How Cryptocurrency Turns to Cash in Russian Banks – Krebs on Security
A Canadian-registered financial firm has become a payment processor for dozens of Russian cryptocurrency exchanges and websites peddling cybercriminal services targeting Russian-speaking customers, new research has found. Meanwhile, an investigation into the Vancouver street address used by the company revealed it was home to dozens of foreign currency dealers, money transfer companies and cryptocurrency exchanges, none of which were actually there.
Richard Sanders is a blockchain analyst and investigator who advises the law enforcement and intelligence communities. Sanders has spent much of 2023 in Ukraine, traveling with Ukrainian soldiers while mapping the changing landscape of Russian cryptocurrency exchanges that are laundering money for drug networks operating in the region.
Recently, Sanders has focused on determining how dozens of popular cybercrime services get paid by their customers and how they convert cryptocurrency earnings into cash. Over the past few months, he has been signing up for various cybercrime services and then tracking their clients’ funds.
The 122 services targeted in Sanders’ study include some of the better-known businesses advertising on cybercrime forums today, such as:
– Abuse-friendly or “bulletproof” hosting providers such as anonvm[.]Wow and PQ hosting;
– Sites that sell old email, financial or social media accounts, such as verif[.]work and Kopechka[.]shop;
– Anonymous or “agent” suppliers, such as crazyrdp[.]com and rdp[.]monster;
– Anonymous messaging services including anonsim[.]Internet and SMS Boss[.]relative.
Sanders said he first came across some of these services while investigating a Kremlin-sponsored disinformation campaign in Ukraine because they were useful for organizing large-scale, anonymous social media campaigns.
According to Sanders, all 122 services he tested were processing payments through a company called Cryptomus, which describes itself as a cryptocurrency payments platform based in Vancouver, British Columbia. Cryptomus’ website says its parent company — Xeltox Enterprises Ltd. (formerly certa-pay[.]com) — is registered as a Money Services Business (MSB) with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
Sanders said payment data he collected also showed that at least 56 cryptocurrency exchanges are currently using Cryptomus to process transactions, including financial entities with the following names: cashier[.]yes, Grumbot[.]com, Flying money[.]We, Obama[.]Ru and slide[.]yes.
These platforms are built with Russian speakers in mind, and each advertises the ability to anonymously exchange one form of cryptocurrency for another. They also allow exchanging cryptocurrencies for cash in accounts at some of Russia’s largest banks, almost all of which are currently subject to sanctions by the United States and other Western countries.
Analysis of the technical infrastructure shows that all these exchanges use Russian email providers and that most are hosted directly in Russia or are backed by Russian ISPs with infrastructure in Europe (such as Selectel, Netwarm UK, Beget, Timeweb and DDoS-Guard). The analysis also showed that almost all 56 exchanges used Yunyao, a global content delivery network headquartered in San Francisco.
“The purported purpose of these platforms is to allow companies to accept cryptocurrency payments in exchange for goods or services,” Sanders told KrebsOnSecurity. “Unfortunately, it’s almost impossible to find anything for sale using Cryptomus’ website, and the services appear to fall into one or two different categories: facilitating transactions with sanctioned Russian banks, and platforms providing cyberattack infrastructure and means.”
Cryptomus did not respond to multiple requests for comment.
Phantom address?
The Cryptomus website and its FINTRAC listing show that the company’s registered address is 422 Richards Street, Suite 170, Vancouver, BC. This address was the subject of an investigation published in July by CTV National News and the Investigative Journalism Foundation (IJF), which documents dozens of cases across Canada where multiple MSBs were established at the same address, often without the knowledge or consent of the actual occupants of the location.
Their investigation found that 422 Richards Street was listed as the registered address for at least 76 foreign exchange dealers, eight MSBs and six cryptocurrency exchanges. The address is a three-story building that once housed a bank and now houses a massage therapy clinic and co-working space. But they found that not a single MSB or currency dealer was paying for the coworking space’s services.
Reporters found another 97 MSBs clustered at a commercial office suite address in Ontario, although there was no evidence the companies had arranged any business services at that address.
Peter German, a former deputy commissioner of the Royal Canadian Mounted Police and the author of two reports on money laundering in British Columbia, told the publication that this goes against the spirit of Canada’s registration requirements for such businesses, which are considered to pose a high risk of money laundering and terrorism financing.
“If you have 70 people in a building, that’s an abuse of the entire system,” German said.
The registrations of 10 MSBs registered at 422 Richards St. were revoked. According to the media reports, a company at 422 Richards Street had its registration revoked this year and one of its directors had an address in Russia. “Others appear to have been directed by company directors in Cyprus and other high-risk jurisdictions for money laundering,” they wrote.
