Russian money laundering networks uncovered linking narco traffickers, ransomware gangs and Kremlin spies

Avatar

Following an investigation into how a ransomware gang was cashing out extorted cryptocurrency, British law enforcement on Wednesday announced uncovering a sprawling Russian money laundering system used by transnational drug traffickers, cybercriminals, Moscow elites evading sanctions and even the Kremlin’s espionage operations.

Internationally more than 80 people have already been arrested in Operation Destabilise — led by the U.K.’s National Crime Agency (NCA) — which was publicized as the United States announced sanctions against the networks’ most senior perpetrators, aiming to disrupt their access to global financial exchange systems.

The investigation “has exposed billion-dollar money laundering networks operating in a way previously unknown to international law enforcement,” according to Rob Jones, the NCA’s director general of operations, who added that for “the first time, we have been able to map out a link between Russian elites, crypto-rich cyber criminals, and drugs gangs on the streets of the UK.”

At the top of the chain are two Russian businesses called Smart and TGR Group, both based in Moscow’s landmark Federation Tower, who are accused of providing critical liquidity and logistics services allowing criminals to collect funds in one country and make the equivalent value available in another. This value often involves swapping cryptocurrency for cash at the drugs level, although the laundering service also used property and other stores of value including shares and bonds.

The companies, which are independent but were observed assisting each other, for instance to buy property, have a presence in 30 countries, from the U.K. and mainland Europe to the Middle East, Russia and South America, authorities said. Their clients included drug cartels in Colombia and Ecuador, the family-run Kinahan crime syndicate, the Trickbot/Conti/Ryuk cybercrime group, and unspecified Russian espionage operations.

The head of the Smart network has been identified as Ekatarina Zhdanova — a business celebrity in Russia, and “not your typical organised crime group boss,” as the NCA said — who had already been sanctioned by the U.S. Office of Foreign Assets Control (OFAC) last year. Her associates Khadzi-Murat Dalgatovich Magomedov and Nikita Vladimirovich Krasnov were identified and sanctioned on Wednesday. The TGR Group was led by George Rossi, assisted by Elena Chirkinyan and Andrejs Bradens (aka Andrejs Carenoks). All three have also been sanctioned, alongside four business entities: TGR Partners; TGR DWC LLC; TGR Corporate Concierge Ltd.; and Siam Expert Trading Company Ltd.

Left to right: Elena Chirkinyan, George Rossi and Ekatarina Zhdanova. Images: U.K. NCA 

Zhdanova has been arrested by the French authorities in a separate investigation, the NCA said. Rossi’s whereabouts are unknown at present.

The NCA said it coordinated activity that led to 84 arrests — 71 in Britain, and 13 overseas — with “many already serving prison sentences,” and seized over £20 million ($25,341,000) in cash and cryptocurrency. The agency said that the low margins used in the laundering business made the loss extremely significant, even though it was a small percentage of the billions the networks were assessed to move annually.

How did it work?

Street-level drug dealers accumulate an enormous amount of cash to pass up the chain to their suppliers. This stage of the conspiracy involves couriers, who are “generally Russian speakers, but may not be Russian nationals” as explained by Will Lyne, the head of intelligence at the NCA’s national cybercrime unit, speaking to journalists.

The money-handling members of the drug dealing gangs hand cash to the couriers in exchange for cryptocurrency — usually USD Tether — which Lyne said the NCA saw being transferred almost immediately after the cash handover, and believes is eventually sent to South American drug cartels to fund more shipments of cocaine.

According to the agency, the scale of the laundering was enormous. One of the courier networks it investigated was identified conducting “cash handovers in 55 different locations across England, Scotland and Wales and the Channel Islands, over a four-month period. They did so on behalf of at least 22 suspected criminal groups.”

According to the NCA, its investigators observed these exchanges taking place “on a large-scale” across the United Kingdom and they believe the system is “likely replicated in a number of other countries in the West.”

Lyne explained how the handovers worked: “Often there’s a token that’s exchanged, so you don’t accidentally give your bag of cash to the wrong person in a car park somewhere,” with the token often being the serial number on a low-denomination bank note. “So if you’re the drugs gang, and you’ve handed over your cash to the courier, cryptocurrency will be sent to you, and then that cash will be laundered through traditional money-laundering methodology.”

Cash seized by Operation Destabilise. Image: U.K. NCA

The street cash is consolidated and counted before being washed through traditional high-cash turnover businesses in the United Kingdom, or simply being driven out of the country into other jurisdictions. The NCA’s Jones explained that there was simply so much money being made that no single laundering route was used and that millions of pounds are regularly smuggled across the border, despite these transfers regularly being caught.

Directing the movement of money are the coordinators in Moscow. Lyne explained that TGR Group provides a way to wash cash through businesses and a series of shell companies to get its value into the legitimate global financial system, often routed through the United Arab Emirates, where the company’s liquidity allows for the value to be transferred rather than the actual cash. “It’s generally not a bank transfer back upstream to the Russians,” said Lyne.

At this end of the chain, Zhdanova and Rossi’s links to ransomware groups and cryptocurrency laundering services provide them with a supply of the digital assets. In particular, Zhdanova has been accused of providing services to the Trickbot/Conti/Ryuk group.

Smart and TGR are both “heavily exposed” to the Garantex cryptocurrency exchange, which has been previously sanctioned by the United States, and has been linked to ransomware groups as well as payments to companies for components of weapons used by Russia in its invasion of Ukraine, according to the NCA.

Who else used the service?

The networks have been linked to money laundering for Russian oligarchs as well as Russian state-linked entities. Following the British government sanctioning the owners of the Russian media organization Russia Today, the TGR Group transferred funds alleged to have originated from RT to support another Russian-language media organization in Britain.

“From late 2022 to summer 2023 the Smart network was used to fund Russian espionage operations,” stated the NCA, although Jones declined to provide additional details when asked if this was connected to the Russian-directed Bulgarian spy ring recently arrested in Britain.

The NCA said there was a range of ongoing operational activity that it could not disclose on Wednesday.

“Operation Destabilise is the most significant money laundering operation that the NCA has undertaken in the last ten years,” said Jones. “It targets and has attacked and systematically undermined a laundromat that brings together, at scale, street cash and cryptocurrency, that allows the unprecedented transfer of value internationally between crime groups.

“The ingredients in that unholy alliance takes you from, if you like, McMafia through to Narcos through to Le Carré, where you have espionage, where you have transnational organised crime, and you have elite Russian-speaking money launderers and cybercriminals. All of that comes together in this operation, and by attacking it, we have the ability to degrade all of those threats.”

During the summer of 2023, the NCA ran a period of activity of making a series of interdictions — snatching up the money and arresting the couriers who were working as part of the network. “We saw the stress that our operational activity was putting on those networks,” with Russian organized crime groups complaining about how hard it was becoming to operate in London and beginning to charge an increased commission on the handling fees.

The NCA’s Jones said: “We expect the impact of the designations and the full package of activity that will then be available … to have further, really significant impact on these groups.”

CybercrimeNation-stateGovernmentNews
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 

Total
0
Shares
Previous Post

Russia-Linked Turla Exploits Pakistani Hackers’ Servers to Target Afghan and Indian Entities

Related Posts