In a significant move to disrupt international cybercrime, the U.S. Department of Justice, in collaboration with global partners, has announced a series of coordinated actions targeting Russian money laundering operations. These operations are designed to convert illicit funds, often originating from cybercriminal activities, into U.S. dollars, thereby enabling and incentivizing further criminal actions. These decisive measures include the indictment of a Russian national for operating money laundering services for cybercriminals, and the seizure of websites linked to three cryptocurrency exchanges facilitating these illegal conversions.
“Today’s actions underscore our unwavering commitment to dismantling the financial infrastructure that supports malicious cyber actors,” stated Deputy Attorney General Lisa Monaco. She highlighted the indictment of two Russian nationals who allegedly amassed millions through sophisticated money laundering schemes, effectively fueling a global network of cybercriminals. Sergey Ivanov, one of the indicted individuals, is accused of facilitating money laundering for darknet drug trafficking and ransomware operations. Monaco also noted the successful shutdown of Cryptex, an illicit crypto exchange, in partnership with Dutch authorities, and the recovery of millions of dollars in cryptocurrency.
Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, emphasized that Cryptex and similar platforms provided a false sense of security to cybercriminals seeking to anonymously launder their ill-gotten gains. “The coordinated global actions, including the seizure of Cryptex domains, servers, and assets, serve as a clear warning: there is no safe haven online for cybercriminals. The Criminal Division remains dedicated to working with international partners to dismantle platforms that enable cybercrime and ensure they are no longer profitable.”
U.S. Attorney Jessica D. Aber for the Eastern District of Virginia reinforced this message, stating, “Cybercriminals’ pursuit of illegal funds leaves a trail that law enforcement will relentlessly follow. Their greed will lead us to their doorsteps, and justice will be served.”
Assistant Director Brian Lambert of the U.S. Secret Service added, “The Secret Service is steadfast in its pursuit of those engaged in criminal activity. We are grateful for the collaboration of our domestic and international partners in this case, as we continue to bring to justice those involved in transnational criminal activity.”
Unmasking the Money Laundering Networks: UAPS, PinPays, PM2BTC, and Cryptex
Court documents unsealed in the Eastern District of Virginia reveal the intricate details of these money laundering operations. Russian national Sergey Ivanov, known online as “Taleon,” faces charges of conspiracy to commit bank fraud and conspiracy to commit money laundering. For nearly two decades, Ivanov allegedly operated as a professional cyber money launderer, advertising his services on exclusive Russian-speaking criminal forums. His services, including payment systems like UAPS, PinPays, and PM2BTC, became go-to solutions for cybercrime marketplaces, ransomware groups, and hackers responsible for large-scale data breaches targeting major U.S. companies.
Image: Indictment document for Sergey Ivanov, a Russian national charged with conspiracy to commit bank fraud and money laundering.
Ivanov’s alleged schemes involved providing payment processing support to the carding website Rescator, which specialized in the illegal trade of stolen credit and debit card information. “Carding” refers to the illicit acquisition and trafficking of stolen financial data for fraudulent purposes. He also laundered proceeds from Joker’s Stash, another notorious carding website.
Cryptocurrency blockchain analysis has unveiled the staggering scale of Ivanov’s operations. Between July 2013 and August 2023, transactions linked to Ivanov’s alleged money laundering services reached approximately $1.15 billion in value. Alarmingly, around 32% of all Bitcoin traced to these addresses originated from cryptocurrency addresses associated with known criminal activities. This includes over $158 million from fraud proceeds, more than $8.8 million from ransomware payments, and approximately $4.7 million from darknet drug markets. The U.S. Secret Service has since obtained authorization to seize domains connected to UAPS and PM2BTC.
Rescator, the carding website Ivanov allegedly supported, was a hub for stolen payment card data from U.S. financial institutions and personally identifiable information (PII) of U.S. citizens. At one point, it advertised the sale of data from up to 40 million payment cards and the PII of roughly 70 million individuals stolen from a major U.S. retailer in 2013. This breach alone cost the victimized U.S. retailer at least $202 million and exposed millions of customers to identity theft.
