News

U.S. officials for the first time imposed sanctions on a cryptocurrency exchange Tuesday after the company allegedly helped the perpetrators of at least eight ransomware attacks launder their profits.

More than 40 percent of all transactions handled by Suex, a Czech Republic-incorporated platform for customers seeking to exchange Bitcoin, Ethereum and other cryptocurrencies for other forms of digital token as well as for government-issued banknotes, involved illicit proceeds, the Treasury Department’s Office of Foreign Assets Control said Tuesday.

Since February 2018, cyberthieves and ransomware perpetrators have deposited more than $160 million in bitcoins into digital wallets that Suex held at large regulated exchanges, according to a review by Chainalysis, a blockchain analytics firm that supported OFAC’s investigation.

The company’s business model appears to consist of helping clients convert their cryptocurrencies into government banknotes only in person, primarily at its brick-and-mortar locations in Moscow and St. Petersburg, according to the review.

“Suex is also found to have received over $50 million worth of Bitcoin sent from addresses hosted at illicit cryptocurrency exchange BTC-e from 2018 through 2021, well after BTC-e was shut down by U.S. authorities for its own money laundering activity on behalf of cybercriminals,” Chainalysis found.

The company claims on LinkedIn to operate as “licensed crypto broker” in the EU. That claim could not be verified by press time, but Chainalysis and TRM Labs, a blockchain analytics firm in San Francisco, have assessed that the firm’s corporate presence in the Czech Republic is only a front for the virtual and brick-and-mortar commerce it conducts from Russia and elsewhere.

Suex has affiliates in disparate locales such as Estonia in the Baltics and St. Vincent in the Caribbean, and lists high-profile Russian and Czech shareholders as owners, including Egor Petukhovvsky, who also holds interest in a second exchange that shares “extensive corporate and legal” ties to the platform, according to a Sept. 21 analysis by TRM Labs.

It primarily acts as a secretive, “concierge” cryptocurrency broker that onboards clients only after receiving a personal referral, communicates with them through the encrypted messaging platform Telegram and only handles transactions of $10,000 or more in value, TRM Labs found.

Rather than maintain direct custody of cryptocurrency deposited by clients, the exchange appears to piggyback on the technology and liquidity of witting or unwitting global exchanges to serve its own customers without conducting due diligence on them, Ari Redbord, head of legal and government affairs at TRM Labs, told ACAMS moneylaundering.com.

“This action sends a message to larger exchanges, and the banks that serve them, to be careful that nested, ‘parasite’ platforms do not exploit their infrastructure to funnel ransomware payments or other illicit transactions,” said Redbord, a former federal prosecutor who also served as a senior advisor at the Treasury Department before joining TRM Labs in October of last year.

OFAC said Tuesday that exchanges such as Suex play a “critical” role within an underground global financial ecosystem that helps cybercriminals profit from ransomware payments, which according to the agency quadrupled from 2019 to more than $400 million last year.

Suex alone received $13 million in Bitcoin deposits from the perpetrators of the Ryuk, Conti, Maze and other ransomware attacks since February 2018, according to Chainalysis, and another $45 million from cyberfraudsters and darknet markets during that period.

In tandem with Tuesday’s designation of Suex, OFAC updated guidance first issued in October 2020 to further underscore that parties caught assisting, sponsoring or providing financial, material or technological support to ransomware attacks also expose themselves to sanctions.

Contact Valentina Pasquali at vpasquali@acams.org