{"id":75132,"date":"2023-03-07T07:00:00","date_gmt":"2023-03-07T05:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=75132"},"modified":"2025-09-10T09:55:54","modified_gmt":"2025-09-10T06:55:54","slug":"cleaning-up-the-dirt-which-bitzlato-counterparties-face-new-criminal-charges","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/cleaning-up-the-dirt-which-bitzlato-counterparties-face-new-criminal-charges\/","title":{"rendered":"Cleaning up the dirt: which Bitzlato counterparties face new criminal charges?"},"content":{"rendered":"<p>On January 17, the French public prosecutor&#8217;s office, together with partners from Spain, Portugal and Cyprus, <a href=\"https:\/\/forklog.com\/en\/news\/us-authorities-arrest-founder-of-bitzlato-crypto-platform\">seized the infrastructure<\/a> of the Bitzlato cryptocurrency exchange and detained <a href=\"https:\/\/forklog.com\/en\/news\/bitzlato-co-founder-cites-seized-funds-and-announces-restart\">five people affiliated with the company<\/a>.<\/p>\n<p>According to Europol, in total the exchange converted assets tied to criminal activity worth around <a href=\"https:\/\/forklog.com\/en\/news\/europol-bitzlato-converted-more-than-1-billion-of-assets-linked-to-crime\">\u20ac1 billion ($1.08 billion)<\/a>. In the indictment of founder Anatoly Legkodymov, in particular, laundering <a href=\"https:\/\/www.justice.gov\/usao-edny\/pr\/founder-and-majority-owner-bitzlato-cryptocurrency-exchange-charged-unlicensed-money\">$700 mln<\/a>, linked to the closed darknet marketplace Hydra.<\/p>\n<p>Among Bitzlato&#8217;s <a href=\"https:\/\/forklog.com\/en\/news\/binance-hydra-and-finiko-named-leading-counterparties-in-bitzlato-case\">counterparties<\/a> are major bitcoin exchanges, P2P platforms, mixers, darknet marketplaces and pyramid schemes. Tracking of illicit funds in the case has already led to <a href=\"https:\/\/forklog.com\/en\/news\/binance-customers-report-account-blocks\">freezes of user accounts<\/a> on several <span data-descr=\"centralized exchanges\" class=\"old_tooltip\">CEX<\/span>.<\/p>\n<p>Synthesising with ForkLog\u2019s analysts, we examined which entities that interacted with Bitzlato could become subjects of new investigations and how this could affect their users.<\/p>\n<h2 class=\"wp-block-heading\"><strong>How investigators traced Bitzlato?<\/strong><\/h2>\n<p>Experts consulted by ForkLog are convinced that aiding the laundering of illicit funds drew law enforcement\u2019s attention to Bitzlato. The exchange had been under surveillance even before the <a href=\"https:\/\/forklog.com\/en\/news\/german-police-confiscated-hydra-servers-and-seized-543-btc\">seizure of Hydra\u2019s servers<\/a> in April 2022.<\/p>\n<p>According to <a href=\"https:\/\/blog.chainalysis.com\/reports\/2022-crypto-crime-report-preview-russia-ransomware-money-laundering\/\">Chainalysis<\/a>, over $966 million \u2014 48% of the platform\u2019s total transaction volume \u2014 were linked to illicit or high\u2011risk operations. Of these, $206 million came from darknet marketplaces, $224.5 million from various kinds of fraud, and $9 million from extortionist groups.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/Slhb6P9aK7YbK6bOe1FazLT1SzGYJ1o6d1oPHppN4lgRxzUrSzMHUDHwzeS3hSgPRAKy2ufrdDB-5fEYVbW_WGCA3ELQtyDON-GfOW9ZcatDnmfqIUBCTPlmACcH2CReJRhhXEkZrWZPxdHcifD7CxODvlTGC7RgkLKIZKGGqNohyycZAQ9aIcoHKUMSfg\" alt=\"Cleaning up the dirt: which Bitzlato counterparties face new criminal charges?\"\/><figcaption>Sources of illicit funds entering Bitzlato. Data: Chainalysis.<\/figcaption><\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abIn addition to Hydra, Bitzlato actively interacted with sanctioned platforms, such as Chatex, Blender.io, with wallets of various hacker groups and fraudulent projects, for example \u2018Finiko\u2019. In combination with the absence of proper AML\/KYC procedures this led to such consequences\u00bb, \u2014 said representatives of the BitOK tracking, control and analytics service.<\/p>\n<\/blockquote>\n<p>These conclusions are confirmed by <a href=\"https:\/\/www.fincen.gov\/sites\/default\/files\/shared\/Order_Bitzlato_FINAL%20508.pdf\">the FinCEN report<\/a>.<\/p>\n<p>In addition, among Bitzlato\u2019s allegations are aiding in laundering funds to <a href=\"https:\/\/nbctf.mod.gov.il\/en\/seizures\/Pages\/Blockchain1.aspx\">terrorists<\/a>, notably Jama\u2019at at-Tauhid wal-Jihad and <a href=\"https:\/\/ru.wikipedia.org\/wiki\/%D0%A5%D0%90%D0%9C%D0%90S\">Hamas<\/a>, added to the team.<\/p>\n<p>According to them, the confirmed amount of seized assets of the exchange at this stage stands at about 144 BTC. By contrast, Bitzlato representatives reported the seizure of the platform\u2019s hot wallet, which contained \u201c<a href=\"https:\/\/forklog.com\/en\/news\/bitzlato-co-founder-cites-seized-funds-and-announces-restart\">around 35% of users\u2019 funds across all cryptocurrencies at the time of the operation<\/a>.