Ransomware money laundering operation disrupted, founder arrested

The US Department of Justice (DOJ) has released information about the arrest of Anatoly Legkodymov, the founder and majority owner of a cryptocurrency exchange called Bitzlato, on money laundering charges. Legkodymov, a Russian national who lives in China, is accused of processing over $700 million of illicit funds.

The US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) also issued an order that identifies Bitzlato as a “primary money laundering concern” in connection with Russian illicit finance.

The exchange is thought to have fueled crypto-related crimes like ransomware by helping cybercriminals launder illegally obtained money.

As stated by Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division:

As alleged, the defendant helped operate a cryptocurrency exchange that failed to implement required anti-money laundering safeguards and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking.

Bitzlato’s largest counterparty in cryptocurrency transactions was Hydra, a Russian language dark web marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services.

What made Bitzlato popular among criminals was the fact that it marketed itself as requiring minimal identification from its users. Where other exchanges require users to submit selfies and official IDs, Bitzlato said this was not required, and allowed “straw man” registrants. According to the DOJ, these deficient know-your-customer (KYC) procedures allegedly made Bitzlato a haven for criminal proceeds and funds intended for use in criminal activity.

Bitcoin—the most popular cryptocoin used in cybercrime—is pseudonymous, meaning that transactions between entities are public and easy to trace, but the identity of the entities is hidden behind numeric addresses. If law enforcement can identify the owner of a bitcoin address, they can see every transaction that person has made. As a result, some countries insist that exchanges take identifying information from customers when they open an account, so that their transactions can be attributed to a real identity easily.
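The following is an added illustration, not part of the original article, of the point above: a blockchain ledger is public, so an investigator can walk the transaction graph from any address of interest, but only a KYC record (address to verified identity) turns a reached address into a person. The ledger entries, addresses, transaction ids and customer records below are all constructed for the example and have no relation to the Bitzlato case.

```python
"""Toy model of pseudonymous ledger tracing and the role of KYC records.

All data here is constructed for illustration; none of it is real chain data.
"""
from collections import deque

# Constructed public ledger: (txid, input addresses, [(output address, amount), ...]).
# On a real chain this information is visible to anyone; what is NOT public is
# which person controls each address.
LEDGER = [
    ("tx1", ["addrA"], [("addrB", 5.0), ("addrA2", 1.0)]),
    ("tx2", ["addrB"], [("addrC", 3.0), ("addrD", 2.0)]),
    ("tx3", ["addrD"], [("addrE", 2.0)]),
    ("tx4", ["addrX"], [("addrY", 9.0)]),  # unrelated flow, should not be reached from addrA
]

# Constructed KYC records as an exchange with proper procedures would hold them:
# address -> verified identity. An exchange with deficient KYC has no such
# records (or only "straw man" entries), which is what breaks attribution.
KYC_RECORDS = {
    "addrE": "Customer #1042 (ID verified)",
    "addrY": "Customer #2210 (ID verified)",
}


def build_graph(ledger):
    """Map each spending address to the addresses it paid, with amount and txid."""
    graph = {}
    for txid, inputs, outputs in ledger:
        for src in inputs:
            for dst, amount in outputs:
                graph.setdefault(src, []).append((dst, amount, txid))
    return graph


def trace_forward(ledger, seed):
    """Follow funds from `seed` through every downstream transaction (breadth-first).

    Returns the hops as (from_addr, to_addr, amount, txid) in visiting order.
    This is the "public and easy to trace" half of pseudonymity.
    """
    graph = build_graph(ledger)
    seen = {seed}
    queue = deque([seed])
    hops = []
    while queue:
        addr = queue.popleft()
        for dst, amount, txid in graph.get(addr, []):
            hops.append((addr, dst, amount, txid))
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return hops


def attribute(hops, kyc):
    """Return only those downstream addresses a KYC record ties to a real identity.

    This is the half that depends on exchanges actually collecting identification:
    with an empty or fake KYC table, the trace ends at an anonymous address.
    """
    return {dst: kyc[dst] for _, dst, _, _ in hops if dst in kyc}


if __name__ == "__main__":
    path = trace_forward(LEDGER, "addrA")
    for src, dst, amount, txid in path:
        print(f"{txid}: {src} -> {dst} ({amount})")
    print("attributable with KYC:", attribute(path, KYC_RECORDS))
    print("attributable without KYC:", attribute(path, {}))
```

Running it shows five hops from `addrA` ending at `addrE`, which resolves to a verified customer only when the KYC table is populated; the same trace against an empty table yields nothing, which is the gap an exchange with deficient KYC leaves for investigators.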

The lax procedures at Bitzlato would have given its users peace of mind that any illicit transactions couldn’t be traced back to them, since they were able to use stolen identities to register their accounts.

To reassure its users, Bitzlato issued a statement saying it suffered a minor hack:

Our service was hacked, part of the funds was withdrawn from the service.

We ask you DO NOT REPLENISH our service during the proceedings!

Withdrawals will also be suspended indefinitely.

The Bitzlato Team.

It later added:

We want to inform you that the funds are completely safe.

The attackers were able to withdraw a small part of the funds, but for all victims, we guarantee a refund!

As a security measure, we have disabled the service, we ask you not to replenish the wallets of our service until the work is restored.

The Bitzlato website was replaced by a notice saying that the service had been seized by French authorities as part of a coordinated international law enforcement action.

While Bitzlato is far from a leading name among cryptocurrency exchanges, according to Chainalysis it is one of the major cryptocurrency businesses with a presence in Moscow City that have facilitated the most money laundering.

FinCEN said:

Bitzlato plays a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware actors operating in Russia, including Conti, a Ransomware-as-a-Service group that has links to the Government of Russia.

While the crypto-exchange claimed not to allow users from the United States to register accounts, prosecutors said Bitzlato knowingly serviced US customers and conducted transactions with US-based exchanges using US online infrastructure. For at least some period of time, it was being managed by the defendant while he was in the United States.
