
Cleaning up the dirt: which Bitzlato counterparties face new criminal charges?
On January 17, the French public prosecutor’s office, together with partners from Spain, Portugal and Cyprus, seized the infrastructure of the Bitzlato cryptocurrency exchange and detained five people affiliated with the company.
According to Europol, the exchange converted assets tied to criminal activity worth around €1 billion ($1.08 billion) in total. The indictment of founder Anatoly Legkodymov, in particular, cites the laundering of $700 million linked to the closed darknet marketplace Hydra.
Among Bitzlato’s counterparties are major bitcoin exchanges, P2P platforms, mixers, darknet marketplaces and pyramid schemes. Tracking of illicit funds in the case has already led to freezes of user accounts on several centralised exchanges (CEX).
Together with ForkLog’s analysts, we examined which entities that interacted with Bitzlato could become subjects of new investigations and how this could affect their users.
How did investigators trace Bitzlato?
Experts consulted by ForkLog are convinced that aiding the laundering of illicit funds drew law enforcement’s attention to Bitzlato. The exchange had been under surveillance even before the seizure of Hydra’s servers in April 2022.
According to Chainalysis, over $966 million, or 48% of the platform’s total transaction volume, was linked to illicit or high‑risk operations. Of this, $206 million came from darknet marketplaces, $224.5 million from various kinds of fraud, and $9 million from extortionist groups.
«In addition to Hydra, Bitzlato actively interacted with sanctioned platforms, such as Chatex, Blender.io, with wallets of various hacker groups and fraudulent projects, for example ‘Finiko’. In combination with the absence of proper AML/KYC procedures this led to such consequences», — said representatives of the BitOK tracking, control and analytics service.
These conclusions are confirmed by the FinCEN report.
In addition, the allegations against Bitzlato include aiding in the laundering of funds for terrorists, notably Jama’at at-Tauhid wal-Jihad and Hamas, the team added.
According to them, the confirmed amount of seized assets of the exchange at this stage stands at about 144 BTC. By contrast, Bitzlato representatives reported the seizure of the platform’s hot wallet, which contained “around 35% of users’ funds across all cryptocurrencies at the time of the operation.” They did not disclose a precise figure, citing fluctuations in exchange rates.
«The total number of wallets associated with Bitzlato exceeds 257,000; the overwhelming majority are Bitcoin addresses. All of them have been identified by us and our colleagues as high‑risk addresses rated at 7–10. Naturally, most are users’ deposit addresses, but there are about 20 hot and cold wallets of the platform», — noted the experts at HAPI Labs.
BitOK specialists provided a more granular breakdown of the wallets:
- ~ 250,000 Bitcoin addresses;
- two main Ethereum addresses;
- ~ 60,000 Litecoin addresses;
- ~ 3,500 Dash addresses;
- ~ 3,200 Bitcoin Cash addresses.
Which Bitzlato counterparties are potentially under investigation?
Among Bitzlato’s main counterparties tracked from 2019 to 2023 are:
- darknet marketplaces Hydra, BlackSprut, OMG!OMG!, Mega, MG555, Solaris, FEshop and Middle Earth;
- exchanges Binance, Garantex, Kraken and Coinbase;
- financial pyramids Finiko, QubitTech, Antares, Teqra, FX Trading and KriptoFuture;
- sanctioned platforms Chatex and Blender.io;
- ransomware strains Phobos, AstroLocker and Dharma;
- mining pools ViaBTC.com and EMCD.
As Crystal Blockchain specialists noted, in 2022 roughly a quarter of all bitcoins processed through Bitzlato were linked to illicit activity or to services that do not request verification from users.
They added that on darknet forums there were direct recommendations to send funds to Bitzlato, as a service “that does not ask questions.” At the same time, bypassing the exchange’s compliance was not difficult.
«For example, with one OMG!OMG! client, when attempting a direct withdrawal to Bitzlato, the platform’s security team requested proof of funds provenance. The user forged a screenshot of a withdrawal from a P2P service: Bitzlato verified the image as evidence and the user was able to withdraw fiat», the experts said.
The BitOK team states that authorities could potentially be interested in any counterparties that interacted with Bitzlato.
«In our view, many exchanges and brokers have already received Bitzlato-related requests from law enforcement and financial regulators», they added.
If one looks at Hydra-related transaction handling, problems could potentially arise for exchanges MINE.exchange, WW-Pay.net, Konvert.im, Payeer.com, the online wallet Cryptonator.com and the P2P platform LocalBitcoins, according to HAPI Labs. Note that LocalBitcoins announced in early February that it would cease serving users due to the crypto-winter. Nevertheless, the shutdown of operations is no guarantee against future investigations.
The large Russian financial pyramid Finiko also had numerous counterparties, for example Binance, Garantex Europe OU, Bitpanda, Luno, Coinbase, LocalBitcoins and Totalcoin.io, as well as other platforms with little or no KYC/AML requirements.
Overall, according to HAPI, if a service generates more than 20% of its turnover from illicit activity or laundering stolen funds, there is a high likelihood that law enforcement will sooner or later take an interest.
«Right now this looks unlikely, but Binance may face serious questions in the near future. They receive too much of their funds from suspicious addresses with high risk, including those linked to financing terrorism», they added.
Any investigations into these services mean potential freezes of their clients’ funds.
Can users recover assets from freezes?
How centralised exchanges treat the balances of customers whose funds may be tied to illicit activity depends on their AML policies, experts explain.
