Office of Public Affairs | Two Russian nationals charged in connection with operating billions of dollars worth of money laundering services

The Department of Justice today announced actions coordinated with the State Department, the Treasury Department, and other federal and international law enforcement partners to combat Russian money laundering operations. The actions include the unveiling of an indictment accusing a Russian national of his involvement in operating multiple money laundering services that targeted cybercriminals, as well as the seizure of websites linked to three illegal cryptocurrency exchanges.

“Today’s actions underscore the Department’s continued disruption of malicious cyber actors and their criminal ecosystem,” said Deputy Attorney General Lisa Monaco. “The two Russian nationals charged today are alleged to have pocketed millions of dollars through prolific money laundering and fueled a network of cybercriminals around the world, with Ivanov allegedly facilitating darknet drug traffickers and ransomware operators. Working with our Dutch partners, we shut down Cryptex, an illegal crypto exchange, and recovered millions of dollars in cryptocurrency.”

“Every step cybercriminals take in their quest for money leaves another trail that leads us to their front door,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “And if you follow their path of greed, they will lead us to you. We will not stop, because while domains can always be seized, justice is unyielding.”

“The Secret Service is relentless in its pursuit of those involved in criminal activity,” said US Secret Service Deputy Director Brian Lambert. “I thank our domestic and foreign partners for their efforts in this case as we continue our work to bring those involved in transnational criminal activity to justice.”

According to court documents released today in the Eastern District of Virginia, Russian national Sergey Ivanov, known online as “Taleon,” among other aliases, was charged with one count of conspiracy to commit and aid and abet bank fraud for providing payment processing support to the carding website Rescator, and one count of conspiracy to commit money laundering for laundering proceeds from the carding website Joker’s Stash. “Carding” is the unlawful acquisition and trading of stolen credit and debit card information for fraudulent purposes. Ivanov is said to have operated as a professional cyber money launderer for almost two decades, advertising his services to other cybercriminals on exclusive Russian-language criminal forums. Over the years, Ivanov’s money laundering services and payment systems have targeted cybercrime marketplaces, ransomware groups and hackers responsible for significant data breaches at major US companies.

Ivanov allegedly founded and/or operated the Russian payment and exchange services UAPS, PinPays and PM2BTC, which provided money transfer and money laundering services directly to criminals. Cryptocurrency blockchain analysis revealed that between July 12, 2013 and August 10, cryptocurrency addresses linked to Ivanov’s alleged money laundering services executed transactions totaling approximately $1.15 billion. About 32% of all traced bitcoin sent to these addresses came from other cryptocurrency addresses linked to criminal activity. For example, more than $158 million worth of bitcoin flowing to Ivanov’s addresses reportedly came from fraud proceeds, more than $8.8 million represented proceeds from known ransomware payments, and approximately $4.7 million came from drug markets on the darknet. The US Secret Service has received court permission to seize domains associated with the UAPS and PM2BTC websites.

The Rescator carding website allegedly sold stolen payment card data from US financial institutions and personally identifiable information (PII) of US citizens. For example, the website allegedly advertised the sale of data from as many as 40 million payment cards and the PII of approximately 70 million people stolen from a major US retail victim in 2013. The breach cost the US retail victim at least $202 million in costs and caused damage to the US retail victim’s customers, who became targets of identity theft by other cybercriminals. Ivanov allegedly provided payment processing support for the Rescator carding site through the UAPS and PinPays services for purchases made on the site using bitcoin.

In addition, Russian national Timur Shakhmametov, known online as “JokerStash” and “Vega,” among others, is charged in the same indictment with one count of conspiracy to commit and aiding and abetting bank fraud, one count of conspiracy to commit access device fraud, and one count of conspiracy to commit money laundering in connection with his work operating the carding website Joker’s Stash and laundering the proceeds. Joker’s Stash offered data from approximately 40 million payment cards for sale annually, totaling hundreds of millions of payment cards, and was one of the largest known carding marketplaces in history. Estimates of profits range from $280 million to more than $1 billion. Shakhmametov and others allegedly promoted Joker’s Stash and its products by advertising the Joker’s Stash website and stolen payment card information on numerous online cybercrime forums.

In addition, the U.S. Secret Service has executed a District of Maryland seizure warrant against two website domain names used to support the cryptocurrency money laundering exchange “Cryptex.net.” According to court documents released today, Cryptex.net and Cryptex.one were involved in the management and operation of Cryptex, which provides complete anonymity to Cryptex users by allowing them to register for accounts without providing know-your-customer compliance requirements. Like UAPS and PM2BTC, Cryptex advertised directly to cybercriminals.

According to a company that provides blockchain analysis services to law enforcement, there have been more than 37,500 transactions using bitcoin addresses linked to Cryptex, with a total value of approximately 62,586 bitcoin, or $1.4 billion at the time the transactions were carried out. Of that amount, about 31% of bitcoin sent, or $441 million, came from cryptocurrency addresses linked to criminal behavior, including $297 million in fraud proceeds and more than $115 million in ransomware payment proceeds. Nine percent of all bitcoin sent to Cryptex, or $162 million, came from cryptocurrency addresses associated with services commonly used by cybercriminals. Furthermore, 28% of all bitcoin sent from Cryptex was sent to companies or darknet markets sanctioned by the United States.

The seizure of these domains by the government will prevent the owners and third parties from using the sites for money laundering. Individuals who visit these sites now will see a message indicating that the site has been seized by the federal government.

As part of the coordinated actions taken today, our Dutch partners have seized the servers hosting PM2BTC and Cryptex. Those servers were taken offline at various locations around the world and the Dutch seized cryptocurrency from those servers worth more than $7 million.

In coordination with the Department’s actions, other U.S. government agencies and foreign law enforcement partners are also taking related actions. The U.S. Department of State, through its Transnational Organized Crime Rewards Program, has offered rewards of up to $11 million for information leading to the arrest and/or conviction of Ivanov and others involved in the operation of his money laundering services, and for Shakhmametov and others involved in the operation of Joker’s Stash. The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has issued an order identifying PM2BTC as a “major money laundering concern” related to Russian illicit financing. At the same time, the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Cryptex and Ivanov.

The Cyber Investigative Section of the United States Secret Service is investigating the case.

Assistant U.S. Attorney Zoe Bedell for the Eastern District of Virginia is prosecuting the case against Ivanov and Shakhmametov. Attorney Jeff Pearlman and Senior Counsel Jessica Peck of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Thomas Sullivan of the District of Maryland are handling the Cryptex investigation. The Department of Justice’s Office of International Affairs also provided assistance in these cases.

The Dutch Police, the Dutch Fiscal Information and Investigation Service, the International Cooperation Department of the Central Criminal Investigation Department of the State Police of Latvia, Europol, the National Cyber-Forensics & Training Alliance, the German Federal Criminal Police Office and the British National Crime Agency provided invaluable assistance.

The text of FinCEN’s decision can be found here.

For more information about the individuals and entities OFAC designated today, click here.
