Feds crack down on Russian crypto exchanges used by ransomware gangs


The US Treasury Department has announced sanctions against several Russian crypto companies used as money laundering fronts for ransomware gangs, as well as a Russian national charged with carrying out millions in transactions.

The sanctions were announced Thursday by the Treasury’s Financial Crimes Enforcement Network (FinCEN) in coordination with the US Office of Foreign Assets Control (OFAC), the US Secret Service Cyber Investigative Section, and other international law enforcement.

Cryptocurrency exchanger PM2BTC and cryptocurrency exchange Cryptex are the two Russian companies charged with facilitating hundreds of millions of dollars worth of money laundering transactions via the digital platforms.


The financial transactions have been traced back to numerous ransomware cartels as well as the OFAC-designated darknet market Genesis Market, which was busted up by the FBI last April.

Russian-born Sergey Sergeevich Ivanov was also slapped with an indictment for operating the shady crypto exchanges, along with another Russian national, Timur Shakhmametov, US officials said.

Making sure illicit actors are cut off from US markets is part of the Treasury’s latest effort to “protect the integrity of the US financial system,” the agency posted on X Thursday.

'Unusual obfuscation'

According to FinCEN, PM2BTC would launder digital currency for Russian-based cybercriminals by providing direct CVC-to-ruble exchange services using US financial institutions that had already been sanctioned by the federal agency, essentially participating in sanctions evasion.

The company is accused of failing to maintain a “credible and effective anti-money laundering and know your customer (KYC) program.”


FinCEN also said PM2BTC used “unusual obfuscation” to hide any illicit transactions from authorities.

Cryptex was found to be registered in St. Vincent and the Grenadines under the pseudonym “International Payment Service Provider,” and also operating in the financial services sector of the Russian Federation economy.

The crypto exchange freely advertises its services inside Russia and has received over $51.2 million in funds derived from ransomware attacks, FinCEN said in the news release.

“Cryptex is also associated with over $720 million in transactions to services frequently used by Russian-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and OFAC-designated virtual currency exchange Garantex,” FinCEN said.

Ivanov, the alleged Russian money launderer, is said to have facilitated hundreds of millions of dollars in virtual transactions using payment processing services, including the illicit Russian platform UAPS, for ransomware actors, initial access brokers, darknet marketplace vendors, and other criminal actors for the past two decades.

As part of the sanctions, any assets owned by PM2BTC, Cryptex, and Ivanov located in the US will be frozen, including any entity, property, or interests, partially owned or otherwise.

Furthermore, there are now restrictions to block US individuals or entities from carrying out any business transactions or financial dealings with any of the three.

Russian cybercriminals operating with impunity


Treasury officials say they have been pressuring Moscow to “take concrete steps to prevent cyber criminals from freely operating in its jurisdiction,” but say they have come up empty-handed.

International cybercrime authorities were able to seize the web domains and/or infrastructure associated with PM2BTC and Cryptex, as well as the UAPS payment processing platform.

“The US remains resolute to prevent cybercrime facilitators like PM2BTC and Cryptex from operating with impunity…and the Treasury Department will continue to use all tools and authorities to disrupt the networks that seek to leverage the virtual assets ecosystem to facilitate their illicit activities,” said Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence.

Thursday’s sanctions are tied to the takedown of the Genesis Market, an international law enforcement operation carried out in 2023 between the US, Europol, and Dutch authorities, known as Operation Endgame.

Operation Endgame, considered one of the largest organized cybercrime takedowns ever, resulted in multiple arrests, the shutdown of hundreds of servers, the seizure of thousands of domains worldwide, and the disruption of several key ransomware platforms.

Even after the 2023 Genesis Market takedown led to the arrest of 120 suspects, security insiders say organized cybercrime is still a thriving business, with top Russian platforms selling millions of sets of stolen personal data collected via proliferating infostealer malware.

Genesis Market seized by FBI. Image by Cybernews.

OFAC said Thursday's actions further illustrate that Russia continues to offer safe harbor to such actors, naming several other high-profile Russian cybercriminals outed by the FBI earlier this year.

“These include the July designation of two members of the Russian hacktivist group Cyber Army of Russia Reborn; the May designation of Dmitry Khoroshev (LockBitSupp), the leader of the LockBit ransomware group; and the February designation of LockBit affiliates Ivan Kondratiev and Artur Sungatov,” OFAC said.

Working with the US State Department, a reward of up to $10 million each for information leading to the arrest or conviction of Ivanov or Shakhmametov was offered up to the public on Thursday.

Additionally, State Department officials posted rewards of up to $1 million each for information identifying the leaders of PM2BTC, as well as stolen credit card marketplaces PinPays and Joker's Stash.
