
Chainalysis names Moscow City firms linked to laundering cybercriminals’ funds
In 2021, more than $400 million in cryptocurrency from ransomware passed through Russia-linked addresses. This accounted for about 74% of total ransomware revenue, according to a Chainalysis report.
Analysts noted that many forms of ransomware are linked to Russian cybercriminals. Chainalysis emphasised that their ties to Russia are determined by the following criteria:
- connection to the hacker group Evil Corp, based in Russia. Its leaders are suspected of interacting with the Russian authorities;
- avoiding attacks on companies from the CIS;
- other indicators, such as the use of the Russian language.
Experts found that the bulk of ransomware proceeds is laundered through services aimed mainly at Russian users.
“Russia is home to several cryptocurrency companies that processed a significant volume of transactions from illicit addresses,” the report says.
Analysts are tracking several dozen cryptocurrency firms operating in Moscow City. More than half of them are located, or were located, in Federation Tower.
Together, from 2019 to 2021 these companies received cryptocurrency worth hundreds of millions of dollars each quarter, and the total in the second quarter of last year reached nearly $1.2 billion, Chainalysis calculated. During the period, almost $700 million flowed to their addresses from high-risk accounts.
The bulk of the illegal funds consisted of proceeds from fraud ($313 million) and darknet markets ($296 million); ransomware proceeds were in third place at $38 million.
Analysts note that the share of high-risk transactions for some companies is small. This can be explained by a lack of awareness, not deliberate criminal activity.
“But for other Moscow City cryptocurrency firms, illicit funds account for up to or more than 30% of all received cryptocurrency, suggesting they may deliberately serve cybercriminal clients,” Chainalysis says.
The firm singled out several companies that were in some way linked to laundering funds during 2019-2021:
- Bitzlato. More than $966 million in funds related to illegal or high-risk operations. This amount accounts for almost half of all cryptocurrency that passed through the company. Chainalysis says Bitzlato received $206 million from darknet marketplaces, $224.5 million from various forms of fraud, and $9 million from ransomware groups;
- Garantex. More than $645 million linked to suspicious transactions — 31% of the total volume. According to Chainalysis, the company received over $10 million from ransomware operators, including NetWalker, Phoenix Cryptolocker and Conti;
- EggChange. More than $3.7 million related to illegal operations — 11% of the total volume. EggChange co-founder Denis Dubnikov is suspected of laundering money for Ryuk operators.
Chainalysis also noted Buy-bitcoin, Tetchange, Cashbank and Suex.
In September, the US Treasury added Suex to its sanctions list. The agency says that funds of ransomware operators, scam projects, darknet marketplaces and the now-defunct BTC-e passed through the exchange.
Chainalysis found that Suex, among other things, processed several million dollars in transactions with the cryptocurrency exchange WEX. According to Elliptic, more than $370 million related to cybercriminals passed through the exchange.
Garantex, in a reply to ForkLog, said that criteria for “toxic” transactions are still being formed on the market, and databases with information about them are continually expanded:
“Any cryptocurrency exchange operating for more than a year will face (or sooner or later will face) a situation in which its long-standing transactions may later be deemed ‘toxic’. Partly, this relates to ongoing investigations into highly resonant crimes.”
Currently, Garantex uses the Crystal service and, since late 2021, has been negotiating with Chainalysis to ensure “the maximum possible level of analytics” of the exchange’s operations:
“All incoming transactions, labeled by Crystal as ‘ransomware’ at the moment they arrive at Garantex, were promptly blocked in accordance with our AML policies.”
Representatives said they operate under the Estonian-licence regime and adhere to a “zero tolerance” stance toward transactions linked to illicit activity.
Bitzlato said that reports of the company’s Moscow office are incorrect and that the service is merely a broker between buyers and sellers. The company also noted it actively cooperates with law enforcement — in 2021 Bitzlato provided information to authorities in various countries no fewer than 200 times and blocked 1,157 users suspected of laundering funds. In a ForkLog comment, Bitzlato representatives added that the claim they belong to a crypto-criminal ecosystem is incorrect and erroneous.
“We consider the information about classifying Bitzlato as part of the crypto-criminal ecosystem to be incorrect and erroneous,” said the company representatives in a ForkLog interview.
ForkLog also approached Eggchange, Tetchange and Cashbank for comment but did not receive a reply by publication time.
In January, the FSB announced the takedown of the REvil group, which had been distributing ransomware. It was described as one of the world’s largest hacker collectives.