Russian cybercriminals may be evading Ukraine war sanctions through crypto: Expert


Since Russia’s invasion of Ukraine, blockchain data platform Chainalysis has tracked just over $62 million worth of cryptocurrency sent from Russia-based whales (any private crypto wallet holding $1 million or more) to other addresses, marking an 8-month record in transfer levels during the first week of the invasion.

Some of these crypto payments were associated with over-the-counter (OTC) desks, Chainalysis Head of Research Kim Grauer told Al Arabiya English. An OTC desk acts as a dealer for anybody looking to trade a given asset and is generally used when a given trade would not be possible on exchanges.

“While spikes in this activity are common, Russian whale transfers hit their highest levels in roughly eight months during the week of February 28, soon after the invasion, reaching $26.5 million,” she said.

“On-chain activity alone can’t tell us if these transfers constitute sanctions evasion, as we don’t know if the whale wallets are controlled by sanctioned individuals and entities. However, we will continue to monitor these transactions and provide updates as possible.”

Grauer added that the firm has also seen the Ukrainian government call for donations in cryptocurrency.

“This is surprising both due to the levels of crypto-literacy, but also due to the efficient and low-cost means of transferring crypto.”

As of March 9, crypto enthusiasts across the world donated over $50 million worth of cryptocurrency to addresses provided by the Ukrainian government, not to mention hundreds of non-fungible tokens (NFTs) and donations to other charitable organizations accepting crypto. The amount could be much higher now, as the Russian invasion of Ukraine surpasses its first month.

“Those donations stand not just as an example of the community’s generosity, but also of cryptocurrency’s utility as a cross-border value transfer mechanism in a time of emergency. We have seen reports that the government has used the donated crypto to buy supplies, including gas, food, and military equipment.”

Both Russia and Ukraine are countries with very high levels of grassroots crypto-adoption, according to Grauer, with Ukraine ranking fourth in the world in the firm’s Global Crypto Adoption Index 2021.

“In the early days of the invasion, many suggested that cryptocurrency may be a means for Russians to avoid the impact of sanctions. The reality is, however, that as in the traditional financial system, the cryptocurrency ecosystem can put measures in place to detect and monitor transactions from identified sanctioned entities and individuals, making it much harder to evade sanctions undetected,” she warned.

As the invasion persists, cryptocurrency continues to play a huge role in the conflict amid sanctions from the West. Since the beginning of the invasion, Western allies have frozen the foreign currency assets of Russia’s central bank, banned key Russian banks and wealthy elites from hard currency transactions and put restrictions on several parts of its supply chain.

The West imposed sanctions on several Russian public figures and oligarchs in retaliation against the invasion in an effort to cripple Moscow’s economy.

The US and its allies are planning to impose new sanctions on Russian supply chains, Deputy US Treasury Secretary Wally Adeyemo said, according to a Reuters report.

Conti declared loyalty to Russian government

Conti, the most active ransomware group of 2021, according to Chainalysis, declared its loyalty to the Russian government on the second day of the Ukraine invasion, promising to launch cyberattacks against anyone who moves against Russia.

“The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the cybercriminal group declared in a blog post on February 25.

“Soon after, an unknown party [ContiLeaks] retaliated by leaking sensitive information on Conti, including the group’s internal chat logs, source code, and more. The US and its allies must stay on high alert for possible retaliatory cyberattacks from Russian cybercriminal groups like Conti, as President Joe Biden recently warned,” said Grauer.

Russian cybercrime: Darknet, money laundering, ransomware

Russian cybercriminals were very active prior to the invasion, with the majority of ransomware revenues being made by Russia-affiliated cybercriminals, Grauer told Al Arabiya English.

“We have also identified money laundering operations concentrating in Moscow City, specifically a tower called Federation Tower. This means criminals are not only carrying out attacks such as ransomware, but they are also successfully able to reintegrate those funds successfully into global markets through this money laundering operation,” she added.

“Russia is also home to the world’s largest darknet market, Hydra.”

Cybercrime traced to Russia before Ukraine invasion

Russian cybercriminals were not always after money, according to the Chainalysis head of research.

“Even before the invasion, there was evidence indicating that attacks being carried out by cybercriminals traced to Russia were not just financially motivated,” said Grauer.

“In cases where a ransomware strain contains no mechanism to collect payment or allow victims to recover their files, we can be more certain that money isn’t the attackers’ primary motivation. And that’s exactly what we saw in the January 2022 ransomware attack on Ukrainian government agencies by hackers believed to be associated with the Russian government.”

As outlined by the Computer Emergency Response Team of Ukraine (CERT-UA) on January 26, the attack, which occurred on January 13, left several government agencies unable to operate.

“The attack came against a backdrop of increasing tensions between the two countries. We saw a similar situation unfold in 2017, when tensions between the two nations were also running high,” she said in reference to the January 13 attack on Ukrainian government entities.

“At the time [of 2017 tensions], the Russia-based NotPetya ransomware strain, which contained no viable payment mechanism, targeted several Ukrainian organizations and was also widely judged to be a geopolitically motivated disruption attempt by the Russian military rather than a money-making effort,” she explained.
