Cybercrime , Fraud Management & Cybercrime
Alleged Russian Cybercrime Money Launderer Indicted in US
Sergey Ivanov, aka 'Taleon,' Accused of Money Laundering Over Two-Decade SpanThe United States on Thursday criminally charged an alleged key money laundering figure in the Russian cybercriminal underground on the same day Western authorities shut down virtual currency exchanges by seizing web domains and servers associated with Russian cybercrime.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Dutch police seized servers hosting the PM2BTC cryptocurrency exchange. U.S. prosecutors accused Russian national Sergey Ivanov, known online as "Taleon," of operating the exchange alongside other payment services called UAPS and PinPays that cater to cybercriminals. An unsealed indictment said - activities that underscore his "deep involvement in Russian cybercrime." TRM also identified him as a payment processor for fraud shops, including Genesis Market, which law enforcement shuttered in May last year.
"Over the years, Ivanov's laundering services and payment systems have catered to cybercrime marketplaces, ransomware groups and hackers responsible for significant data breaches of major U.S. companies," said the Department of Justice.
The Department of the Treasury designated PM2BTC as a "primary money laundering concern," and sanctioned Ivanov, effectively cutting him off from the U.S. and European banking systems.
Indicted alongside Ivanov was Russian national Timur Shakhmametov, aka JokerStash and Vega, who allegedly used Ivanov to launder criminal proceeds. Prosecutors accused Shakhmametov of running now-defunct carder website Joker's Stash. Prosecutors estimated Joker's Stash administrators earned between $280 million to $1 billion in profits before shutting it down in 2021. Shakhmametov also faces charges for conspiracy to commit bank fraud and conspiracy to commit money laundering, as well as an additional charge of conspiracy to commit access device fraud.
PM2BTC, operated by Ivanov since 2014, allegedly facilitated fraud and ransomware payments for groups such as Conti and TrickBot. Treasury linked nearly half of the virtual currency exchange's operations to criminal activity. The platform evaded sanctions and used obfuscation techniques to stay under law enforcement's radar.
Ivanov also controls operations at PinPays, a payment processor launched as an invite-only service in 2013, servicing carding shops and other darknet operations allegedly including the Rescator carding site. Rescator sold stolen data from at least 40 million payment cards disbursed by U.S. financial institutions and the personally identifiable information of more than 70 million U.S. citizens.
Blockchain intelligence firm Chainalysis characterized PinPays as just a rebranded UAPS. Fraud shops in 2015 transitioned from UAPS to PinPays, both operating with the same logo, fraud shop customers and shared wallet infrastructure, it said. In recent years, the exchange function of the service has been "minimal, and on-chain behavior indicates that UAPS primarily serves as a fraud-related payment processor," it said.
TRM Labs said that PinPays aggregated deposits from multiple cybercrime services and laundered funds through interconnected wallets before sending them to another cryptocurrency platform that authorities shuttered Thursday called Cryptex. TRM Labs estimates the amount laundered between 2022 and 2024 to be over $500 million. It generated a new wallet address for each transaction and mixed illicit and legitimate deposits to anonymize the source of funds. "This dual role of processing both legitimate and illicit transactions places CryptexPay in a critical position within the global cybercrime ecosystem," TRM Labs said.
Working with Dutch and German police, federal law enforcement disrupted Cryptex.
Cryptex.net
and Cryptex.one
facilitated transactions worth $1.4 billion, prosecutors said, one-third of which came from blockchain addresses associated with criminal behavior. More than one-quarter of all cryptocurrency sent from Cryptex involved companies or darknet markets sanctioned by the Department of the Treasury. Dutch authorities seized Cryptex servers and recovered cryptocurrency worth $7 million.
The Department of State announced a reward of up to $10 million for information that would lead to the arrest or conviction of either Ivanov or Shakhmametov. It offered an additional reward of up to $1 million for information that could identify other leaders of the Joker's Stash criminal marketplace and the UAPS, PM2BTC and PinPays transnational criminal groups.