US-led operation disrupts crypto exchanges linked to Russian cybercrime

The U.S. government and Dutch law enforcement took action on Thursday against a handful of Russian cryptocurrency exchanges accused of laundering cybercrime proceeds and a man allegedly involved in their operations. 

In addition to website seizures and other technical moves by law enforcement, the U.S. Treasury’s Office of Foreign Assets Control sanctioned the exchange Cryptex and Russian national Sergey Sergeevich Ivanov. The Justice Department also unsealed an indictment charging Ivanov and another Russian national for facilitating cybercrime. 

Ivanov is also allegedly connected to the virtual currency exchange PM2BTC, which was classified a “primary money laundering concern” by the Treasury’s Financial Crimes Enforcement Network (FinCEN). The designation prohibits “certain transmittals of funds” involving PM2BTC by financial institutions.

As part of the coordinated action against the exchanges, the U.S. Secret Service’s Cyber Investigative Section, along with the Dutch Fiscal Intelligence and Investigation Service (FIOD) and Netherlands police, seized web domains and infrastructure connected to PM2BTC, Cryptex and UAPS — a payment processor allegedly connected to Ivanov. 

According to the Treasury Department, Cryptex has received more than $51.2 million resulting from ransomware attacks, and over $720 million in transactions were linked to services “frequently used by Russia-based ransomware actors and cybercriminals”like fraud shops, mixing services and the previously sanctioned virtual currency exchange Garantex. 

Half of PM2BTC’s exchange activity, meanwhile, was found by the Treasury to have links to suspected crime, including over $600,000 in transactions involving darknet markets between July 22, 2023, and January 14, 2024.    

The Treasury alleges that Ivanov has “laundered hundreds of millions of dollars’ worth of virtual currency for ransomware actors, initial access brokers, darknet marketplace vendors, and other criminal actors for approximately the last 20 years.”

He has been a payment processor, they said, for a handful of darknet marketplaces including the Genesis Market, which was seized last year in an FBI-led operation. 

The Justice Department charged Ivanov, who goes by the online moniker “Taleon,” with bank fraud and money laundering for allegedly providing payment processing support to the carding websites Rescator and Joker’s Stash. 

Fellow Russian Timur Shakhmametov — who goes by “JokerStash” and “Vega” — was also charged for his alleged role as operator of Joker’s Stash, a massive online marketplace for stolen credit card data and personally identifiable information that shut down in 2021. 

The TOC Rewards Program offers rewards up to $10M each for info leading to the arrests and/or convictions of Russian nationals Timur Shakhmametov and Sergey Ivanov, and up to $1M for information leading to the identification of other leaders of Joker’s Stash, UAPS, PM2BTC, and… pic.twitter.com/1a0wZNb8IU

— US Dept of State INL (@StateINL) September 26, 2024

In addition, the Department of State announced a reward of up to $10 million for information leading to the arrest or conviction of Ivanov and Shakhmametov. 

“We will continue to use all our tools and authorities to deter and expose these money laundering networks and impose cost on the cyber criminals and support networks,” the State Department said in a release. “We reiterate our call that Russia must take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.” 

The sanctions are the latest in a series of attempts to punish Russian cybercriminals, who are generally given safe harbor by the Kremlin. It is unclear if the measures to cut them off from the Western financial sector have any tangible impact. 

In May, the Treasury sanctioned Dmitry Khoroshev, the leader of the LockBit ransomware group, several months after a similar action against two of the group’s affiliates. In July, the Treasury designated two members of the Cyber Army of Russia Reborn hacking group. 

Editor’s Note: Updated 9:30 a.m., September 27, with details from the U.S. indictment.