In a portion of its annual crime report published last week, blockchain analysis firm Chainalysis noted that Sinbad—which, like other mixer services, offers to foil cryptocurrency tracing efforts by taking in users’ cryptocurrency, mixing their coins with other those of other users, and returning the same amount—had received $25 million in stolen cryptocurrency from North Korean hackers in just December and January, more than any other mixing service had received. Another cryptocurrency tracing firm, Elliptic, puts the amount flowing from the hackers to Sinbad far higher, at $100 million to date. Those funds, according to Chainalysis, include portions of the thieves’ proceeds from massive heists that targeted the Harmony Bridge service, from which the North Koreans stole roughly $100 million, as well as the Ronin Bridge service, from which the hackers stole a staggering $650 million. Chainalysis’ vice president of investigations, Erin Plante, says North Korea’s crypto-stealing cybercriminals began funneling their profits bit by bit through Sinbad almost immediately after the mixer’s October launch, in the hopes of obscuring their loot’s origin before cashing it out at an exchange. Sinbad “hit the radar for North Korea quickly,” Plante says, “and it’s become their favorite.” That’s put the new service in an awkward position: Just weeks after its debut, Sinbad became a tool that operates publicly—with a traditional website running in the open in addition to a dark-web site running on the anonymity network Tor—and yet some of its earliest, most high-volume users also happen to be the crypto world’s most notorious cybercriminals. North Korean hackers, according to Chainalysis’s findings, stole no less than $1.7 billion in cryptocurrency last year, helping to make the year the worst on record for total crypto thefts. Sinbad’s’s founder, meanwhile, argues in an email interview with WIRED that the service has no reason to hide. “Sinbad is present in clearnet because it doesn’t do anything bad,” writes the service’s creator and administrator, who asked to be called “Mehdi,” using the term “clearnet” to mean a website not hidden on the Tor network. “I am against total surveillance, control over internet users, against autocracies and dictatorships,” Mehdi adds. “Every living person has the right to privacy.” As for the tens of millions of dollars that North Korean hackers laundered through Sinbad? “Your magazine is the first one to ever contact me about this issue,” Mehdi writes. “In case I receive a request from [Chainalysis] or any other institution I will investigate the matter and make my opinion on it.” Cryptocurrency tracing firm Elliptic on February 13 released its own analysis of Sinbad that reveals clues that the service may in fact be a resurrected version of the mixing service Blender.io, which received millions of dollars in North Korean hackers’ stolen crypto before the US Treasury imposed sanctions on it last year and it dropped offline. Elliptic bases that theory on several blockchain connections between the two services, including $22 million that flowed from Blender’s addresses to Sinbad’s in Sinbad’s earliest days online, and identical handling of users’ funds in several respects. When WIRED asked Mehdi about that theory, he didn’t respond. Regardless of any connection to Blender.io, Sinbad’s position highlights a strange tension in the world of cryptocurrency. The cryptocurrency obfuscation tools like Monero, Zcash, and Wasabi to which Mehdi compares Sinbad do have legitimate and legal uses—say, a retail store that wants to accept cryptocurrency payments without revealing its revenue to a competitor, or dissidents in a repressive regime who want to fund their opposition movement through international cryptocurrency donations without being tracked. Mixer services are among those privacy services. They can, in some cases, protect users’ funds from being traced on blockchains, where transactions are often all too easily surveilled. But mixers also often enable money laundering by the rampant ransomware gangs, scammers, dark-web black market vendors, and thieves who have long exploited the crypto economy. In recent years, Western law enforcement has cracked down on a series of mixer services, a law enforcement effort that’s left fewer money-laundering options for cybercriminals than at any time in the past decade, according to Chainalysis. The US Department of Justice indicted the alleged administrators of mixing services Bitcoin Fog and Helix in 2020, and Dutch prosecutors late last year launched similar charges against the creator of another crypto mixing service, Tornado Cash. The US Treasury’s Office of Foreign Asset Controls also imposed sanctions against Tornado Cash and Blender, both of which Chainalysis says were previously used by North Korean hackers to launder millions of dollars in stolen crypto. Mehdi, by contrast, argues that he wasn’t aware that the $25 million in allegedly dirty crypto Chainalysis identified was sent to Sinbad by North Korean hackers: Those funds were stolen, Mehdi points out, in the form of the cryptocurrency Ether and only later exchanged for bitcoins, the only cryptocurrency Sinbad accepts. “I couldn’t have possibly known about the funds’ sources,” Mehdi writes. Chainalysis’ Plante speculates that the North Korean hackers may have chosen Sinbad in part due to its newness. Because it only recently appeared online, she says many investigators may not have yet identified its Bitcoin addresses, making its mixing far harder to trace. Plante declined to say whether Chainalysis had managed to defeat the service’s mixing itself, potentially tracing its users’ coins in spite of Sinbad’s privacy assurances—a feat the company says it’s achieved with some other cryptocurrency mixing services in the past. But Nick Carlsen, an investigator at another cryptocurrency tracing firm, TRM Labs, argues that Sinbad is likely too small to function as an effective mixer: The fewer users and the smaller their pool of funds, the easier it is to distinguish their transactions and follow the money. And that thin layer of temporary anonymity may be all that North Korean hackers are seeking, given that they’re usually based in North Korea or China, far beyond the reach of Western law enforcement. “The North Koreans’ typical MO isn’t to obtain the kind of anonymity any other hacker would need,” says Carlsen. “They’re usually just trying to buy themselves a few hours of breathing room with which they can carry out the next phase of their laundering op.” As for whether Mehdi himself might be identified, indicted, arrested, or sanctioned, he told WIRED he remains relatively confident about his own fate. He shared a long list of cryptocurrency mixing services on the forum BitcoinTalk, pointing out that relatively few have faced those outcomes. “It would be silly not to worry about it at all. I take all the necessary precautions to protect my anonymity,” he wrote—notably, prior to Elliptic’s revelation that Sinbad and Blender may be connected—but he added that “I expect to remain part of the market and not become one of the unfortunate exceptions.” Amid a continuing crackdown on crypto money-laundering services, though, there’s no doubt Sinbad’s high-wire act is riskier than ever—particularly as its North Korean users paint an ever-larger target on its back. Updated 1:45 pm ET, February 13, 2023 with new Elliptic findings about Sinbad.io.