In the cryptocurrency economy, there’s often a fine line between financial privacy and money laundering. Now one Bitcoin “mixer” service called is walking that tightrope in full public view: Just a few months after launching on the open web, it appears to have already become the preferred money-laundering outlet for the world’s most prolific state-sponsored crypto thieves.

In a portion of its annual crime report published last week, blockchain analysis firm Chainalysis noted that Sinbad—which, like other mixer services, offers to foil cryptocurrency tracing efforts by taking in users’ cryptocurrency, mixing their coins with other those of other users, and returning the same amount—had received $25 million in stolen cryptocurrency from North Korean hackers in just December and January, more than any other mixing service had received.

Those funds, according to Chainalysis, include portions of the thieves’ proceeds from massive heists that targeted the Harmony Bridge service, from which the North Koreans stole roughly $100 million, as well as the Ronin Bridge service, from which the hackers stole a staggering $650 million. Chainalysis’ vice president of investigations, Erin Plante, says North Korea’s crypto-stealing cybercriminals began funneling their profits bit by bit through Sinbad almost immediately after the mixer’s October launch, in the hopes of obscuring their loot’s origin before cashing it out at an exchange. Sinbad “hit the radar for North Korea quickly,” Plante says, “and it’s become their favorite.”

That’s put the new service in an awkward position: Just weeks after its debut, Sinbad became a tool that operates publicly—with a traditional website running in the open in addition to a dark-web site running on the anonymity network Tor—and yet some of its earliest, most high-volume users also happen to be the crypto world’s most notorious cybercriminals. North Korean hackers, according to Chainalysis’s findings, stole no less than $1.7 billion in cryptocurrency last year, helping to make the year the worst on record for total crypto thefts.

Sinbad’s’s founder, meanwhile, argues in an email interview with WIRED that the service has no reason to hide. “Sinbad is present in clearnet because it doesn’t do anything bad,” writes the service’s creator and administrator, who asked to be called “Mehdi,” using the term “clearnet” to mean a website not hidden on the Tor network.

“I am against total surveillance, control over internet users, against autocracies and dictatorships,” Mehdi adds. “Every living person has the right to privacy.”

Mehdi, who declined to reveal his real name or where he or Sinbad are based, says that he created Sinbad as a response to the growing centralization of cryptocurrency and the erosion of the privacy promises it once appeared to offer. He named his mixer service after the fictional Middle Eastern sailor who, as Mehdi puts it, “traded goods all around the world.” Mehdi describes Sinbad as a legitimate privacy-preserving technology project, comparing it to privacy-focused cryptocurrencies like Monero or Zcash, anonymity-enhancing crypto wallet software like Wasabi, and the Tor browser, which encrypts user traffic and routes it through multiple servers to hide people’s identities.

As for the tens of millions of dollars that North Korean hackers laundered through Sinbad? “Your magazine is the first one to ever contact me about this issue,” Mehdi writes. “In case I receive a request from [Chainalysis] or any other institution I will investigate the matter and make my opinion on it.”

Sinbad’s position highlights a strange tension in the world of cryptocurrency. The cryptocurrency obfuscation tools like Monero, Zcash, and Wasabi to which Mehdi compares Sinbad do have legitimate and legal uses—say, a retail store that wants to accept cryptocurrency payments without revealing its revenue to a competitor, or dissidents in a repressive regime who want to fund their opposition movement through international cryptocurrency donations without being tracked. Mixer services are among those privacy services. They can, in some cases, protect users’ funds from being traced on blockchains, where transactions are often all too easily surveilled. But mixers also often enable money laundering by the rampant ransomware gangs, scammers, dark-web black market vendors, and thieves who have long exploited the crypto economy.

In recent years, Western law enforcement has cracked down on a series of mixer services, a law enforcement effort that’s left fewer money-laundering options for cybercriminals than at any time in the past decade, according to Chainalysis. The US Department of Justice indicted the alleged administrators of mixing services Bitcoin Fog and Helix in 2020, and Dutch prosecutors late last year launched similar charges against the creator of another crypto mixing service, Tornado Cash. The US Treasury’s Office of Foreign Asset Controls also imposed sanctions against Tornado Cash and the mixing service Blender, both of which Chainalysis says were previously used by North Korean hackers to launder millions of dollars in stolen crypto.

But in the US criminal cases against mixing service administrators, at least, the Department of Justice has claimed that the services knowingly conspired with criminals. In the cases of Bitcoin Fog, for instance, prosecutors say undercover agents told the service that they sought to launder profits from dark-web drug sales, and Bitcoin Fog nonetheless completed their transactions. Helix advertised its services on the homepage of dark-web drug market AlphaBay.

Mehdi, by contrast, argues that he wasn’t aware that the $25 million in allegedly dirty crypto Chainalysis identified was sent to Sinbad by North Korean hackers: Those funds were stolen, Mehdi points out, in the form of the cryptocurrency Ether and only later exchanged for bitcoins, the only cryptocurrency Sinbad accepts. “I couldn’t have possibly known about the funds’ sources,” Mehdi writes.

Chainalysis’ Plante speculates that the North Korean hackers may have chosen Sinbad in part due to its newness. Because it only recently appeared online, she says many investigators may not have yet identified its Bitcoin addresses, making its mixing far harder to trace. Plante declined to say whether Chainalysis had managed to defeat the service’s mixing itself, potentially tracing its users’ coins in spite of Sinbad’s privacy assurances—a feat the company says it’s achieved with some other cryptocurrency mixing services in the past.

But Nick Carlsen, an investigator at another cryptocurrency tracing firm, TRM Labs, argues that Sinbad is likely too small to function as an effective mixer: The fewer users and the smaller their pool of funds, the easier it is to distinguish their transactions and follow the money. And that thin layer of temporary anonymity may be all that North Korean hackers are seeking, given that they’re usually based in North Korea or China, far beyond the reach of Western law enforcement. “The North Koreans’ typical MO isn’t to obtain the kind of anonymity any other hacker would need,” says Carlsen. “They’re usually just trying to buy themselves a few hours of breathing room with which they can carry out the next phase of their laundering op.”

As for whether Mehdi himself might be identified, indicted, arrested, or sanctioned, he told WIRED he remains relatively confident about his own fate. He shared a long list of cryptocurrency mixing services on the forum BitcoinTalk, pointing out that relatively few have faced those outcomes. “It would be silly not to worry about it at all. I take all the necessary precautions to protect my anonymity,” he writes, but “I expect to remain part of the market and not become one of the unfortunate exceptions.”

Amid a continuing crackdown on crypto money-laundering services, though, there’s no doubt Sinbad’s high-wire act is riskier than ever—particularly as its North Korean users paint an ever-larger target on its back.