Joker’s Stash and the Scale of Carding Operations
The indictment also names Russian national Timur Shakhmametov, known online as “JokerStash” and “Vega,” charging him with conspiracy to commit bank fraud, access device fraud, and money laundering. These charges are linked to his role in operating the infamous carding website Joker’s Stash and laundering its substantial proceeds. Joker’s Stash was one of the largest carding markets in history, offering data from approximately 40 million payment cards annually, totaling hundreds of millions of cards over its lifespan. Profit estimates range from $280 million to over $1 billion. Shakhmametov and his associates actively promoted Joker’s Stash and its illicit wares on numerous online cybercrime forums.
Image: Notice of seizure displayed on the JokerStash website, indicating law enforcement action against the illicit carding marketplace.
Cryptex: Anonymity for Cybercriminals and Conversion to Dollars
In a parallel operation, the U.S. Secret Service executed a seizure order against two domain names associated with the cryptocurrency money laundering exchange “Cryptex.net.” Court records reveal that Cryptex.net and Cryptex.one were central to the administration of Cryptex. This exchange attracted cybercriminals by offering complete anonymity, allowing users to register accounts without standard Know-Your-Customer (KYC) compliance requirements. Similar to UAPS and PM2BTC, Cryptex directly marketed its services to the cybercriminal community.
Blockchain analytics data shows that Cryptex processed over 37,500 transactions involving Bitcoin addresses linked to the exchange. These transactions totaled approximately 62,586 Bitcoin, valued at $1.4 billion at the time of transaction. Of this massive sum, around 31% (or $441 million) originated from cryptocurrency addresses linked to criminal conduct, including $297 million in fraud proceeds and over $115 million from ransomware payments. A further 9% ($162 million) came from cryptocurrency addresses associated with services frequently used by cybercriminals. Moreover, a concerning 28% of Bitcoin sent from Cryptex was directed to entities or darknet markets sanctioned by the United States.
The government’s seizure of these domains effectively prevents the operators and third parties from continuing to use these sites for money laundering, disrupting a key avenue for converting illicit Russian money to dollars. Visitors to these seized sites now encounter a message indicating federal government seizure.
International Cooperation and Further Actions
Dutch authorities played a crucial role in this international effort, seizing servers hosting PM2BTC and Cryptex. These servers, located around the world, have been taken offline, and the Dutch authorities have seized over $7 million worth of cryptocurrency from them.
In conjunction with these actions, other U.S. government agencies and foreign law enforcement partners are undertaking related measures. The U.S. Department of State has issued rewards of up to $11 million through its Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Ivanov and Shakhmametov, and others involved in their respective operations. The Treasury’s Financial Crimes Enforcement Network (FinCEN) has identified PM2BTC as being of “primary money laundering concern” related to Russian illicit finance. Simultaneously, the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Cryptex and Ivanov, further isolating them from the legitimate financial system.
These coordinated actions send a clear message that international law enforcement is actively working to dismantle the networks that enable cybercriminals to convert illicit gains, including Russian money, into usable dollars and other forms of currency. The ongoing investigations and collaborations promise to further disrupt these operations and bring those responsible to justice.
This case is under investigation by the U.S. Secret Service Cyber Investigative Section. The prosecution of Ivanov and Shakhmametov is being handled by the U.S. Attorney’s Office for the Eastern District of Virginia. The investigation into Cryptex is being managed by the Criminal Division’s Computer Crime and Intellectual Property Section and the U.S. Attorney’s Office for the District of Maryland. The Justice Department’s Office of International Affairs provided crucial assistance in these international collaborations.
Valuable assistance was also provided by the Netherlands Police, Dutch Fiscal Information and Investigation Service, the International Cooperation Department of the Central Criminal Police of the State Police of Latvia, Europol, the National Cyber-Forensics & Training Alliance, the German Federal Criminal Police Office, and the UK National Crime Agency, highlighting the global nature of this fight against cybercrime and money laundering.