US sanctions Russian accused of laundering virtual currency for ransomware affiliate


The Treasury Department on Friday sanctioned a Russian woman accused of laundering virtual currency on behalf of the country’s elites and cybercriminals, including an affiliate of Ryuk ransomware.

According to the Office of Foreign Assets Control, Ekaterina Zhdanova worked to help other Russians evade sanctions imposed on the country’s financial system after the invasion of Ukraine. In one case, an unnamed oligarch approached Zhdanova about moving $100 million to the United Arab Emirates, OFAC said.

In 2021, she allegedly laundered more than $2.3 million of “suspected victim payments” for a Ryuk ransomware affiliate. She ran the funds through the Garantex cryptocurrency exchange, which was itself designated by OFAC in 2022.

According to OFAC, more than $100 million in transactions associated with darknet markets and criminals were conducted on the exchange before it was sanctioned.

“Through key facilitators like Zhdanova, Russian elites, ransomware groups, and other illicit actors sought to evade U.S. and international sanctions, particularly through the abuse of virtual currency,” said Undersecretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. The OFAC announcement does not offer details about Zhdanova’s professional background.

Ryuk ransomware wreaked havoc for years after emerging in 2018. In 2020, amid Covid-19 lockdowns, federal law enforcement agencies warned that the healthcare sector was under attack from Ryuk. The month before, hospital chain Universal Health Services had been hit with a Ryuk attack that ultimately cost the company $67 million.

In February, a Russian man pleaded guilty in an Oregon federal court to laundering funds for Ryuk over the course of three years. He was accused of being a middleman for the group alongside 13 unnamed co-conspirators.

Sanctions against individuals like Zhdanova are often more symbolic than impactful, as Russians involved in illicit activity are unlikely to have property or business interests in the United States.


James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.