A striking example is the recent mass account freezes on Binance tied to the Bitzlato case. To date, some users still cannot access their assets.
With growing adoption of crypto by traditional financial institutions and tighter regulation, services without adequate verification, AML compliance, licensing and other safeguards are at risk.
«In such cases, users’ funds may be subject to thorough scrutiny; accounts may be frozen without providing information about the source of funds or other evidence that the assets were indeed “clean.” Either way — it will take a very long time», warned Crystal Blockchain.
To pre-empt possible freezes, experts recommend AML-transaction analysis services. In particular, BitOK has developed its own portfolio-tracker focused on monitoring “dirty” money.
«We help track crypto assets, upload supporting documents, keep notes on operations and create documents for tax purposes or proof of provenance, for example when the bank or tax authorities request it», said the service’s representatives.
In the Bitzlato case, the tracker checks wallets not only for their link to the exchange but also to its largest counterparties, including Hydra, Finiko, Chatex, Blender.io, Binance, Kraken, Coinbase and others. Available assets for checking include Bitcoin, Ethereum, Litecoin, Dash, and Bitcoin Cash.
HAPI Labs urges adhering to basic cyber hygiene rules, including avoiding interactions with unknown or unreliable platforms. The company offers two free tools for address checks: HAPI Terminal and HAPI Explorer.
Comments from Bitzlato
Anton Shkureno, a freelance adviser to Bitzlato (the spokesperson asked not to be named) told ForkLog that the French prosecutor’s investigation is not directed at the exchange itself.
«Criminal cases have been brought only against individuals, but the company will act as a third party to defend its business reputation. There is no investigation into Bitzlato in France or Russia», she said.
She noted that all the arrested individuals “were not part of the team; they were contractors or consultants, some of whom had never participated in the company’s core activities.” The founder Anatoly Legkodymov has also “long since left the company.” The company, for its part, provides them with necessary consultations.
Now the exchange is appealing the seizure of its servers in France.
«Unfortunately, this is not a quick process. This is also because France intentionally slows down proceedings, but we hope for a swift victory», the lawyer added.
She noted that the company, if necessary, is prepared to provide law enforcement with all internal documents that “prove compliance with all AML/KYC requirements and procedures.”
Discussing risks of criminal cases against Bitzlato’s counterparties, the lawyer found it difficult to speculate.
«It is hard to say, because the company operated calmly and did not even foresee that criminal cases would be brought against people who have long been detached from the company, and some not even connected with its core activities», she said.
Similar cases
Bitzlato is not the only crypto service suspected of processing illicit funds whose assets were frozen as part of investigations.
In September 2021, the U.S. Treasury’s OFAC added the cryptocurrency exchange Suex with offices in Moscow and Saint Petersburg to its sanctions list. Authorities say funds of operators of at least eight ransomware programs, scam projects and darknet marketplaces passed through the service.
Chainalysis found that since February 2018 Suex received more than $480 million in Bitcoin. At least $160 million of this amount is linked to illicit activity.
In the wake of the Binance investigation, Binance blocked assets of some users due to potential ties to Suex. The notification explaining the reasons for the account suspension reached victims only the day after problems arose.
On November 8 of the same year, U.S. authorities imposed sanctions on Chatex, a Telegram bot for cryptocurrency exchange, as well as on Izibits OÜ, Chatextech SIA and Hightrade Finance Ltd. The co‑founder of the service, as well as of the Suex exchange, is Russian national Yegor Petukhovsky.
According to Chainalysis, since September 2018 Chatex processed Bitcoin transactions totaling at least $77.5 million, including more than $17 million of illicit assets, among them funds from Hydra, the Finiko and QubitTech.ai scams and others, as well as from operators of several ransomware programs.
During the investigation period, users’ funds on Chatex were blocked from movement, but the team claims they remain safe.
In April 2022 the U.S. added the cryptocurrency exchange Garantex to its sanctions list. An analysis of its known transactions showed that transfers exceeding $100 million involved illicit entities and darknet marketplaces; of these, almost $6 million came from the Russian hacking group Conti and around $2.6 million from Hydra.
In early March 2022, the Garantex operator relinquished its Estonian license to operate with virtual currencies after a number of systemic violations were discovered in its activities.
In May, the U.S. Treasury added the mixer Blender.io to its sanctions list. The agency said the service helped launder funds stolen by North Korean hackers and was implicated in ransomware campaigns.
The ministry also noted Blender.io’s link to the hack of the Ronin Ethereum sidechain used by the game Axie Infinity, in which North Korea’s Lazarus Group stole crypto assets worth $625 million. Around $20.5 million of that amount flowed through the mixer.
In August, sanctions were imposed on the cryptocurrency mixer Tornado Cash. Authorities said that since its inception in 2019 the service has been used by criminals to launder more than $7 billion; over $455 million of that figure is linked to Lazarus.
Circle also added USDC addresses to its blacklist.
Conclusions
Experts interviewed note that the fight against money laundering in the crypto market is still in its early stages, and thus AML compliance and the integrity of digital assets will continue to grow in importance.
Organizations that fail to comply with anti-money laundering rules and continue to process assets from illicit actors may come under law enforcement scrutiny.
«When dealing with unlicensed exchanges, users risk losing their savings or facing a host of questions when moving to licensed platforms. Services that do not collect customer data simply function as mixers», Crystal Blockchain summarised.