Russia’s War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here’s How They’re Adapting￼
Perfect storm: Sanctions and counter-sanctions
Sanctions introduced against Russia in the wake of the 2022 Russian invasion of Ukraine—coupled with capital controls introduced by the Russian Central Bank to counter them—have affected opportunities for cybercriminals to transfer financial resources (e.g. profits from criminal schemes) between Russia and Western countries, though not cut them off entirely.
The situation has been further impacted by the takedown of Hydra, which had emerged as an outlet for threat actors offering cryptocurrency laundering services and tools.
This, coupled with other measures that Russia has taken gain firmer control over its internet infrastructure, has challenged the status quo between Russian cybercriminals and the country that turns a blind eye to, or supports, their illicit activities. It has also prompted threat actors to pursue workarounds to transfer funds between Russia and other countries, either through novel means or by recalibrating existing cash-out methods—as well as scramble for safety.
Observed cash-out pivots, discussions
The takedown of Hydra combined with the Russian authorities’ attempts to establish a firmer control over cryptocurrency flows will likely lead to changes in how cybercriminals transfer ill-gotten funds. Below are examples from discussions about cash-out techniques Flashpoint has observed in the recent months (February and March) since Russia’s invasion of Ukraine and the subsequent levying of sanctions against Russia.
P2P cryptocurrency exchanges
Compromised or specifically set up accounts at these exchanges had been used in cryptocurrency laundering operations even before the invasion. The role of P2P exchanges in these transactions could also be to obfuscate the origin of the funds and the money then could be sent to risky exchanges, which conduct business in Russia, or even major exchanges, such as Binance.
There is a baseline interest in stablecoins as a stable storage of value, means of money laundering and alternative access to US dollars, but after an initial increase in ruble trades in the tether (USDT) stablecoin, Flashpoint analysts did not observe an significant spike in interest in them in the context of the war. Analysts have observed discussions about stablecoins such as USDT and DAI being used as a means to transfer US dollars out of Russia in order to circumvent the currency controls put in place by the Central Bank of Russia, which forbid Russians from transferring money to accounts abroad and limit USD withdrawals to $10,000. These techniques are likely relevant to IT professionals, many of whom are reportedly leaving Russia for an extended period of time.
Conventional bank transfers
Since not every Russian bank presently falls under international sanctions blocking access to the SWIFT financial communication system, it is still possible to transfer funds to certain banks in Russia from Western financial institutions, even if certain threat actors may find it challenging to rebuild an existing cash-out network. Another workaround is using transfers through banks located in third countries that have not joined sanctions against Russian banks, such as Armenia, Vietnam or China.
For example: Flashpoint observed a money mule advertising their services on an illicit community in March, which included receiving money in a German bank account and doing not only Bitcoin, but also Russian wire transfers in turn.
Initially, Flashpoint analysts have observed increasing interest in UnionPay cards. UnionPay, a Chinese payment system has emerged as an alternative to Western-based credit card companies, which have suspended activity in Russia, though recent reports suggested that the Chinese system is wary of cooperating with Russian banks. While Western-based cards that were issued before the sanctions will still work, cash-out schemes that rely on issuing new cards may pivot to UnionPay cards if these are available.
For example: A seller in a particular illicit community, whose activity consists of selling credit cards for the purposes of transfers of illicit gains, announced on March 28 that their offers now included UnionPay cards.
Due to financial transactions to Russia becoming more complicated and fear of an impending crackdown on Russian-linked accounts via cryptocurrency exchanges, some threat actors have suggested turning to means enabling them to store value for a longer period of time, including “cold” wallets (wallets that are not connected to the internet) and even gold.
For example, threat actors discussing the future of cryptocurrency cash outs on a top-tier illicit community in early March mentioned cold wallets and decentralized exchanges as two ways to avoid funds being blocked or confiscated. On other forums, users suggested keeping funds in gold.
The Hydra effect
Sellers on the Hydra Marketplace, the biggest Russian-speaking darknet market, continued offering traditional cash-out services as well as access to various P2P accounts until the market’s servers were taken down by German law enforcement on April 5, who also seized $25M worth of cryptocurrency in the process. Following the takedown, discussion between members of illicit communities in Flashpoint data collections focused on the traceability of transactions through Hydra and the risks that users who transferred money through sellers of the marketplace face, rumoring also that the services offered on the market were used to evade sanctions. This is difficult to independently verify.
Analysts assess with moderate confidence that the takedown of Hydra Market will cause a marked disruption in cryptocurrency-based cash-out operations. Prior to the takedown, the market was emerging as a hub of cash-out services, a reaction to increased KYC and AML requirements of cryptocurrency exchanges. Even though these services can survive outside of Hydra, the uncertainty regarding law enforcement access to past transaction details will likely reduce the clientele of services that formerly operated on Hydra, in the short term. At this point it is unclear where Hydra’s money laundering providers will end up, as sellers of the marketplace’s main product type—narcotics—have not yet settled on one specific platform either.
Get Flashpoint intelligence by your side
Any organization’s security capabilities are only as good as its threat intelligence and risk remediation program. Flashpoint’s suite of tools offer you a comprehensive overview of your threat landscape and the ability to proactively address risks and protect your critical data assets. To unlock the power of great threat intelligence, sign up for a demo or get started with a free trial today.