\u201d They did not disclose a precise figure, citing fluctuations in exchange rates.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abThe total number of wallets associated with Bitzlato exceeds 257,000; the overwhelming majority are Bitcoin addresses. All of them have been identified by us and our colleagues as high\u2011risk addresses rated at 7\u201310. Naturally, most are users\u2019 deposit addresses, but there are about 20 hot and cold wallets of the platform\u00bb, \u2014 noted the experts at HAPI Labs.<\/p>\n<\/blockquote>\n<p>BitOK specialists provided a more granular breakdown of the wallets:<\/p>\n<ul class=\"wp-block-list\">\n<li>~ 250,000 Bitcoin addresses;<\/li>\n<li>two main Ethereum addresses;<\/li>\n<li>~ 60,000 Litecoin addresses;<\/li>\n<li>~ 3,500 Dash addresses;<\/li>\n<li>~ 3,200 Bitcoin Cash addresses.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>Bitzlato\u2019s counterparties potentially under investigation?<\/strong><\/h2>\n<p>Among Bitzlato\u2019s main counterparties tracked from 2019 to 2023 are:<\/p>\n<ul class=\"wp-block-list\">\n<li>darknet marketplaces Hydra, BlackSprut, OMG!OMG!, Mega, MG555, Solaris, FEshop and Middle Earth;<\/li>\n<li>exchanges Binance, Garantex, Kraken and Coinbase;<\/li>\n<li>financial pyramids Finiko, QubitTech, Antares, Teqra, FX Trading and KriptoFuture;<\/li>\n<li>sanctioned platforms Chatex and Blender.io;<\/li>\n<li>ransomware strains Phobos, AstroLocker and Dharma;<\/li>\n<li>mining pools ViaBTC.com and EMCD.<\/li>\n<\/ul>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/qryeyZVVf1WLjjs1J4wLcwRvylbhe4aYUnz82CBIRcM18SkxmIBQ0ntJnEccR8wjNOEAchOZzfGhF96KSVaAV2R_SGQliqHhaEZy4s4UDpmnREdyDzDyqGmdAteHyvk0S8y8yVa67iNKKlqHF5d0ZySrfoVUuSLrB4oNcOEgibEyK7FT2jzFN81udNJM9A\" alt=\"Cleaning up the dirt: which Bitzlato counterparties face new criminal charges?\"\/><figcaption>Top-20 illicit organisations that sent money to Bitzlato. Data: Chainalysis.<\/figcaption><\/figure>\n<p>As Crystal Blockchain specialists noted, in 2022 roughly a quarter of all bitcoins processed through Bitzlato were linked to illicit activity or to services that do not request verification from users.<\/p>\n<p>They added that on darknet forums there were direct recommendations to send funds to Bitzlato, as a service \u201cthat does not ask questions.\u201d At the same time, bypassing the exchange\u2019s compliance was not difficult.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abFor example, with one OMG!OMG! client, when attempting a direct withdrawal to Bitzlato, the platform\u2019s security team requested proof of funds provenance. The user forged a screenshot of a withdrawal from a P2P service: Bitzlato verified the image as evidence and the user was able to withdraw fiat\u00bb, the experts said.<\/p>\n<\/blockquote>\n<p>The BitOK team states that authorities could potentially be interested in any counterparties that interacted with Bitzlato.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abIn our view, many exchanges and brokers have already received Bitzlato-related requests from law enforcement and financial regulators\u00bb, they added.<\/p>\n<\/blockquote>\n<p>If one looks at Hydra-related transaction handling, problems could potentially arise for exchanges MINE.exchange, WW-Pay.net, Konvert.im, Payeer.com, the online wallet Cryptonator.com and the P2P platform LocalBitcoins, according to HAPI Labs. Note that LocalBitcoins announced in early February that it would cease serving users due to the crypto-winter. Nevertheless, the shutdown of operations is no guarantee against future investigations.<\/p>\n<p>The large Russian financial pyramid Finiko also had numerous counterparties, for example Binance, Garantex Europe OU, Bitpanda, Luno and Coinbase, LocalBitcoins and Totalcoin.io, as well as other platforms with little or no KYC\/AML requirements.<\/p>\n<p>Overall, according to HAPI, if a service generates more than 20% of its turnover from illicit activity or laundering stolen funds, there is a high likelihood that law enforcement will sooner or later take an interest.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abRight now this looks unlikely, but Binance may face serious questions in the near future. They receive too much of their funds from suspicious addresses with high risk, including those linked to financing terrorism\u00bb, they added.<\/p>\n<\/blockquote>\n<p>Any investigations into these services mean potential freezes of their clients&#8217; funds.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Can users recover assets from freezes?