The Justice Department today announced actions coordinated with the Department of State, Department of the Treasury, and other federal and international law enforcement partners to combat Russian money laundering operations. The actions involved the unsealing of an indictment charging a Russian national with his involvement in operating multiple money laundering services that catered to cybercriminals, as well as the seizure of websites associated with three illicit cryptocurrency exchanges.
“Today’s actions highlight the Department’s continued disruption of malicious cyber actors and their criminal ecosystem,” said Deputy Attorney General Lisa Monaco. “The two Russian nationals charged today allegedly pocketed millions of dollars from prolific money laundering and fueled a network of cyber criminals around the world, with Ivanov allegedly facilitating darknet drug traffickers and ransomware operators. Working with our Dutch partners, we shut down Cryptex, an illicit crypto exchange and recovered millions of dollars in cryptocurrency.”
“Every step cybercriminals take in their pursuit of money leaves another track that leads us to their doorstep,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “And if you follow them on their path of greed, they will lead us to you. We will not stop, because while domains can always be seized, justice is unyielding.”
“The Secret Service is relentless in pursuing those engaged in criminal activity,” said Assistant Director Brian Lambert of the U.S. Secret Service. “I thank our domestic and foreign partners for their efforts on this case, as we continue our work bringing to justice those engaged in transnational criminal activity.”
According to court documents unsealed today in the Eastern District of Virginia, Russian national Sergey Ivanov, known online as “Taleon,” among other aliases, was charged with one count of conspiracy to commit and aid and abet bank fraud for providing payment processing support to the carding website Rescator, and one count of conspiracy to commit money laundering for laundering proceeds from the carding website Joker’s Stash. “Carding” is the unlawful acquisition of and trade in stolen credit and debit card information for fraudulent purposes. Ivanov allegedly operated for nearly two decades as a professional cyber money launderer, advertising his services to other cybercriminals on exclusive Russian-speaking criminal forums. Over the years, Ivanov’s laundering services and payment systems have catered to cybercrime marketplaces, ransomware groups, and hackers responsible for significant data breaches of major U.S. companies.
Ivanov allegedly created and/or operated Russian payment and exchange services UAPS, PinPays, and PM2BTC, which provided money transfer and laundering services directly to criminals. Cryptocurrency blockchain analysis revealed that between July 12, 2013, and Aug. 10, cryptocurrency addresses associated with Ivanov’s alleged money laundering services conducted transactions totaling approximately $1.15 billion in value. Approximately 32% of all traced bitcoin sent to these addresses originated from other cryptocurrency addresses associated with criminal activity. For example, more than $158 million of bitcoin flowing into Ivanov’s addresses allegedly represented fraud proceeds, more than $8.8 million allegedly represented proceeds from known ransomware payments, and approximately $4.7 million allegedly originated from darknet drug markets. The U.S. Secret Service has obtained court authorization to seize domains associated with the UAPS and PM2BTC websites.
The Rescator carding website allegedly sold stolen payment card data from U.S. financial institutions and personally identifiable information (PII) of U.S. citizens. For example, the website allegedly advertised the sale of data from up to 40 million payment cards and the PII of approximately 70 million people that had been stolen from a major U.S. retail victim in 2013. The breach cost the U.S. retail victim at least $202 million in expenses and caused damage to the U.S. retail victim’s customers, who became targets of identity theft by other cybercriminals. Ivanov allegedly provided payment processing support for the Rescator carding site through the UAPS and PinPays services for purchases made on the site using bitcoin.
Additionally, Russian national Timur Shakhmametov, known online as “JokerStash” and “Vega,” among other aliases, is charged in the same indictment with one count of conspiracy to commit and aid and abet bank fraud, one count of conspiracy to commit access device fraud, and one count of conspiracy to commit money laundering related to his work in operating the carding website Joker’s Stash and laundering the proceeds. Joker’s Stash offered for sale data from approximately 40 million payment cards annually, totaling hundreds of millions of payment cards overall, and was one of the largest known carding markets in history. Estimates of its profits range from $280 million to more than $1 billion. Shakhmametov and others allegedly promoted Joker’s Stash and its products by advertising the Joker’s Stash website and its stolen payment card data on numerous online cybercrime forums.
Separately, the U.S. Secret Service executed a seizure order from the District of Maryland against two website domain names used to support the cryptocurrency money laundering exchange “Cryptex.net.” According to court records unsealed today, Cryptex.net and Cryptex.one were associated with the administration and operation of Cryptex, which offers complete anonymity to Cryptex users by allowing them to register for accounts without providing know-your-customer compliance requirements. Like UAPS and PM2BTC, Cryptex advertised itself directly to cybercriminals.
According to a company that provides blockchain analytics services to law enforcement, there have been more than 37,500 transactions involving bitcoin addresses associated with Cryptex, amounting to a total value of approximately 62,586 bitcoin, or $1.4 billion at the time the transactions were made. Of that amount, about 31% of the bitcoin sent, or $441 million, originated from cryptocurrency addresses associated with criminal conduct, including $297 million of fraud proceeds and more than $115 million of proceeds from ransomware payments. Nine percent of all bitcoin sent to Cryptex, or $162 million, originated from cryptocurrency addresses associated with services often used by cybercriminals. Further, 28% of all bitcoin sent from Cryptex was sent to companies or darknet markets sanctioned by the United States.
The seizure of these domains by the government will prevent the owners and third parties from using the sites for money laundering. Individuals visiting those sites now will see a message indicating that the site has been seized by the federal government.
As part of the coordinated actions taken today, our Dutch partners seized the servers hosting PM2BTC and Cryptex. Those servers have been taken offline at various locations around the world, and the Dutch have seized cryptocurrency from those servers worth over $7 million.
In coordination with the department’s actions, other U.S. government agencies and foreign law enforcement partners are also taking related actions. The U.S. Department of State issued reward offers up to $11 million through its Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Ivanov and others involved in the operation of his money laundering services, and for Shakhmametov and others involved in the operation of Joker’s Stash. Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an order that identifies PM2BTC as being of “primary money laundering concern” in connection with Russian illicit finance. Concurrently, Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Cryptex and Ivanov.
The U.S. Secret Service Cyber Investigative Section is investigating the case.
Assistant U.S. Attorney Zoe Bedell for the Eastern District of Virginia is prosecuting the case against Ivanov and Shakhmametov. Trial Attorney Jeff Pearlman and Senior Counsel Jessica Peck of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Thomas Sullivan of the District of Maryland are handling the investigation into Cryptex. The Justice Department’s Office of International Affairs also provided assistance in these matters.
The Netherlands Police, Dutch Fiscal Information and Investigation Service, the International Cooperation Department of the Central Criminal Police of the State Police of Latvia, Europol, the National Cyber-Forensics & Training Alliance, the German Federal Criminal Police Office, and the UK National Crime Agency provided invaluable assistance.
The text of FinCEN’s order can be found here.
For more information on the individuals and entities that OFAC designated today, click here.