Behind the Crypto Broker Accused of Enabling Ransomware Hackers
(Bloomberg) -- A cryptocurrency broker that the Biden administration considers a key cog in the recent ransomware epidemic is legally registered in the Czech Republic but doesn’t appear to have an office there. It may be operating out of Moscow’s tallest skyscraper despite not being listed at that address. It earned the distinction last month of being the first crypto exchange to be blacklisted by the U.S. as governments try to stem further attacks. And while it denies any part in the recent spate of cyber crimes, experts say it’s a prime example of a shadowy corner of the industry that has allowed hackers to thrive by giving them the means to launder millions of dollars in illicit digital proceeds through “nested” middlemen that tap larger exchanges to process transactions.
Suex OTC, a virtual currency exchange, is a transactions platform that allows cryptocurrency traders to buy and sell digital coins. It is accused by the U.S. of mixing legitimate digital currency trades with illegal transfers from ransomware gangs, allowing them to launder profits from the kind of attacks that have crippled hospitals, businesses, school districts and even a major U.S. fuel pipeline. The U.S. Treasury Department alleges that Suex has played an integral role helping criminal hackers clean and cash out their loot, mostly Bitcoin paid by ransomware victims, before converting it to a traditional currency.
“There is an illicit underbelly that’s formed in this ecosystem,” said Todd Conklin, counselor to the deputy secretary of the Treasury. “We haven’t yet cleansed the entire ecosystem and we’re definitely continuing to investigate other nested exchanges and mixers, like Suex.”
Since at least 2018, Suex has converted cryptocurrency holdings into cash inside brick-and-mortar offices in Moscow, St. Petersburg and possibly in the Middle East, according to Chainalysis Inc., a blockchain forensics firm specializing in following the movement of digital currencies whose clients have included U.S. federal agencies. Suex is legally registered in the Czech Republic but apparently doesn’t have an office there, according to Chainalysis. At the official address in a nondescript house in Prague’s old town, there’s a clothing store and antiques shops on the ground floor, and several residential units and a law firm. The law firm at the address where Suex is registered specializes in incorporation and corporate governance services. A person at the firm who answered a call from Bloomberg denied having any knowledge of Suex and hung up the phone.
The company does appear to be operating from Moscow’s 97-story Federation Tower East building, according to Chainalysis. There’s no public directory of tenants at the entrance, and the receptionist turns away anyone who hasn’t been invited. While, per the building’s management, Suex’s name isn’t listed at the address, a company called Art of Web -- which counts Egor Petukhovsky, Suex’s chief executive officer and largest shareholder -- is listed there.
Suex’s Petukhovsky didn’t respond to requests for comment. He denied in a recent Facebook post that he or his business helped launder money for hackers and vowed to “firmly defend my name in litigation” in the U.S. “I believe in independent justice and hope to come back to normal life as soon as possible,” he said. Other Suex officials couldn’t be located for comment.
With Suex added to the Treasury Department’s list of sanctioned entities, U.S.-based companies and individuals are prohibited from conducting any transactions with it. While these sanctions will likely do little to expose Suex to legal authorities half a world away, the Biden administration is hoping they may dissuade U.S.-based ransomware victims from quickly paying ransom to resolve their ordeal.
Brokers like Suex don’t typically build their own software systems to execute cryptocurrency trades. Instead, these operators trade on third-party crypto exchanges, which see only the broker’s deposits and not the broker’s underlying customers. The Treasury Department declined to identify which exchanges it believes Suex had utilized except to say “several.” Regulators globally have called for tighter enforcement and regulations requiring exchanges to collect data to identify their clients.
Suex has received at least $160 million in Bitcoin from illicit and high-risk sources since 2018, according to Chainalysis. If that figure is correct, roughly 40% of Suex’s known transaction history is linked to the activity of hackers, including nearly $13 million from two of the more infamous ransomware groups, Ryuk and Conti, according to Chainalysis.
Many of the ransomware groups have been traced to Russia and other countries that the U.S. says have provided safe haven for them. At a June summit, President Joe Biden warned Russian President Vladimir Putin about continued attacks, particularly on critical infrastructure. But the cyber gangs are still “operating in the permissive environment that they’ve created there,” U.S. Federal Bureau of Investigation Deputy Director Paul Abbate said earlier this month.
What’s unclear is the extent to which Suex is aware that it is being used to launder money, whether it is simply turning a blind eye to illegal behavior by failing to vet its customers carefully, or whether the U.S. made a mistake in branding Suex an illicit broker, as its CEO claims. While the company’s leadership denies any ties to cyber gangs and their illegal activity, Maxim Kurbangaleev, who described himself as Suex’s co-founder on LinkedIn, described how quickly customers can start trading “without the long and tedious sending of documents and passing endless checks.”
The post, which was provided by TRM Labs, a blockchain intelligence firm, has since been removed. It wasn’t clear when Kurbangaleev posted the statement.
Many services that work with exchanges conduct “know-your-customer” checks to verify customer identities; Suex doesn’t, said Ari Redbord, head of legal and government affairs at TRM Labs and a former federal prosecutor and Treasury official, who described Suex as a “parasitic exchange.” “The difference between those and Suex is that Suex is part of a shadow crypto economy that thrives on skipping appropriate compliance controls,” he said, adding that the sanctions against Suex show that “the U.S. government is going to go after the unregulated exchanges.”
Suex largely communicated with its clients via the Telegram app and accepted new customers on a system of referrals from trusted sources, according to TRM. Transactions were only completed at Suex’s offices, where, one ad bragged, customers would be treated to cookies and tea. Suex “appeared to deal almost exclusively in high-value deals -- its minimum acceptable transaction was $10,000,” says TRM. Suex then executed clients’ transactions on other exchanges, likely without those exchanges knowing where Suex was getting the funds.
Warning to Enablers
The U.S. actions against Suex follow other efforts to hold cryptocurrency brokerages accountable for illicit activity.
BTC-e was shuttered in 2017 after the U.S. accused Russian national Alexander Vinnik of supervising a platform that was being used by cyber criminals to move illicit digital proceeds anonymously and without vetting. BTC-e allegedly handled some Bitcoin traced to the same Russian hacking group implicated in hacking Democratic Party emails ahead of the 2016 presidential election, according to blockchain forensics firm Elliptic. Vinnik was extradited from Greece to France, where he was sentenced in December to five years in a French prison.
Chainalysis’s data indicates that Suex processed more than $50 million in illicit funds on behalf of BTC-e and its users following the BTC-e takedown, including some transfers as recently as this year.
Law enforcement agencies have long worried that cryptocurrency businesses could be used to launder money and for criminal purposes. But it turns out that most coins can be traced, because every transaction that happens outside a centralized exchange is recorded on a public digital ledger, typically called a blockchain. Regulators and law enforcement have been actively using blockchain forensics firms to catch bad actors across the globe. Suex was just the latest business to get caught.
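The tracing the paragraph above describes, and the “nested” broker-on-an-exchange pattern from earlier in the piece, can be shown on a toy ledger. The following is an added example, not Bloomberg’s text and not the method of Chainalysis, Elliptic or TRM Labs: the transactions, addresses, entity names and the sanctioned designation are all constructed for illustration, and the proportional attribution rule is one common heuristic among several that forensics firms use. It follows coins paid to a ransom address through intermediate hops into a nested broker’s deposit address and on to a larger exchange, diluting the tainted share where clean funds are mixed in, and then rolls the exposure up by entity.

```python
"""Trace ransomware proceeds across a constructed ledger and screen the
destinations against a constructed sanctioned-entity list.

Added example, not Bloomberg's or any forensics firm's code. Every address,
transaction and entity below is made up; 'proportional' attribution is one
heuristic, not the method of any specific firm."""
from collections import defaultdict

# Constructed ledger in chronological order: (txid, sender, receiver, amount in BTC).
LEDGER = [
    ("tx1", "victim_wallet", "ransom_addr", 10.0),
    ("tx2", "ransom_addr", "hop_a", 6.0),
    ("tx3", "ransom_addr", "hop_b", 4.0),
    ("tx4", "hop_a", "broker_deposit", 6.0),
    ("tx5", "hop_b", "merchant", 1.0),
    ("tx6", "hop_b", "broker_deposit", 3.0),
    ("tx7", "legit_customer", "broker_deposit", 9.0),   # clean funds mixed in
    ("tx8", "broker_deposit", "exchange_hot_wallet", 12.0),  # broker trades on the big exchange
    ("tx9", "merchant", "exchange_hot_wallet", 1.0),
]

# Constructed attribution of addresses to the entities that control them.
CLUSTERS = {
    "broker_deposit": "NestedBroker",
    "exchange_hot_wallet": "LargeExchange",
}
SANCTIONED = {"NestedBroker"}   # hypothetical designation, not a real listing


def trace_taint(ledger, source):
    """Return tainted BTC received per address, attributing proportionally.

    Every coin leaving `source` is tainted. For any other address, a spend
    carries taint in the same proportion that tainted inflow bears to total
    inflow at the time of the spend, so clean funds mixed in dilute the share.
    The ledger must be in chronological order for the running totals to hold.
    """
    tainted_in = defaultdict(float)
    total_in = defaultdict(float)
    for _txid, sender, receiver, amount in ledger:
        if sender == source:
            share = 1.0
        elif total_in[sender] > 0:
            share = tainted_in[sender] / total_in[sender]
        else:
            share = 0.0          # sender funded from nothing we have seen
        tainted_in[receiver] += amount * share
        total_in[receiver] += amount
    return {addr: v for addr, v in tainted_in.items() if v > 0}


def exposure_by_entity(ledger, source, clusters):
    """Roll tainted inflow up from addresses to the entities that control them."""
    per_entity = defaultdict(float)
    for addr, amount in trace_taint(ledger, source).items():
        per_entity[clusters.get(addr, "unattributed")] += amount
    return dict(per_entity)


def sanctioned_exposure(ledger, source, clusters, sanctioned):
    """Tainted BTC that reached any sanctioned entity (what an exchange's
    compliance screen would flag before accepting a deposit from the broker)."""
    return sum(v for entity, v in exposure_by_entity(ledger, source, clusters).items()
               if entity in sanctioned)


if __name__ == "__main__":
    for entity, amt in sorted(exposure_by_entity(LEDGER, "ransom_addr", CLUSTERS).items()):
        flag = " (SANCTIONED)" if entity in SANCTIONED else ""
        print(f"{entity:<14} {amt:6.2f} BTC{flag}")
```

Two points worth noting. The per-entity figures are “received” exposure, the same flavor as the article’s “$160 million from illicit and high-risk sources”: the same coins are counted at every hop they pass through, so the numbers are not meant to sum to the original ransom. And the large exchange ends up holding tainted value without ever seeing the ransom address, because the broker sits between them; that is exactly why the nested pattern matters for compliance and why screening a counterparty’s cluster, not just the immediate sending address, is the check an exchange wants.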
Despite Suex’s denial, the Treasury Department’s crackdown should, at least temporarily, narrow the illicit pipeline of digital currency transfers, according to Tom Robinson, co-founder of Elliptic.
“It means one less place for ransomware gangs to cash out their earnings, although there are still plenty of other ways they can still do that,” he said. “For crypto exchanges, it means that it’s even more critical to ensure that they are not laundering proceeds of crime. They now have the real prospect of being cut off from the mainstream financial system if they are enabling their actors.”
©2021 Bloomberg L.P.