Arrested Clop gang members laundered over $500M in ransomware payments

The members of the Clop ransomware gang that were arrested last week in Ukraine as part of an international law enforcement action also operated money laundering services for multiple cybercrime groups.

According to cryptocurrency exchange portal Binance, the group engaged in both cyber-attacks and "a high-risk exchanger" that laundered funds for the Clop ransomware gang and other criminal groups.

In total, Binance said the group laundered more than $500 million worth of cryptocurrency from ransomware payments originating from attacks carried out with the Clop and Petya strains.

In addition, the group, which Binance tracked as FancyCat, also laundered millions more from other forms of cybercrimes.

Binance, which is a cryptocurrency exchange portal based in the Cayman Islands, said it worked with blockchain analysis firms TRM Labs and Crystal (BitFury) to discover the group's existence; information they later shared with law enforcement and which Binance claims led to the group's arrest earlier this month.

According to Ukrainian police, six Clop/FancyCat members were detained last week around the Kyiv area.

While Ukrainian police claimed the group was part of the Clop ransomware gang, Binance's revelation today confirms the fact that the six suspects were only marginal pawns in the Clop operation.

This also explains why the six arrests last week in Ukraine did not lead to a stop in Clop attacks.

The ransomware gang's "leak site" remained active, even after the arrests, and a new victim was added on Tuesday, June 22, six days after the arrests in Ukraine.

The FancyCat case marks the second time that a Binance internal investigation leads to the arrest of a criminal group that laundered ransomware payments.

The first arrests took place in June 2020, when Ukrainian police arrested a criminal gang that ran 20 low-level cryptocurrency exchanges that laundered more than $42 million worth of ransomware payments between 2018 and 2020—part of an operation Binance codenamed Bulletproof Exchanger.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.