A review of the FINTRAC Registry (.CSV) shows that many MSBs at 422 Richards St. offer international money transfer or remittance services to countries such as Malaysia, India, and Nigeria. Some act as currency exchange offices, while others appear to sell merchant accounts and online payment services. Still, KrebsOnSecurity was unable to find any clear links between the 56 Russian cryptocurrency exchanges identified by Sanders and the dozens of payment companies that FINTRAC said share an address with Cryptomus parent company Xeltox Enterprises.
Evade sanctions
In August 2023, Binance and some of the largest cryptocurrency exchanges responded to sanctions against Russia by cutting off many Russian banks and restricting Russian customers to transactions in rubles. Before the change, most of the exchanges currently served by Cryptomus used their own self-hosted cryptocurrency wallets to handle customer funds, Sanders said.
Sanders said that by September 2023, he discovered that the exchanges he was tracking were all nested like Russian dolls at Cryptomus, which adds a layer of obfuscation to all transactions by generating a new cryptocurrency wallet for each order.
“They all just moved to Cryptomus,” he said. “Cryptomus generates new wallets for each order, continuously attribution, and requires high fees for each transaction.”
He continued: “Exchanges like Binance and OKX delisted Sberbank and other sanctioned banks and eliminated Russian users, but this did not eliminate the ability of Russians to easily trade cryptocurrencies. In fact, it’s made even easier because live exchanges don’t even have ‘know your customer’ rules. US sanctions have caused most Russian instant exchanges to switch from self-hosted wallets to platforms, especially Cryptomus.”
Russian President Vladimir Putin signed a new law in August legalizing cryptocurrency mining and allowing the use of cryptocurrencies for international payments. The Russian government’s embrace of cryptocurrencies is a notable pivot: Bloomberg notes that in January 2022, just weeks before Russia’s full-scale invasion of Ukraine, the central bank proposed a complete ban on the use and creation of cryptocurrencies.
In a report released in September on Russia’s cryptocurrency ambitions, blockchain analytics firm Chainalysis said Russia’s move to incorporate cryptocurrencies into its financial system could improve its ability to bypass the U.S.-dominated financial system and engage in non-dollar-denominated trade.
“While it is difficult to quantify the true impact of certain sanctions, the fact that Russian officials pointed to the impact of sanctions on Moscow’s ability to handle cross-border trade suggests that the impact being felt was large enough to inspire urgency to legalize and invest in alternative payment pipelines it once condemned,” the firm assessed.
When asked for its opinion on Cryptomus activity, Chainalysis stated that Cryptomus has been used by various criminals to launder money and/or purchase goods and services.
“We have seen threat actors involved in ransomware, narcotics, darknet markets, fraud, cybercrime, sanctioned entities and jurisdictions, and hacking operations deposit funds into Cryptomus for purchases, but also use the Cryptomus payment API for money laundering services,” the company said in a statement.
Shell game
It is unclear whether Cryptomus and/or Xeltox Enterprises have any operations in Canada. A search of Xeltox’s former name – Certa Payments Ltd. – on the UK Companies House shows an entity with that name, incorporated in December 2023 at the Post Office, London.
The sole shareholder and director of the company is a 25-year-old Ukrainian woman living in the Czech Republic named Vera Krychka. Ms. Krychka was recently appointed to the boards of directors of several other new UK companies, including an entity created in February 2024 named Globopay UAB Ltd. and another called WS Management Consultants Ltd. Ms. Krychka did not respond to a request for comment.
WS Management Consultants claims to be a regulatory agency that specifically oversees cryptocurrency licenses within the jurisdiction of Western Sahara, a disputed territory in northwest Africa. The company assists applicants with bank establishment and formation, online gaming licenses and the creation and licensing of foreign exchange brokers, its website said. One of the former websites of Certa Payments — certa[.]Website — also shares a server with 12 other domains, including rasd-state[.]ws, the website of the Central Reserve Authority of Western Sahara.
The commercial register from the Czech Republic shows Ms. Krychka works as a director of an advertising and marketing company called Icon Technology Co., Ltd., formerly named Blevins Technologies (Blaven’s website calls it an online payment service provider).
In August 2024, Icon Tech changed its name again to Mezindalondnaya IBU SRO, which describes itself as an “experienced IT consultancy” based in Armenia. The registry said Ms. Krychka was also, to some extent, a director of Turkish investment companies. She has such great business acumen at such a young age!
For now, Canada remains an attractive location for cryptocurrency businesses to set up shop, at least on paper. IJF and CTV News found that as of February 2024, there were just over 3,000 actively registered MSBs in Canada, 1,247 of which were located in the same building as at least one other MSB.
“This analysis does not include approximately 2,700 MSBs whose registrations have lapsed, been revoked or otherwise ceased,” they observed. “If they were included, then a staggering 2,061 of the 5,705 MSBs share the same building as at least one other MSB.”
2024-12-11 21:38:48