; alt. Digital Currency Address - ETH 0x35fB6f6DB4fb05e6A4cE86f2C93691425626d4b1; alt. Digital Currency Address - ETH 0xF7B31119c2682c88d88D455dBb9d5932c65Cf1bE; alt. Digital Currency Address - ETH 0x3e37627dEAA754090fBFbb8bd226c1CE66D255e9; alt. Digital Currency Address - ETH 0x08723392Ed15743cc38513C4925f5e6be5c17243; Secondary sanctions risk: North Korea Sanctions Regulations, sections 510.201 and 510.210; Transactions Prohibited For Persons Owned or Controlled By U.S. Financial Institutions: North Korea Sanctions Regulations section 510.214 [DPRK3].

And the Treasury Department issued the following press release:

PRESS RELEASES

U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats

May 6, 2022

Additional Lazarus Group Virtual Wallet Addresses Identified

WASHINGTON – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned virtual currency mixer Blender.io (Blender), which is used by the Democratic People’s Republic of Korea (DPRK) to support its malicious cyber activities and money-laundering of stolen virtual currency. On March 23, 2022, Lazarus Group, a DPRK state-sponsored cyber hacking group, carried out the largest virtual currency heist to date, worth almost $620 million, from a blockchain project linked to the online game Axie Infinity; Blender was used in processing over $20.5 million of the illicit proceeds. Under the pressure of robust U.S. and UN sanctions, the DPRK has resorted to illicit activities, including cyber-enabled heists from cryptocurrency exchanges and financial institutions, to generate revenue for its unlawful weapons of mass destruction (WMD) and ballistic missile programs.

“Today, for the first time ever, Treasury is sanctioning a virtual currency mixer,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”

Treasury is also updating the List of Specially Designated Nationals and Blocked Persons (SDN List) to identify additional virtual currency addresses used by the Lazarus Group to launder illicit proceeds. Treasury is committed to exposing components of the virtual currency ecosystem, like Blender, that are critical to the obfuscation of the trail of stolen proceeds from illicit cyber activity. OFAC sanctioned the Lazarus Group on September 13, 2019, pursuant to Executive Order (E.O.) 13722, and identified it as an agency, instrumentality, or controlled entity of the Government of the DPRK, based on its relationship to the U.S.- and UN-designated Reconnaissance General Bureau, the DPRK’s premier intelligence organization, which is also involved in conventional arms trade.

TREASURY DESIGNATES FIRST MIXER


Blender.io (Blender) is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations. While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors. Blender has helped transfer more than $500 million worth of Bitcoin since its creation in 2017. Blender was used in the laundering process for DPRK’s Axie Infinity heist, processing over $20.5 million in illicit proceeds.

OFAC’s investigation also identified Blender’s facilitation of money-laundering for, among others, Russian-linked malign ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab.

Blender.io Cryptocurrency Mixing Process. 1st Step: Cyber Crime Event. 2nd Step: Laundering Process Begins. 3rd Step: Blender.io Mixes. Output is Obfuscated Proceeds.

Blender is being designated pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

While most virtual currency activity is licit, it can be used for illicit activity, including sanctions evasion, through mixers, peer-to-peer exchangers, darknet markets, and exchanges. This includes the facilitation of heists, ransomware schemes, and other cybercrimes. Treasury continues to use its authorities against malicious cyber actors in concert with other U.S. departments and agencies, as well as our foreign partners, to disrupt financial nodes tied to illicit payments and cyber-attacks. Those in the virtual currency industry play a critical role in implementing appropriate Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) and sanctions controls to prevent sanctioned persons and other illicit actors from exploiting virtual currency to undermine U.S. foreign policy and national security interests.

The virtual currency mixers that assist criminals are a threat to U.S. national security interests. Treasury will continue to investigate the use of mixers for illicit purposes and consider the range of authorities Treasury has to respond to illicit financing risks in the virtual currency ecosystem. For example, in 2020, Treasury’s Financial Crimes Enforcement Network (FinCEN) assessed a $60 million civil money penalty against the owner and operator of a virtual currency mixer for violations of the Bank Secrecy Act (BSA) and its implementing regulations. Criminals have increased use of anonymity-enhancing technologies, including mixers, to help hide the movement or origin of funds. Additional information on illicit financing risks associated with mixers and other anonymity-enhancing technologies in the virtual asset ecosystem can be found in the 2022 National Money Laundering Risk Assessment.

ADDITIONAL LAZARUS GROUP WALLET

OFAC is identifying four additional virtual currency wallet addresses used by the Lazarus Group to launder the remainder of stolen proceeds from the March 2022 Axie Infinity heist. This builds upon OFAC’s April 14, 2022, attribution of DPRK’s Lazarus Group as the perpetrators of the Axie Infinity heist and identification of the original getaway wallet address. Treasury is committed to tracing illicit virtual currency and blocking associated wallets and addresses wherever found.

SANCTIONS IMPLICATIONS

As a result of today’s action, all property and interests in property of the entity above, Blender.io, that is in the United States or in the possession or control of U.S. persons is blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked. All transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt. These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.

The State Department issued its own:

The Democratic People’s Republic of Korea’s Illicit Activities and Sanctions Evasion

PRESS STATEMENT

ANTONY J. BLINKEN, SECRETARY OF STATE

MAY 6, 2022

The United States is imposing sanctions on the virtual currency mixer Blender.io (Blender), which is used by the Democratic People’s Republic of Korea (DPRK) to support its cyber-enabled illicit activities and money-laundering of stolen virtual currency funds.  In an attempt to evade robust U.S. and UN sanctions, the DPRK has resorted to theft of funds from virtual currency exchanges and blockchain-related companies to generate revenue for its unlawful weapons of mass destruction (WMD) and ballistic missile programs.  Blender is a platform that has enabled DPRK malicious cyber actors to mix illicit virtual currency with anonymous virtual currency to facilitate money laundering, including part of the proceeds of the nearly $620 million theft from Sky Mavis in March.

The United States remains committed to seeking diplomacy with the DPRK and calls on the DPRK to engage in dialogue. At the same time, we will continue to address the DPRK’s unlawful cyber activities, as well as violations of UN Security Council resolutions.

Links:

OFAC Notice

Press Releases – Treasury, State


eric9to5
