German Law Enforcement Seizes Russian No KYC Exchanges

On September 19, 2024, the German Federal Criminal Police (BKA) seized the infrastructure of 47 Russian-language no-KYC (Know Your Customer) cryptocurrency exchanges in an operation named "Operation Final Exchange." The takedown is notable not only for its scale, but also for the light it has shed on the central role that instant-swap-style no-KYC exchanges play in facilitating on-chain cybercrime.

As the name suggests, no-KYC exchanges have no known process for collecting customer data before allowing a deposit or withdrawal. They do not require a name, phone number, or email address and make no attempt to verify this information before allowing transactions. As such, these services allow a range of cybercriminals to abuse their services without KYC checks to identify or disrupt illicit activity. The BKA’s Operation Final Exchange landing page calls out ransomware affiliates, botnet operators, and darknet vendors as users of the 47 targeted exchanges. Additionally, these services provided fiat on- and off-ramping for sanctioned Russian banks, creating an opportunity to evade sanctions.

Below, we delve deeper into the on-chain activities of these exchanges, examine their connection to the sanctioned Russian banks, and discuss the implications of the disruption.

Who are these 47 No KYC Exchanges?

Our data reveals interesting patterns across the services targeted by the BKA, with robust direct and indirect exposure to various illicit services. At least seventeen of the exchanges saw a month with more than 50% direct inflow from illicit sources. At least twelve saw a month where more than 30% of direct inflow came from darknet marketplaces (DNMs). At least six saw at least one month where stolen funds made up more than 30% of total direct inflow. At least five had at least one month where more than 30% of indirect inflow came from sanctioned entities.
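The monthly share-of-inflow thresholds above can be expressed as a simple screening check. The following is an added example, not Chainalysis's methodology or code: the record layout, the category names, the grouping of "illicit" categories, and the sample transfers are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transfers: (service, month, exposure, source_category, usd).
# Service names and amounts are invented for illustration.
TRANSFERS = [
    ("swap-a", "2023-01", "direct", "darknet_market", 40_000),
    ("swap-a", "2023-01", "direct", "centralized_exchange", 60_000),
    ("swap-a", "2023-02", "direct", "stolen_funds", 35_000),
    ("swap-a", "2023-02", "direct", "ransomware", 20_000),
    ("swap-a", "2023-02", "direct", "centralized_exchange", 45_000),
    ("swap-b", "2023-01", "direct", "centralized_exchange", 90_000),
    ("swap-b", "2023-01", "direct", "darknet_market", 10_000),
    ("swap-b", "2023-01", "indirect", "sanctioned_entity", 50_000),
    ("swap-b", "2023-01", "indirect", "centralized_exchange", 50_000),
]

# Assumed grouping of categories that count as "illicit sources".
ILLICIT = {"darknet_market", "stolen_funds", "ransomware", "sanctioned_entity"}

# (label, exposure type, categories counted, share that must be exceeded)
RULES = [
    ("illicit>50% direct", "direct", ILLICIT, 0.50),
    ("DNM>30% direct", "direct", {"darknet_market"}, 0.30),
    ("stolen>30% direct", "direct", {"stolen_funds"}, 0.30),
    ("sanctioned>30% indirect", "indirect", {"sanctioned_entity"}, 0.30),
]

def flag_services(transfers, rules=RULES):
    """Return {service: {rule label: months where the share exceeded it}}."""
    totals = defaultdict(float)   # (service, month, exposure) -> total inflow
    by_cat = defaultdict(float)   # (service, month, exposure, category) -> inflow
    for service, month, exposure, category, usd in transfers:
        totals[(service, month, exposure)] += usd
        by_cat[(service, month, exposure, category)] += usd

    flags = defaultdict(lambda: defaultdict(list))
    for (service, month, exposure), total in sorted(totals.items()):
        for label, rule_exposure, categories, threshold in rules:
            if exposure != rule_exposure or total <= 0:
                continue
            share = sum(by_cat[(service, month, exposure, c)] for c in categories) / total
            if share > threshold:  # "more than", so strictly greater
                flags[service][label].append(month)
    return {s: dict(r) for s, r in flags.items()}
```

A service is counted under a rule if at least one month appears in its list, which matches the "saw a month with more than" wording used above.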

This exposure shows that for many of these services, laundering illicit funds was a substantial part of their business. As illustrated in the Chainalysis Crypto Research chart below, the top ten services targeted by the BKA did business with a wide range of illicit services, including, but not limited to, sanctioned entities, ransomware actors, DNMs, and dark web escrow and data brokers.

The graph below shows the quarterly inflow to the top ten exchanges closed by the BKA. These services received value from a variety of sources, including periods of significant inflows from drug-related DNMs, online pharmacies, malicious cybercriminals such as ransomware gangs, and funds stolen in robberies and scams.

There has also been a notable increase over time in the share of inflows from legitimate sources, particularly centralized exchanges. While this change in the composition of inflows might in other circumstances suggest that the services were cleaning up their platforms, the reality is likely more complicated. In this case, the increased inflows from otherwise legitimate sources most likely represent the increasing use of these services for sanctions evasion by Russian nationals, who are likely attempting to use these no KYC exchanges to evade sanctions on Russian banks.

How do these services work?

These services operate as instant swap-style services, allowing users to exchange one currency for another without providing any personal information or going through a verification process. Offerings include crypto-to-crypto and fiat-to-crypto swaps, allowing users to instantly exchange popular cryptocurrencies and stablecoins, or to link their bank account directly to on- and off-ramp between fiat and crypto.

As with other categories of the illicit crypto ecosystem, we have seen that no KYC exchanges, especially those targeted by the BKA, often have overlapping or similar on-chain infrastructure. In some cases, they even share off-chain networks, such as website shells, employees and administrators, physical locations, and ownership structures, to name a few. Typically, these websites do not have any affiliated company incorporation, registration, phone numbers, physical addresses, or any indication of jurisdictional operation. Unlike other high-risk and illegal services, most of these services do not have a social media presence, but instead offer users the ability to interact with a bot on their homepages. Despite using servers in Germany, these services primarily target a Russian clientele, as suggested by their default language settings in Russian and information about banking services for fiat transactions provided by sanctioned Russian banks, such as Sberbank.

Connectivity with sanctioned Russian banks

Many of the 47 no-KYC exchanges were Russian-language platforms offering fiat-to-crypto and crypto-to-crypto instant exchange services. As we saw in our recent analysis of Russia’s new cryptocurrency law, Russian-language instant exchanges can be exploited to quickly move fiat currency from sanctioned Russian banks to specific crypto wallets, allowing entities to bypass sanctions. Given the dramatically increased sanctions pressure on Russian banks following the large-scale invasion of Ukraine in February 2022, instant exchanges have emerged as a convenient way to on- and off-ramp funds for sanctioned banks. Of the 47 no-KYC exchanges targeted in Operation Final Exchange, all exchanges we identified on-chain accepted on- and off-ramping with sanctioned Russian banks.

The magnitude of the disruption is likely to lead to useful progress

Most of the exchanges targeted by BKA have been operating since 2021 or earlier, with the top three by transactions processed – Xchange.cash, 60cek.org, and Bankcomat.com – operating since 2016 or earlier, according to the Operation Final Exchange landing page. The longevity of these services suggests that a substantial portion of affected customers will need to establish alternative financial facilitation and money laundering routes.

The impact of the disruption will likely extend far beyond the targeted no-KYC exchanges. As the BKA noted, it now has possession of these exchanges’ development, production, and backup servers, as well as transaction data, registration data, and IP addresses. This data will likely play a significant role in generating follow-up leads for the BKA and key international law enforcement partners in the coming months. We will continue to monitor this phenomenon closely and highlight any new no-KYC exchanges that emerge as significant players in this space.
