The crypto world is not without its dark corners. From high-risk exchanges to individual hackers, there are entities that exploit the decentralized nature of cryptocurrencies for illicit activities.
In this article, we're diving deep into the underworld of crypto to rank the most notorious entities and individuals based on their inflows in USD.
11. Yevgeniy Igorevich Polyanin - $16,098,600
Who is Yevgeniy Igorevich Polyanin?
Yevgeniy Igorevich Polyanin is a name that's been making waves in the cybersecurity world. He's wanted for his alleged involvement in ransomware attacks and money laundering activities. Specifically, Polyanin is accused of deploying Sodinokibi and REvil ransomware, leaving electronic ransom notes on victims' computers. These notes guided victims to web addresses where they could pay a ransom to have their files decrypted.
What Did He Do?
Upon visiting these web addresses, victims were presented with a ransom amount and a virtual currency address for payment. If the ransom was paid, Polyanin provided the decryption key, allowing victims to regain access to their files. If not, he would either post the victims' exfiltrated data online or claim to have sold it to third parties.
Polyanin has been charged in the United States District Court for the Northern District of Texas with multiple counts, including conspiracy to commit fraud and money laundering.
OFAC's Designation
The Office of Foreign Assets Control (OFAC) is designating Polyanin, along with Ukrainian Yaroslav Vasinskyi, for their roles in perpetuating Sodinokibi/REvil ransomware incidents against the United States.
Both individuals are part of a cybercriminal group that has reportedly received more than $200 million in ransom payments, paid in Bitcoin and Monero. OFAC is also designating a company owned by Polyanin under Executive Order 13694.
Sanctions and Implications
As a result of OFAC's designation, all property and interests in property of Polyanin that are subject to U.S. jurisdiction are blocked. U.S. persons are generally prohibited from engaging in transactions with him. Financial institutions and other entities that engage in transactions with Polyanin may also expose themselves to sanctions or enforcement actions.
10. Dmitrii Karasavidi - $16,800,000
Who is Dmitrii Karasavidi?
Meet Dmitrii Karasavidi, a Russian national who has been making headlines for all the wrong reasons. He's been sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) for his involvement in a sophisticated phishing campaign. This campaign targeted customers of virtual asset service providers, both in the U.S. and abroad, leading to combined losses of at least $16.8 million.
What Did He Do?
Karasavidi and his accomplice, Danil Potekhin, created web domains that mimicked legitimate virtual currency exchanges. This tactic, known as "spoofing," exploited internet users' trust to fraudulently obtain their personal information. Once they had the login credentials, they accessed the victims' real accounts and employed a variety of methods to exfiltrate the ill-gotten virtual currency.
They used exchange accounts created with fictitious or stolen identities, circumvented exchanges' internal controls, and even manipulated the market to make a quick profit.
How Did He Launder the Money?
Karasavidi didn't stop at theft. He laundered the proceeds of the attacks into an account under his name. He attempted to conceal the nature and source of the funds by transferring them through multiple accounts and multiple virtual currency blockchains. But here's the kicker: the stolen virtual currency was eventually traced back to Karasavidi’s account, leading to the seizure of millions in both virtual currency and U.S. dollars.
OFAC's Designation and Legal Actions
OFAC coordinated closely with the United States Secret Service and the U.S. Attorney’s Office for the Northern District of California to bring Karasavidi to justice. He is also the subject of an indictment unsealed by the Department of Justice.
The Importance of AML/CFT Regimes
Karasavidi's actions highlight the critical role that Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regimes play in deterring cybercrimes. Because these cybercriminals have to launder their misappropriated funds, AML/CFT regimes serve as a crucial chokepoint in countering this type of criminal activity.
9. Alex Adrianus Martinus Peijnenburg & Martinus De Koning - $25,091,600
Who are Alex Adrianus Martinus Peijnenburg & Martinus De Koning?
Alex Adrianus Martinus Peijnenburg and Martinus Pterus Henri De Koning are Dutch nationals. They've been designated by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for their involvement in supplying illicit synthetic drugs to the U.S. market.
They initially started their operations on the dark web, selling fentanyl analogues and other synthetic opioids to U.S. consumers.
The Illicit Enterprise
In 2017, both individuals were arrested by the National Police of the Netherlands. They were involved in the sale and distribution of synthetic stimulants, cannabinoids, and opioids through their Dutch company, Research Group Nederland.
Despite their arrest, they continued their illicit activities. Between November 2018 and February 2021, they generated millions of dollars in virtual currency through a synthetic drug sales website, therealrc.com.
This site was maintained by Peijnenburg and facilitated payments through bank transfers or virtual currencies.
OFAC's Designation
OFAC has designated Peijnenburg and De Koning under Executive Order 14059. This action marks the first use of E.O. 14059 to target those involved in the sale of illicit drugs purchased online and via darknet marketplaces.
Several Netherlands-based companies owned or controlled by them were also designated.
Sanctions and Implications
As a result of the designation, all property and interests in property of these individuals that are in the U.S. or under the control of U.S. persons must be blocked and reported to OFAC.
This also extends to any entities that are owned, directly or indirectly, by one or more blocked persons. Those who engage in transactions with these designated individuals may also expose themselves to sanctions or enforcement actions.
8. Yinyin Tian - $99,500,000
Who is Yinyin Tian?
Yinyin Tian is a Chinese national who has been sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC). He's been implicated in laundering stolen cryptocurrency linked to the Lazarus Group, a North Korean state-sponsored cyber group.
The Connection to Lazarus Group
Tian and another individual, Li Jiadong, are accused of materially assisting the Lazarus Group. They received approximately $91 million from DPRK-controlled accounts, stolen in an April 2018 hack of a cryptocurrency exchange. An additional $9.5 million was received from another hack.
The Intricate Web of Money Laundering
Tian and Li were experts at obfuscating the origin of these funds. They transferred the currency among addresses they controlled, making it difficult for authorities to trace the money back to its source.
The Cyber Intrusion
In April 2018, an employee of the targeted exchange downloaded malware through an email, giving the Lazarus Group unauthorized access to customers' personal information and virtual currency wallets. This led to the theft of virtual currencies valued at $250 million at the time.
Financial Maneuvers
Tian moved more than $34 million of these illicit funds through a newly added bank account linked to his exchange account. He also converted nearly $1.4 million worth of Bitcoin into prepaid Apple iTunes gift cards. These gift cards can be used to purchase additional Bitcoin at certain exchanges.
Legal Implications
Tian and Li have been charged with money laundering conspiracy and operating an unlicensed money transmitting business. This case highlights the U.S. government's commitment to holding those who engage in cybercrime accountable, regardless of their location.
Sanctions and Consequences
As a result of the sanctions, all property and interests in property of Tian that are in the United States or under the control of U.S. persons must be blocked and reported to OFAC. Financial institutions that knowingly facilitate transactions for Tian could also be subject to U.S. sanctions.
7. Chatex - $243,000,000
What is Chatex?
Chatex is a Russia-based Telegram bot that facilitates peer-to-peer (P2P) cryptocurrency transactions within the Telegram app. Founded by Egor Petukhovsky, who also founded the recently sanctioned OTC service Suex, Chatex claims to be the world's largest service of its kind, boasting over 366,000 users.
The Sanctions
The U.S. Department of Justice (DOJ) and the Treasury's Office of Foreign Assets Control (OFAC) announced joint actions against Chatex. The company has been added to the Specially Designated Nationals and Blocked Persons (SDN) List, effectively prohibiting Americans from doing business with it.
The Infrastructure
In addition to Chatex, three other companies—IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd—were also sanctioned. These companies were instrumental in setting up the key infrastructure that Chatex relied on to operate.
Financial Activities
Chatex has been quite active since its inception in September 2018. According to Chainalysis, the service has received at least $243,000,000 worth of Bitcoin. Millions of dollars of this came from illicit sources, including darknet markets like Hydra Marketplace, scams like Finiko and QubitTech.ai, and various ransomware strains.
The Affiliates
Two cybercriminals, Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin, who were previously mentioned, were also sanctioned for their role in ransomware attacks against U.S. companies. Both acted as affiliates for the ransomware strain Sodinokibi/REvil, believed to be run by the same organization behind the now-defunct Gandcrab ransomware.
Sanctions Implications
As a result of these designations, all property and interests of Chatex and its affiliates that fall under U.S. jurisdiction are blocked. U.S. persons are generally prohibited from engaging in transactions with them. Financial institutions and other entities that engage in transactions with Chatex may also expose themselves to sanctions or enforcement actions.
6. Lazarus Group - $991,000,000
Who Are They?
The Lazarus Group is a North Korean state-sponsored cybercrime organization. They are known for their malicious activities targeting various sectors, including government, military, and financial institutions.
The group is controlled by North Korea's primary intelligence bureau, the Reconnaissance General Bureau (RGB), which is sanctioned by both the U.S. and the United Nations.
Funds stolen by the Lazarus Group may have been used to fund North Korea's ballistic missile and nuclear programs.
What Have They Done?
Lazarus Group gained notoriety for their involvement in the WannaCry 2.0 ransomware attack in 2017, affecting at least 150 countries and shutting down approximately 300,000 computers. The attack had a significant impact on the United Kingdom's National Health Service, costing them over $112 million.
While they've dabbled in various forms of cybercrime, what makes them particularly relevant to the crypto community is their knack for siphoning off cryptocurrencies. According to reports, they've stolen around $571 million in cryptocurrency between January 2017 and September 2018.
They are also jointly responsible with APT38 for the $620,000,000 hack of Axie Infinity in 2022. $30,000,000 has since been recovered.
Tactics and Tools
The Lazarus Group employs sophisticated methods to infiltrate cryptocurrency exchanges and individual wallets. They use phishing scams, malware attacks, and advanced persistent threats (APTs) to gain unauthorized access.
Their hack of Axie Infinity started with a fake job offer to one of Axie Infinity’s developers.
The group has sub-groups like Bluenoroff and Andariel, focusing on financial gains and cyber operations against foreign businesses and governments, respectively.
Sanctions and Implications
As a result of their activities, all property and interests of Lazarus Group that fall under U.S. jurisdiction are blocked. U.S. persons are generally prohibited from engaging in transactions with them.
Financial institutions and other entities that engage in transactions with Lazarus Group may expose themselves to sanctions or enforcement actions.
5. Suex OTC - $1,040,000,000
What is Suex?
Suex is a Moscow-based over-the-counter (OTC) trading desk that specializes in cryptocurrency transactions. While the name might not ring a bell in the West, Suex and its founder, Egor Petukhovsky, are well-known figures in Russian crypto circles.
Suex was the first cryptocurrency exchange sanctioned by the US.
In September of 2021, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) added Suex and 25 affiliated cryptocurrency addresses to its Specially Designated Nationals (SDN) list. This effectively blacklisted the firm from the global dollar financial system. Suex had the dubious honor of being the first crypto business to receive this designation.
Financial Activities
According to data from Chainalysis, Suex was responsible for processing millions in criminal transactions. At least $13 million came from ransomware, and another $147 million was tied to other forms of illicit activity.
The Founder's Stance
Egor Petukhovsky, the founder of Suex, has publicly declared his innocence. He stated that neither he nor any business affiliated with him has ever engaged in illegal activity. Petukhovsky is determined to fight for his reputation in U.S. courts.
Moscow Presence
Petukhovsky was a regular attendee at crypto meetups and conferences in Moscow. Suex was considered a reliable counterparty, meaning it was trusted to handle large sums of money.
Clients often visited Suex's office in Moscow City, a prestigious business district, to conduct transactions in cash. The company's now-offline website even advertised payment options via Visa and Mastercard.
Sanctions Implications
As a result of the sanctions, all property and interests of Suex that fall under U.S. jurisdiction are blocked. U.S. persons are generally prohibited from engaging in transactions with them. Financial institutions that do so may expose themselves to further sanctions or enforcement actions.
4. Blender.io - $1,100,000,000+
What is Blender.io?
Blender.io is a virtual currency mixer operating on the Bitcoin blockchain. For those unfamiliar with the term, a "mixer" is a service that blends various cryptocurrency transactions to obscure their origin, destination, and involved parties. While the stated aim is to enhance privacy, mixers like Blender.io are often exploited for illicit activities.
The Sanctions
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on Blender.io. The service has been used by the Democratic People’s Republic of Korea (DPRK) to launder money and support its malicious cyber activities.
Blender.io was the first mixer sanctioned by the U.S., and it was soon followed by sanctions on Tornado Cash.
Chainalysis believes the sanctioning of these mixers is the cause of the significant drop in crypto sent to mixers in 2022.
The Heist
On March 23, 2022, the DPRK's state-sponsored hacking group, Lazarus Group, executed the largest virtual currency heist to date. They stole nearly $620 million from a blockchain project related to the online game Axie Infinity. Blender.io was instrumental in processing over $20.5 million of these illicit proceeds.
Illicit Activities
Since its inception in 2017, Blender.io has facilitated the transfer of more than $500 million worth of Bitcoin. It has been involved in laundering money for various Russian-linked ransomware groups, including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab.
3. Hydra - $6,810,000,000
What Was Hydra?
Hydra was a Russia-based darknet market, once dubbed by the U.S. Treasury's Office of Foreign Assets Control (OFAC) as the world's largest and most prominent darknet market. It offered a range of illicit services, including money laundering and ransomware operations.
The Shutdown and International Cooperation
On April 5, 2022, Hydra's operations were shut down in a coordinated effort by the U.S. and Germany. The U.S. Treasury Department sanctioned Hydra, while Germany announced the seizure of 543 bitcoin (BTC) worth about $25 million.
Interestingly, several known Hydra vendors migrated to OMG following Hydra's shutdown. This suggests that the two platforms may have operational similarities or even shared administrators.
OFAC's Findings
OFAC's investigation revealed that Hydra had more than 100 virtual currency addresses used for illicit transactions. About $8 million in ransomware proceeds flowed through Hydra's virtual currency accounts, including from notorious ransomware variants like Ryuk, Sodinokibi, and Conti.
The Scale of Illicit Activity
According to OFAC, roughly 86% of the illicit bitcoin received directly by Russian virtual currency exchanges in 2019 originated from Hydra. This underscores the platform's significant role in the darknet market.
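The laundering chains described for Karasavidi, Tian and Li, the 25 Suex addresses placed on the SDN list, and the "received directly from Hydra" figure above all reduce to the same compliance question a financial institution must answer before touching funds: how much of the value arriving at an address came from a designated address, either directly or through intermediate hops? The block below is an added example and is not code from the article, OFAC or Chainalysis; the designated addresses, the transfers and the 10% flagging threshold are constructed placeholders, and real screening would load the current SDN address list and on-chain data instead.

```python
"""Sanctions exposure screening over a constructed value-transfer graph.

Added example, not from the original article. For every address it computes
  * direct exposure:   value received straight from a designated address
  * indirect exposure: value that passed through intermediaries whose own
                       inflows were partly tainted, weighted by that share
  * tainted fraction:  tainted inflow / total inflow, propagated hop by hop
"""
from collections import defaultdict

# Constructed placeholder designations (real ones come from OFAC's SDN list).
DESIGNATED = {"sdn_addr_1", "sdn_addr_2"}

# Constructed sample transfers: (sender, receiver, amount in BTC).
TRANSFERS = [
    ("sdn_addr_1", "hop_a", 10.0),          # hop_a is half funded by a designated address
    ("clean_src", "hop_a", 10.0),
    ("hop_a", "exchange_deposit", 4.0),     # indirect exposure for the exchange
    ("sdn_addr_2", "exchange_deposit", 1.0),  # direct exposure for the exchange
    ("clean_src", "exchange_deposit", 5.0),
    ("hop_a", "hop_b", 16.0),               # a second hop before reaching an exchange
    ("hop_b", "other_exchange", 8.0),
]


def build_inflows(transfers):
    """Index transfers by receiver: receiver -> [(sender, amount), ...]."""
    inflows = defaultdict(list)
    for sender, receiver, amount in transfers:
        inflows[receiver].append((sender, amount))
    return inflows


def taint_fractions(transfers, designated, max_hops=5):
    """Propagate taint up to max_hops transfers away from designated addresses.

    Designated addresses are fully tainted (1.0). Every other address's taint
    is the value-weighted average of its senders' taint. Iterating max_hops
    rounds bounds how far indirect exposure is followed; on a DAG the loop
    stops early once nothing changes.
    """
    inflows = build_inflows(transfers)
    taint = {addr: 1.0 for addr in designated}
    for _ in range(max_hops):
        updated = dict(taint)
        for receiver, ins in inflows.items():
            if receiver in designated:
                continue
            total = sum(amt for _, amt in ins)
            tainted = sum(amt * taint.get(snd, 0.0) for snd, amt in ins)
            updated[receiver] = tainted / total if total else 0.0
        if updated == taint:
            break
        taint = updated
    return taint


def screen_address(address, transfers, designated, max_hops=5, threshold=0.1):
    """Report direct/indirect exposure and whether the address should be flagged."""
    inflows = build_inflows(transfers)
    taint = taint_fractions(transfers, designated, max_hops)
    ins = inflows.get(address, [])
    total = sum(amt for _, amt in ins)
    direct = sum(amt for snd, amt in ins if snd in designated)
    tainted_total = sum(amt * taint.get(snd, 0.0) for snd, amt in ins)
    fraction = taint.get(address, 0.0)
    return {
        "address": address,
        "total_inflow": total,
        "direct_exposure": direct,
        "indirect_exposure": tainted_total - direct,
        "tainted_fraction": fraction,
        # Any direct receipt from a designated address is a block/report event;
        # the threshold (constructed) governs how much indirect taint to tolerate.
        "flag": address in designated or direct > 0 or fraction >= threshold,
    }


if __name__ == "__main__":
    for addr in ("hop_a", "exchange_deposit", "other_exchange", "clean_src"):
        print(screen_address(addr, TRANSFERS, DESIGNATED))
```

With the constructed data, `exchange_deposit` shows 1.0 BTC of direct exposure and 2.0 BTC of indirect exposure (the 4.0 BTC from `hop_a`, of which half is tainted), while `other_exchange` has no direct exposure but is still flagged because half of everything it received traces back two hops to `sdn_addr_1`. Lowering `max_hops` to 1 makes that second-hop exposure invisible, which is exactly the blind spot that multi-account, multi-chain layering is meant to exploit.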
The Aftermath
After Hydra's shutdown, its inflows dropped to zero. However, its influence didn't completely vanish. Many of its users migrated to other platforms, continuing their illicit activities.
The shutdown of Hydra and the subsequent migration of its users to other platforms highlight the ongoing challenges in combating darknet markets and money laundering in the crypto space.
2. Tornado Cash - $8,740,000,000
What is Tornado Cash?
This Ethereum-based service was designed as a cryptocurrency tumbler, a tool that mixes potentially identifiable or "tainted" cryptocurrency funds with others to obscure their original source.
The service was accused of laundering more than $7 billion in virtual currencies, including $455 million believed to have been stolen in 2022 by the Lazarus Group, a hacking group associated with the North Korean government. Over 34% of funds sent to Tornado Cash came from illicit sources.
The service was governed through a decentralized autonomous organization (DAO) and used the $TORN token for voting on protocol updates.
Half of the funds originated from DeFi protocols, but a significant 18% came from sanctioned entities.
Non-Custodial Mixer
Tornado Cash was more than just a simple mixer; it was a smart contract mixer built on the Ethereum blockchain. This meant that it was non-custodial, giving users full control over their funds throughout the mixing process.
Moreover, as a DeFi (Decentralized Finance) protocol, Tornado Cash had a level of resilience against external intervention. Unlike centralized services, which can be shut down by authorities, Tornado Cash is decentralized, which lowers the effectiveness of sanctions. However, access has been made harder by the removal of the Tornado Cash platform and GitHub repository.
Questions remain on who could be held accountable for illicit activities facilitated by a decentralized platform.
Sanctions
However, the governance model couldn't protect it from legal repercussions. In May 2023, a hacker gained full control of Tornado Cash's DAO through a malicious proposal, further complicating its legal and operational status.
Two more developers, Roman Storm and Roman Semenov, were charged with assisting in money laundering in the amount of $1 billion and were arrested.
Tornado Cash saw a significant drop in inflows from almost every category post-sanctions, except for funds sent from scammers and mixing services. The inflows fell by 68% in the 30 days following its designation, making the mixer less effective for money laundering due to reduced funds.
1. Garantex - $15,700,000,000
What is Garantex?
Garantex is a high-risk cryptocurrency exchange based in Russia. Founded in late 2019 and originally registered in Estonia, the exchange moved most of its operations to Moscow. Despite being sanctioned for money laundering activities similar to those of Hydra, another Russian-based crypto exchange, Garantex continues to operate.
Garantex accounted for a majority of illicit crypto transfers in 2022. 6.1% of its inflows come from illicit sources. Analysis of known Garantex transactions reveals that over $100 million is associated with illicit actors and darknet markets.
The Sanctions
The U.S. Department of the Treasury sanctioned Garantex in April 2022, along with the Russian Hydra dark web marketplace. As the exchange is based in Russia, it can effectively keep operating with impunity, and its website is still publicly accessible.
As a result of the sanctions, all property and interests of Garantex under U.S. jurisdiction are blocked. U.S. persons are generally prohibited from engaging in transactions with them. Financial institutions and other entities that engage in transactions with Garantex may also expose themselves to sanctions or enforcement actions.
Current Day
The continued operation of Garantex, despite sanctions, underscores the challenges regulators face in combating cybercrime in the crypto space.
Because it is still operational, Garantex is still being used for illicit activities. Recently, $35 million from the Atomic Wallet hack has been traced back to Garantex.
However, not all of Garantex's funds may be from illicit activity. Many Russian citizens also use the exchange and contribute to its high trading volume.