US-led operation disrupts crypto exchanges linked to Russian cybercrime

The U.S. government and Dutch law enforcement took action on Thursday against a handful of Russian cryptocurrency exchanges accused of laundering cybercrime proceeds and a man allegedly involved in their operations. 

In addition to website seizures and other technical moves by law enforcement, the U.S. Treasury’s Office of Foreign Assets Control sanctioned the exchange Cryptex and Russian national Sergey Sergeevich Ivanov. 

Ivanov is also allegedly connected to the virtual currency exchange PM2BTC, which was classified a “primary money laundering concern” by the Treasury’s Financial Crimes Enforcement Network (FinCEN). The designation prohibits “certain transmittals of funds” involving PM2BTC by financial institutions.

As part of the coordinated action against the exchanges, the U.S. Secret Service’s Cyber Investigative Section, along with the Dutch Fiscal Intelligence and Investigation Service (FIOD) and Netherlands police, seized web domains and infrastructure connected to PM2BTC, Cryptex and UAPS — a payment processor allegedly connected to Ivanov. 

According to the Treasury Department, Cryptex has received more than $51.2 million resulting from ransomware attacks, and over $720 million in transactions were linked to services “frequently used by Russia-based ransomware actors and cybercriminals”like fraud shops, mixing services and the previously sanctioned virtual currency exchange Garantex.

Half of PM2BTC’s exchange activity, meanwhile, was found by the Treasury to have links to suspected crime, including over $600,000 in transactions involving darknet markets between July 22, 2023, and January 14, 2024.    

The Treasury alleges that Ivanov has “laundered hundreds of millions of dollars’ worth of virtual currency for ransomware actors, initial access brokers, darknet marketplace vendors, and other criminal actors for approximately the last 20 years.”

He has been a payment processor, they said, for a handful of darknet marketplaces including the Genesis Market, which was seized last year in an FBI-led operation. 

The Department of State also announced a reward of up to $10 million for information leading to the arrest or conviction of Ivanov and Russian national Timur Shakhmametov, who is allegedly the creator of Joker’s Stash, a massive online marketplace for stolen credit card data and personally identifiable information that shut down in 2021. 

“We will continue to use all our tools and authorities to deter and expose these money laundering networks and impose cost on the cyber criminals and support networks,” the State Department said in a release. “We reiterate our call that Russia must take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.” 

The sanctions are the latest in a series of attempts to punish Russian cybercriminals, who are generally given safe harbor by the Kremlin. It is unclear if the measures to cut them off from the Western financial sector have any tangible impact. 

In May, the Treasury sanctioned Dmitry Khoroshev, the leader of the LockBit ransomware group, several months after a similar action against two of the group’s affiliates. In July, the Treasury designated two members of the Cyber Army of Russia Reborn hacking group.