U.S. authorities recently targeted Sergey Sergeevich Ivanov, a Russian cybercrime facilitator, and PM2BTC and Cryptex, two virtual Russian currency exchanges associated with Ivanov, in an effort to disrupt Russian money laundering operations and prevent them from operating with impunity. According to the U.S. Department of the Treasury, over the last 20 years, Ivanov has laundered hundreds of millions of dollars’ worth of virtual currency for ransomware actors and other cybercriminals using various payment processing services, including PM2BTC, Cryptex and one that does business as “UAPS.” These actions were taken by the United States, on September 26, 2024, in coordination with members of the Netherlands Police and the Dutch Fiscal Intelligence and Investigation Service (“FIOD”), who reportedly seized the web domains and/or infrastructure associated with PM2BTC, UAPS and Cryptex.
On September 26, 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) also issued an order identifying PM2BTC as a foreign financial institution of “primary money laundering concern” in connection with Russian illicit finance. The order, which was effective immediately, also prohibited covered financial institutions from transmitting funds involving PM2BTC. The order was issued after FinCEN determined that PM2BTC failed to maintain effective anti-money laundering and know your customer programs – failures that enabled certain ransomware actors and other cybercriminals in Russia to launder convertible virtual currency (“CVC”) funds and effectively evade U.S. sanctions. FinCEN also found that nearly half of PM2BTC’s exchange activity was linked to illicit activity.
On the same day, the Office of Foreign Assets Control sanctioned Ivanov and Cryptex, which is registered in St. Vincent and the Grenadines under the name ”International Payment Service Provider.” According to OFAC, Cryptex has received more than $51.2 million in funds derived from ransomware attacks. Ivanov and Cryptex were designated pursuant to Executive Order 14024, for operating in the financial services sector of the Russian economy, while Cryptex was additionally designated pursuant to EO 13694, as amended by EO 13757, for engaging in cyber-enabled activity identified pursuant to EO 13694, as amended.
In addition, on September 26, 2024, the U.S. Department of Justice unsealed an indictment in the Eastern District of Virginia that charged Ivanov with one count of conspiracy to commit and aid and abet bank fraud for supporting the carding website Rescator, and one count of conspiracy to commit money laundering for allegedly laundering the proceeds from another carding website, Joker’s Stash. The DOJ describes carding as the unlawful act of obtaining and trading stolen credit and debit card information for fraudulent purposes. The same indictment charges Russian national Timur Shakhmametov with similar offenses, including one count of conspiracy to commit access device fraud in connection with his creation and operation of the Joker’s Stash website. The DOJ also announced that the U.S. Secret Service executed a seizure order from the District of Maryland against “Cryptex.net” and “Cryptex.one,” two web domains associated with the administration and operation of the newly-designated Cryptex exchange.
The U.S. Department of State also concurrently issued an award of up to $10 million each for information leading to the arrests and/or convictions of Ivanov and Shakhmametov. The Department offered a separate reward of up to $1 million each for information leading to the identification of other Joker’s Stash leaders as well as the leaders of UAPS, PM2BTC, and PinPays, another transnational criminal group.
U.S. Department of Treasury Press Release | FinCEN News Release | Federal Register Notice | DOJ Press Release | U.S. Department of State Press Statement