Russia’s War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here’s How They’re Adapting

Recent sanctions, coupled with Russia's measures to tighten control over the flow of information and activity on the internet, have prompted threat actors to pursue a variety of financial workarounds.

April 21, 2022

Perfect storm: Sanctions and counter-sanctions 

Observed cash-out pivots, discussions

The takedown of Hydra, combined with the Russian authorities' attempts to establish firmer control over cryptocurrency flows, will likely change how cybercriminals move ill-gotten funds. Below are examples from discussions of cash-out techniques that Flashpoint has observed in recent months (February and March 2022), following Russia's invasion of Ukraine and the subsequent sanctions levied against Russia.

P2P cryptocurrency exchanges

Compromised or purpose-built accounts at these exchanges were used in cryptocurrency laundering operations even before the invasion. P2P exchanges can also serve to obscure the origin of the funds; the money can then be moved on to higher-risk exchanges that conduct business in Russia, or even to major exchanges such as Binance.

Conventional bank transfers

Because not every Russian bank currently falls under the international sanctions that block access to the SWIFT financial messaging system, it is still possible to transfer funds from Western financial institutions to certain banks in Russia, even if some threat actors may find it challenging to rebuild an existing cash-out network. Another workaround is routing transfers through banks located in third countries that have not joined the sanctions against Russian banks, such as Armenia, Vietnam, or China.

For example: in March, Flashpoint observed a money mule advertising their services on an illicit community. The offer included receiving money into a German bank account and paying it out not only in Bitcoin but also via Russian wire transfer.

UnionPay cards

UnionPay is the Chinese card network; after Visa and Mastercard suspended their Russian operations in early March, it remained one of the few international card schemes still usable from Russia. For example: a seller on a particular illicit community, whose business consists of selling payment cards used to transfer illicit gains, announced on March 28 that their offerings now included UnionPay cards.

Hunkering down

Because financial transactions to Russia have become more complicated, and out of fear of an impending crackdown on Russian-linked accounts at cryptocurrency exchanges, some threat actors have suggested turning to means of storing value for longer periods, including "cold" wallets (wallets that are not connected to the internet) and even gold.

For example, threat actors discussing the future of cryptocurrency cash-outs on a top-tier illicit community in early March mentioned cold wallets and decentralized exchanges as two ways to avoid having funds blocked or confiscated. On other forums, users suggested keeping funds in gold.

The Hydra effect

Sellers on the Hydra Marketplace, the largest Russian-speaking darknet market, continued offering traditional cash-out services as well as access to various P2P accounts until German law enforcement took down the market's servers on April 5, seizing roughly $25 million worth of cryptocurrency in the process. Following the takedown, discussion among members of illicit communities in Flashpoint's data collections focused on the traceability of transactions through Hydra and on the risks faced by users who had transferred money through the marketplace's sellers. Some also speculated that services offered on the market were used to evade sanctions, a claim that is difficult to independently verify.
