The U.S. government on Thursday sanctioned two cryptocurrency exchanges and unsealed an indictment against a Russian national for his alleged involvement in the operation of several money laundering services that were offered to cybercriminals.
The virtual currency exchanges, Cryptex and PM2BTC, have been alleged to facilitate the laundering of cryptocurrencies possibly obtained through cybercrime.
The coordinated action was carried out in collaboration with the Netherlands Police and the Dutch Fiscal Intelligence and Investigation Service (FIOD) as part of an ongoing law enforcement crackdown called Operation Endgame.
Pursuant to the exercise, the websites associated with both the exchanges have been confiscated and replaced with a law enforcement seizure banner. Furthermore, it has led to the seizure of cryptocurrency worth €7 million ($7.8 million).
"The United States and our international partners remain resolute in our commitment to prevent cybercrime facilitators like PM2BTC and Cryptex from operating with impunity," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.
"Treasury, in close coordination with our allies and partners, will continue to use all tools and authorities to disrupt the networks that seek to leverage the virtual assets ecosystem to facilitate their illicit activities."
PM2BTC ("btc2pm[.]me"), the Treasury said, facilitated the laundering of convertible virtual currency (CVC) associated with ransomware and other illicit actors operating in Russia. It has been operational since 2014.
It's also said to have provided direct CVC-to-ruble exchange services, while failing to implement effective anti-money laundering (AML) and Know Your Customer (KYC) programs as required by U.S. federal law.
"PM2BTC facilitates a substantially greater proportion of transactions with apparent links to money laundering activity in connection with Russian illicit finance as compared to 99 percent of other virtual asset service providers," it said. "PM2BTC employs an unusual obfuscation that inhibits attribution of transactions to illicit activity and actors."
Cryptex ("Cryptex[.]net"), in a similar vein, has been accused of advertising virtual currency services directly to cybercriminals, receiving over $51.2 million in illicit proceeds derived from ransomware attacks. It further claimed "complete anonymity" when registering for an account.
It is also estimated to have received no less than $720 million in transactions linked to illegal services used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and the now-sanctioned virtual currency exchange Garantex.
A 44-year-old Russian national, Sergey Sergeevich Ivanov (aka UAPS or TALEON), has been charged for his role as a professional cyber money launderer for nearly two decades, and for providing his services, counting Cryptex and PM2BTC, to other e-crime groups and drug traffickers.
Ivanov's other charges include lending payment processing support to the carding website Rescator and laundering the illegal funds originating from Joker's Stash, another popular carding forum that voluntarily shut down its operations in February 2021.
Two such payment processing services are PinPays and UAPS ("uaps[.]so"), the latter of which stands for Universal Anonymous Payment System and has facilitated payments for several fraud shops like Genesis Market, BriansClub/Brian Dumps, and Faceless, per Chainalysis.
"UAPS and Cryptex have processed over $7.5 billion worth of transactions since their inception in 2013 and 2018, respectively," the blockchain analytics company noted.
Elliptic, another blockchain intelligence firm, said it's aware of "thousands of additional addresses" connected to Cryptex, PM2BTC, PinPays, and Joker's Stash, outside of the four cryptoasset addresses listed by the Treasury as tied to Cryptex, that have affiliations to Russian darknet markets, stolen data vendors, and a dark web forum.
A second Russian national, Timur Shakhmametov (aka JokerStash or Vega), 38, has also been charged with operating Joker's Stash and laundering its proceeds.
The carding marketplace, which offered for sale data from nearly 40 million payment cards annually, peddled hundreds of millions of payment cards over a period of seven years. It's believed that the service netted the threat actors anywhere between $280 million to more than $1 billion in profits.
Concurrent with the actions, the U.S. Department of State has announced rewards of up to $10 million each for information leading to the arrests and/or convictions of Timur Shakhmametov and Sergey Ivanov.
An additional $1 million is also up for grabs for providing information leading to the identification of other key members linked to UAPS, PM2BTC, PinPays, and Joker's Stash.
"One of the most critical tactics in disrupting illicit actors is to disrupt the infrastructure they abuse to facilitate money laundering and other transnational cybercrime," Chainalysis said.
"Today's actions represent [Office of Foreign Assets Control's] continued efforts to work with key international partners to make the internet a safer place by shutting down fraudulent services and the infrastructure that hosts them."
Update
Russian authorities have opened a criminal investigation into Cryptex and UAPS, as part of a law enforcement action that saw 148 searches in 14 different regions across the country, leading to the arrest of 96 suspects.
"The accomplices conducted illegal activities on the exchange of currencies, cryptocurrencies, delivery and receipt of cash, sale of bank cards and personal accounts," the Investigative Committee of Russian Federation (ICRF) said in a statement on October 2, 2024. "The main clients of these services were cybercriminals and hackers who used the services to legalize their criminal income."
The individuals are believed to have earned about 3.7 billion rubles ($39 million). The development marks one of the rare instances of the Russian government going after cybercrime groups harbored within its borders. Russian news agency Interfax reported that one of the defendants in the criminal case is Ivanov, who has also been sanctioned by the U.S. government.
(The story was updated after publication on October 4, 2024, to include details about the criminal investigation launched by Russia.)