<\/strong><\/h2>\n<p>Centralised exchanges\u2019 actions regarding customers\u2019 balances, whose funds may be tied to illicit activity, depend on their AML policies, explain experts.<\/p>\n<p>A striking example is the recent mass account freezes on Binance tied to the Bitzlato case. To date, some users still cannot access their assets.<\/p>\n<p>With growing adoption of crypto by traditional financial institutions and tighter regulation, services without adequate verification, AML compliance, licensing and other safeguards are at risk.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abIn such cases, users\u2019 funds may be subject to thorough scrutiny; accounts may be frozen without providing information about the source of funds or other evidence that the assets were indeed \u201cclean.\u201d Either way \u2014 it will take a very long time\u00bb, warned Crystal Blockchain.<\/p>\n<\/blockquote>\n<p>To pre-empt possible freezes, experts recommend AML-transaction analysis services. In particular, BitOK has developed its own portfolio-tracker focused on monitoring \u201cdirty\u201d money. <\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abWe help track crypto assets, upload supporting documents, keep notes on operations and create documents for tax purposes or proof of provenance, for example when the bank or tax authorities request it\u00bb, said the service\u2019s representatives.<\/p>\n<\/blockquote>\n<p>In the Bitzlato case, the tracker checks wallets not only for their link to the exchange but also to its largest counterparties, including Hydra, Finiko, Chatex, Blender.io, Binance, Kraken, Coinbase and others. Available assets for checking include Bitcoin, Ethereum, Litecoin, Dash, and Bitcoin Cash.<\/p>\n<p>HAPI Labs urges adhering to basic cyber hygiene rules, including avoiding interactions with unknown or unreliable platforms. The company offers two free tools for address checks: <a href=\"https:\/\/terminal.hapilabs.one\/guest-address-check\">HAPI Terminal<\/a> and <a href=\"https:\/\/explorer.hapi.one\">HAPI Explorer<\/a>.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abWe help track crypto assets, upload supporting documents, keep notes on operations and create documents for tax or provenance purposes, for example when the bank or tax authorities require it\u00bb, said BitOK representatives.<\/p>\n<\/blockquote>\n<p>In the Bitzlato case, the tracker checks wallets not only for their link to Bitzlato, but also to its major counterparties, including Hydra, Finiko, Chatex, Blender.io, Binance, Kraken, Coinbase and others. Wallets\/assets checked include Bitcoin, Ethereum, Litecoin, Dash, and Bitcoin Cash.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Comments from Bitzlato<\/strong><\/h2>\n<p>Anton Shkureno, a freelance adviser to Bitzlato (the spokesperson asked not to be named) told ForkLog that the French prosecutor\u2019s investigation is not directed at the exchange itself.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abCriminal cases have been brought only against individuals, but the company will act as a third party to defend its business reputation. There is no investigation into Bitzlato in France or Russia\u00bb, she said.<\/p>\n<\/blockquote>\n<p>She noted that all the arrested individuals \u201cwere not part of the team; they were contractors or consultants, some of whom had never participated in the company\u2019s core activities.\u201d The founder Anatoly Legkodymov has also \u201clong since left the company.\u201d The company, for its part, provides them with necessary consultations.<\/p>\n<p>Now the exchange is appealing the seizure of its servers in France.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abUnfortunately, this is not a quick process. This is also because France intentionally slows down proceedings, but we hope for a swift victory\u00bb, the lawyer added.<\/p>\n<\/blockquote>\n<p>She noted that the company, if necessary, is prepared to provide law enforcement with all internal documents that \u201cprove compliance with all AML\/KYC requirements and procedures.\u201d<\/p>\n<p>Discussing risks of criminal cases against Bitzlato\u2019s counterparties, the lawyer found it difficult to speculate.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abIt is hard to say, because the company operated calmly and did not even foresee that criminal cases would be brought against people who have long been detached from the company, and some not even connected with its core activities\u00bb, she said.<\/p>\n<\/blockquote>\n<h2 class=\"wp-block-heading\"><strong>Similar cases<\/strong><\/h2>\n<p>Bitzlato is not the only crypto service under suspicion for processing illicit funds and whose assets were frozen as part of investigations.