Ukraine arrests gang who ran 20 crypto-exchanges and laundered money for ransomware gangs

Gang is believed to have laundered more than $42 million in criminal proceeds.
Written by Catalin Cimpanu, Contributor
Image: Ukraine Cyber Police

Law enforcement in Ukraine has announced today the arrest of a cybercrime gang who ran 20 cryptocurrency exchanges where they laundered more than $42 million in funds for criminal groups.

The group, which authorities said had three members, has been operating from Ukraine's Poltava region since 2018. According to Ukrainian officials, the group has advertised its services on underground criminal forums, where they offered to convert cryptocurrency from criminal activities into fiat (real-world) currency for other groups, helping criminals launder their ill-gotten profits.

The arrests took place in late June, earlier this year, but new details have been released Aug. 18 in joint press releases by Binance and Ukraine Cyber Police. Binance, who collaborated in the investigation, said the group collaborated with ransomware gangs, and also spread ransomware themselves.

The Bulletproof Exchanger Project

The Aug. 18 arrest also marks the first fruits of "Bulletproof Exchanger," an internal Binance project that the company started earlier this year.

The project's goal is to identify hubs of malicious activity in the cryptocurrency ecosystem, track down the operators, and work with authorities to arrest and shut them down.

"'Bulletproof exchanger' is a general term used internally to refer to a high-risk exchanging service that serves as a cash-out point for criminal activity, such as ransomware," the Binance security team told ZDNet in an email last week.

"We kept running into exchangers like these in our day to day investigative work and historically rogue cashout points have played an important role in the underground criminal economy (i.e. BTC-E), which is why we decided to devote research efforts to study this problem," it said.

Acting on this decision, Binance said it began building a database of various signals and data sets earlier this year, such as user data, DNS records, open-source intelligence feeds, law enforcement requests, and blockchain analytics.

Help from TRM Labs

Once Binance had a full database at its disposal, the company partnered with TRM Labs, a blockchain analysis firm specialized in detecting fraud.

Binance said TRM Labs came in and combed through "a massive amount of blockchain transaction data to analyze and correlate with suspicious activity on [Binance's] platform" and eventually identify a first bulletproof exchanger and one of its clients, a ransomware gang.

"For this particular group, the strength of the signals which their accounts were eliciting gave us high confidence they were involved in nefarious activities and prompted the need for further investigation," the Binance security team said.

Leveraging a memorandum of understanding (MoU) the company signed with Ukrainian officials last year, Binance safely passed its findings to Ukrainian law enforcement, who began an investigation into the illegal exchanges and the group behind them earlier this year.

"Some cases can take years," the Binance security team told ZDNet. "It was a perfect storm in this case, and we were able to move very fast, approximately three months from the time the case was opened to the time of takedown."

Bulletproof Exchanger Project to continue

Binance says that its Bulletproof Exchanger Project will continue to operate going forward and that it hopes to track down similar criminal cash-out points and cybercrime groups in the near future.

"Fighting money laundering, ransomware, and other malicious activity is of critical importance to the well-being of the [cryptocurrency] community and industry growth," Binance said.

Europol’s top hacking ring takedowns

Editorial standards