On a global scale, 13% of funds siphoned as a result of ransomware attacks were sent to users in Russia, more than any other region. Funds siphoned via other forms of cybercrime also go through Russia-based services, particularly concentrated in Moscow’s financial district, known to facilitate money laundering.
Moscow City Raked in $700 Million of Illicit Funds
Moscow’s financial district, home to a large swath of cryptocurrency businesses that receive hundreds of millions of dollars in cryptocurrency per quarter, has raked in over $700 million in illicit funds between 2019 and 2021. Half of these businesses operate from the Federation Tower twin skyscrapers in Moscow City. “In any given quarter, the illicit and risky addresses account for between 29% and 48% of all funds received by Moscow City cryptocurrency businesses,” says Chainalysis. Of the $700 million, $313 million and $296 million came from scams and darknet markets, respectively. Ransomware came third at $38 million. Due to the size of such businesses in Moscow, some are big enough that millions of dollars of illicit funds represent only 10% or less of the total cryptocurrency they receive. This “could be attributed to the business’s lack of knowledge.” However, illicit funds totaling 30% or more of all transactions may mean that businesses are making “a concerted effort to serve a cybercriminal clientele.”
Notable Money Laundering Businesses in Moscow
Some of the most notable Moscow-based businesses that have facilitated significant money laundering, otherwise linked to criminal activity or harboring high-risk mixers and exchanges, include Garantex, Bitzlato, and Suex. Garantex and Suex have both received over $2 billion in cryptocurrency between 2019 and 2021, while over 30% of their transactions are “illicit and risky.” These transactions have included receiving funds extracted by ransomware strains, such as Phoenix Cryptolocker, Netwalker, and Conti. Hundreds of millions more come from a combination of darknet markets, scams, and individual ransomware attackers. The founder of one of the businesses known as Eggchange was arrested for helping Ryuk ransomware operators with money laundering operations. Another lower-profile business known as Cashbank, which pales in comparison to Garantex and Bitzlato in sheer transaction figures, has been advertising on forums “frequented by illicit actors and criminals.” Yet another business, Suex, was sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) in 2021 for receiving over $160 million in illicit funds siphoned from cybercriminal operations.
Eastern European Elite Cybercrime
Russian hackers have become a legendary information security cult staple over the years. One driver for that may be the nation’s “excellence in computer science education, combined with low economic prospects even for those who are skilled in the field.” Eastern Europe, including Russia, has sent the second most amount of illicit cryptocurrency, surpassed only by Western Europe. Eastern Europe leads the world in darknet cryptocurrency transactions, largely spearheaded by Hydra Market activity. That is the largest darknet market in the world, which “caters only to users in Russian-speaking countries throughout Eastern Europe.”
CIS Cybercriminals Will Not Attack Their Own
Cybercriminals from the region protect their own by avoiding attacking former Soviet CIS (Commonwealth of Independent States) countries. For example, several ransomware strains include code that stops ransomware file encryption if a system is located in a CIS country. “In other cases, ransomware operators have even given over decryptors to return file access after learning they inadvertently targeted a Russian organization,” claims the Chainalysis report.
He Said She Said
As a well-recognized participant in operations such as ransomware and money laundering, the question of whether superpower Russia will curb its appetite for cybercrime remains to be seen. The country’s laissez-faire stance on native ransomware operations — evident in the rarity of cybercrime crackdowns there — is a bit of a “he said, she said” situation. For instance, President Putin sides with cryptocurrency miners, while Russian national banks look for a ban on all cryptocurrency-related activity. Analysts believe that any official Russian commitment to openly fighting cybercrime will be disguised as more of an act of diplomacy than anything else, i.e. reducing pressure from the United States. “Regardless of what the future holds, it’s important to understand where things stand now: Russian cybercriminal organizations are some of the biggest perpetrators of cryptocurrency-based crime — especially ransomware — and local cryptocurrency businesses provide money laundering services that enable this activity,” said Chainalysis.