<\/p>\n<p>In September 2021, the U.S. Treasury\u2019s OFAC added the cryptocurrency exchange <span data-descr=\"centralized exchanges\" class=\"old_tooltip\">Suex<\/span> with offices in Moscow and Saint Petersburg to its sanctions list. Authorities say funds of operators of at least eight ransomware programs, scam projects and darknet marketplaces passed through the service.<\/p>\n<p>Chainalysis <a href=\"https:\/\/blog.chainalysis.com\/reports\/ofac-sanction-suex-september-2021\/\">found<\/a> that since February 2018 Suex received more than $480 million in Bitcoin. At least $160 million of this amount is linked to illicit activity.<\/p>\n<p>In the wake of the Binance investigation, Binance blocked assets of some users due to potential ties to Suex. The notification explaining the reasons for the account suspension reached victims only the day after problems arose.<\/p>\n<p>On November 8 of the same year, U.S. authorities imposed sanctions on Telegram bot for cryptocurrency exchange Chatex, as well as Izibits O\u00dc, Chatextech SIA and Hightrade Finance Ltd. Co\u2011founder of the service, as well as the Suex exchange, is Russian Yegor Petukhovsky.<\/p>\n<p>According to Chainalysis, since September 2018 Chatex processed Bitcoin transactions totaling at least $77.5 million, including more than $17 million of illicit assets, including Hydra funds, Finiko scams, QubitTech.ai and others, as well as operators of several ransomware programs.<\/p>\n<p>During the investigation period, users\u2019 funds on Chatex were blocked from movement, but the team claims they remain safe.<\/p>\n<p>In April 2022 the U.S. added the cryptocurrency exchange Garantex to its sanctions list. An analysis of its known transactions showed that transfers exceeding $100 million involved illicit entities and darknet marketplaces; of these, almost $6 million came from the Russian hacking group Conti and around $2.6 million from Hydra.<\/p>\n<p>In early March 2022, operator Garantex relinquished its Estonian license to operate with virtual currencies after discovering a number of systemic violations in its activities.<\/p>\n<p>In May, the U.S. Treasury added the mixer Blender.io to its sanctions list. The agency said the service helped launder funds stolen by North Korean hackers and was implicated in ransomware campaigns.<\/p>\n<p>The ministry also noted Blender.io\u2019s link to the Ronin Ethereum sidechain hack in the game Axie Infinity, in which North Korea\u2019s Lazarus Group stole crypto assets worth $625 million. Through the mixer, around $20.5 million of that amount flowed.<\/p>\n<p>In August, sanctions were imposed on the cryptocurrency mixer <span data-descr=\"Know Your Customer (KYC)\" class=\"old_tooltip\">Tornado Cash<\/span>. Authorities said that since its inception in 2019 the service has been used by criminals to launder more than $7 billion; over $455 million of that figure is linked to Lazarus.<\/p>\n<p>Circles also added USDC addresses to its blacklist.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Conclusions<\/strong><\/h2>\n<p>Experts interviewed note that the fight against money laundering in the crypto market is still in its early stages, and thus AML compliance and the integrity of digital assets will continue to grow in importance.<\/p>\n<p>Organizations that fail to comply with anti-money laundering rules and continue to process assets from illicit actors may come under law enforcement scrutiny.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abWhen dealing with unlicensed exchanges, users risk losing their savings or facing a host of questions when moving to licensed platforms. Services that do not collect customer data simply function as mixers\u00bb, Crystal Blockchain summarised.<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Together with ForkLog analysts, we examined which Bitzlato-linked entities could become subjects of new investigations and how this could affect their users.<\/p>\n","protected":false},"author":1,"featured_media":75133,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[1144],"tags":[1412,1635,1154,1557,1470,1720,1323,686],"class_list":["post-75132","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-longreads","tag-bans-and-restrictions","tag-bitzlato","tag-crimes","tag-finiko","tag-garantex","tag-hydra","tag-investigations","tag-sanctions"],"aioseo_notices":[],"amp_enabled":true,"views":"21","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=75132"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75132\/revisions"}],"predecessor-version":[{"id":75134,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75132\/revisions\/75134"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/75133"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=75132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=75132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=75132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}