OFAC Designates Russian Exchange Cryptex and Fraud Shop Facilitator UAPS, FinCEN Names PM2BTC

On September 26, 2024, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) designated Russia-based exchange Cryptex and Sergey Sergeyevich Ivanov (aka UAPS, aka TALEON), which facilitated money laundering for fraud shops, ransomware payments, darknet markets and other criminal actors. In addition, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has named PM2BTC, a no-KYC exchange that processed more than $1 billion and is associated with Ivanov, a “major money laundering concern” under section 9714(a) of the Combating Russian Money Laundering Act. The action against PM2BTC is FinCEN’s second use of 9714(a) involving cryptocurrency-affiliated entities, after the first action against Bitzlato in January 2023. Today’s action is one of OFAC’s largest-ever crypto designations at the service level; UAPS and Cryptex have processed more than $7.5 billion in transactions since their inception in 2013 and 2018, respectively.

This designation coincides with several Dutch and American law enforcement actions in which the domains, servers and other infrastructure of the services were seized. The Netherlands’ Financial and Tax Crime Investigation Services (FIOD) and National High Tech Crime Unit (NHTCU), with the help of Chainalysis and Tether, seized money worth 7 million euros. At the same time, the US State Department has announced a reward offer of up to $10 million through the Transnational Organized Crime Rewards Program for information leading to Ivanov’s arrest and/or conviction. In addition, according to the designation, the U.S. Secret Service and the U.S. Attorney’s Office for the Eastern District of Virginia are announcing charges against Ivanov and another Russian national, Timur Shakhmametov. These simultaneous efforts are part of Operation Endgame, a multilateral, coordinated cyber operation between US and European authorities aimed at dismantling the financial enablers of transnational cybercrime.

Services like Cryptex, UAPS and PM2BTC are key enablers of cybercrime as they process payments and launder the proceeds from the sale of stolen data and personally identifiable information (PII). Criminals typically use this information to orchestrate various scams, identity theft, and account takeovers.

Below, we take a closer look at Cryptex, UAPS and PM2BTC, examining their on-chain activity and their role in the cybercrime ecosystem, and how OFAC’s actions contribute to a global crackdown on fraud.

What is Cryptex?

Cryptex is a Russian-language, direct exchange service that operates a trading platform and an exchange platform.

In January 2022, Cryptex launched CryptexPay to support payment processing in Bitcoin (BTC) and Litecoin (LTC) for online businesses using its platforms, especially those classified as high-risk. CryptexPay further attracted criminals by explicitly advertising its lack of compliance with AML/KYC requirements.

What is UAPS?

UAPS, which stands for Universal Anonymous Payment System, facilitates payments for fraud shops, including the now-designated Genesis Market, BriansClub/Brian Dumps and Faceless. The project was officially launched in 2013 on a dark web forum as an underground, invite-only payment processor. An attractive feature of the service was that payment processing capabilities could be integrated via API. According to the terms of service, sellers are only approved if they receive an invitation from another member or permission from the admin. For this reason, it is very popular among criminals who use crypto to finance their activities.

In 2015, many fraud shops switched from UAPS to PinPays, a now-defunct version of UAPS that featured a logo on the websites of vendors that used the service. Some fraud shops even started redirecting users to a PinPays merchant page. Based on the high overlap in fraud merchant customers and the shared wallet infrastructure evident on-chain, it is clear that PinPays was an attempt at an overt rebranding of UAPS. UAPS also shared wallet infrastructure with the no-KYC exchange PM2BTC. However, in recent years the service’s exchange function has been minimal, and its on-chain behavior indicates that UAPS serves primarily as a fraud-related payment processor.

What is PM2BTC?

PM2BTC is a no-KYC exchange that has been operational since 2014 and is closely associated with Ivanov (aka UAPS). Like UAPS and Cryptex, the service facilitated activities on behalf of ransomware actors and fraud shops, in addition to facilitating sanctions evasion. Today’s press release from the Treasury Department highlighted that almost half of all PM2BTC funds were from clearly illegal sources.

On-chain activity from Cryptex, UAPS and PM2BTC

Cryptex has processed nearly $7 billion worth of crypto transactions during its lifetime, mostly in BTC and LTC. Between 2018 and mid-2019, most of the value received came from regular services, with some increases in value received by fraud shops and high-risk entities. Since late 2019, Cryptex has obtained most of its value from fraud shops, followed by mainstream services, high-risk entities, and ransomware services.


In the Chainalysis Reactor graph below, we see Cryptex’s relationship with a selection of ransomware actors, including underground money laundering services, underground calling services and malware-as-a-service providers. Cryptex has processed hundreds of millions of dollars in ransomware proceeds.

We also see Cryptex’s connection to OFAC-sanctioned Russian national Ekaterina Zhdanova, who used cryptocurrency to launder money on behalf of Russian elites, ransomware groups and other bad actors.

On-chain analysis also reveals the scale of the funds UAPS processed through Cryptex. In 2024 alone, UAPS sent over $89 million worth of crypto to intermediary addresses, after which the funds were moved to addresses controlled by Cryptex (as shown in the chart below).

The chart below highlights just some of PM2BTC’s counterparties that process hundreds of millions of dollars on behalf of illicit actors, including ransomware and fraud shops.

The global crackdown on fraudulent infrastructure

One of the most critical tactics in disrupting illicit actors is disrupting the infrastructure they abuse to facilitate money laundering and other transnational cybercrime. Today’s actions represent OFAC’s ongoing efforts to work with key international partners to make the Internet a safer place by shutting down fraudulent services and the infrastructure that hosts them.

