Today, the U.S. Department of the Treasury is undertaking actions as part of a coordinated international effort to disrupt Russian cybercrime services. Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing an order that identifies PM2BTC—a Russian virtual currency exchanger associated with Russian individual Sergey Sergeevich Ivanov (Ivanov)—as being of “primary money laundering concern” in connection with Russian illicit finance. Concurrently, the Office of Foreign Assets Control (OFAC) is sanctioning Ivanov and Cryptex—a virtual currency exchange registered in St. Vincent and the Grenadines and operating in Russia. The FinCEN and OFAC actions are being issued in conjunction with actions by other U.S. government agencies and international law enforcement partners to hold accountable Ivanov and the associated virtual currency services.
“The United States and our international partners remain resolute in our commitment to prevent cybercrime facilitators like PM2BTC and Cryptex from operating with impunity,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. “Treasury, in close coordination with our allies and partners, will continue to use all tools and authorities to disrupt the networks that seek to leverage the virtual assets ecosystem to facilitate their illicit activities.”
Treasury’s actions aim to protect U.S. national security and the integrity of the U.S. financial system by cutting off illicit financial institutions from the U.S. market. These actions exemplify how Treasury is leveraging international cooperation and all available tools to counter the ransomware threat and target Russian illicit financial activity. The United States has pressed the Russian government to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.
A coordinated, international effort to combat russian illicit finance
In coordination with OFAC and FinCEN’s actions, other U.S. government agencies and foreign law enforcement partners are also taking related actions. The U.S. Secret Service’s Cyber Investigative Section, the Netherlands Police, and the Dutch Fiscal Intelligence and Investigation Service (FIOD) have seized web domains and/or infrastructure associated with PM2BTC, UAPS, and Cryptex. The U.S. Department of State has issued a reward offer up to $10 million through its Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Ivanov. Lastly, the U.S. Secret Service and the U.S. Attorney’s Office for the Eastern District of Virginia are unsealing an indictment of Ivanov and another Russian national, Timur Shakhmametov. These actions by U.S. and Dutch agencies were taken in partnership with Operation Endgame, a multinational coordinated cyber operation with European partners, to dismantle financial enablers of transnational organized cybercrime.
PM2BTC: A primary money laundering concern
FinCEN’s order identifying the virtual currency exchange PM2BTC, a virtual currency exchanger associated with Ivanov, as being of “primary money laundering concern” in connection with Russian illicit finance is made pursuant to section 9714(a) of the Combating Russian Money Laundering Act (as amended). The order is effective immediately and prohibits certain transmittals of funds involving PM2BTC by any covered financial institution.
As set out in the order, PM2BTC facilitates the laundering of convertible virtual currency (CVC) associated with ransomware and other illicit actors operating in Russia. PM2BTC provides direct CVC-to-ruble exchange services using U.S.-sanctioned financial institutions, otherwise facilitates sanctions evasion, and has failed to maintain a credible and effective anti-money laundering and know your customer (KYC) program. FinCEN found that nearly half of PM2BTC’s exchange activity had links to illicit activity, and correspondingly, that PM2BTC facilitates a substantially greater proportion of transactions with apparent links to money laundering activity in connection with Russian illicit finance as compared to 99 percent of other virtual asset service providers. FinCEN also determined that PM2BTC employs an unusual obfuscation that inhibits attribution of transactions to illicit activity and actors. The same technique has notably been used by several virtual currency exchanges of concern, some of which are sanctioned by OFAC.
The text of FinCEN’s order can be found here.
Cryptex And Ivanov: russian facilitators of cybercrime
Cryptex is a virtual currency exchange registered in St. Vincent and the Grenadines under the name “International Payment Service Provider” that provides financial services to cybercriminals and is operating in the financial services sector of the Russian Federation economy. Cryptex advertises its virtual currency services in Russian and has received over $51.2 million in funds derived from ransomware attacks. Cryptex is also associated with over $720 million in transactions to services frequently used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and OFAC-designated virtual currency exchange Garantex. OFAC is designating Cryptex pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757 (“E.O. 13694, as amended”), for being responsible for or complicit in, or for having engaged in, directly or indirectly, a cyber-enabled activity identified pursuant to E.O. 13694, as amended, and pursuant to E.O. 14024 for operating or having operated in the financial services sector of the Russian Federation economy.
Sergey Sergeevich Ivanov is an alleged Russian money launderer, who has laundered hundreds of millions of dollars’ worth of virtual currency for ransomware actors, initial access brokers, darknet marketplace vendors, and other criminal actors for approximately the last 20 years. Through various payment processing services, including one that does business under the name “UAPS,” Ivanov has served as the payment processor for various fraud shops, including OFAC-designated Genesis Market, whose website was taken down by law enforcement in 2023. Ivanov is currently associated with Cryptex. OFAC is designating Ivanov pursuant to E.O. 14024 for operating or having operated in the financial services sector of the Russian Federation economy.
OFAC’s designations follow several recent U.S. Treasury actions to combat Russia-based cyber criminals and further illustrates that Russia continues to offer safe harbor to such actors. These include the July 19, 2024 designation of two members of the Russian hacktivist group Cyber Army of Russia Reborn; the May 7, 2024 designation of Dmitry Khoroshev, also known as LockBitSupp, who is a leader of the LockBit ransomware group; and the February 20, 2024 designation of LockBit affiliates Ivan Kondratiev and Artur Sungatov. The individual and entity designated today facilitated transactions worth hundreds of millions of dollars for cybercriminals and cybercrime services, including ransomware actors and OFAC-designated darknet market Genesis Market.
SANCTIONS IMPLICATIONS
As a result of today’s action by OFAC, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.
Financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person. Foreign financial institutions that conduct or facilitate significant transactions or provide any service involving Russia’s military-industrial base run the risk of being sanctioned by OFAC. For additional guidance, please see the updated OFAC advisory, “Updated Guidance for Foreign Financial Institutions on OFAC Sanctions Authorities Targeting Support to Russia’s Military-Industrial Base,” as well as OFAC Frequently Asked Questions (FAQs) 1146-1157.
The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior.
For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here.
For more information on the individuals and entities that OFAC designated today, click here.
For questions on FinCEN’s order, please contact the FinCEN Resource Center at 1-800-767-2825 or electronically at frc@fincen.gov.