What Federal Charges Against Bitzlato Mean for CybercrimeFeds Say a Firm Nobody's Heard of Was Part of a 'High-Tech Axis of Crypto Crime'
When the U.S. Department of Justice recently said it would announce a "major, international cryptocurrency enforcement action," observers in the Web3 community expected to see federal charges filed against the likes of well-known companies such as FTX, Genesis and Terra.
Instead, in a move applauded by security and regulatory experts in the space, the agency last week charged a lesser-known cryptocurrency figure, Anatoly Legkodymov - aka "Gandalf," the Russian founder of Bitzlato - with operating a "notorious" Hong Kong-based crypto exchange. Prosecutors say he facilitated more than $700 million in illegal activity on the massively popular and now-dismantled cybercrime marketplace Hydra.
Hydra and Bitzlato, the DOJ says, formed the "high-tech axis of crypto crime." Hydra buyers funded the purchase of stolen financial information and hacking services from crypto accounts hosted at Bitzlato. Those who sold these goods on Hydra used Bitzlato to launder money for illicit gains between 2018 and 2022, the announcement says.
While the DOJ said its move was "a significant blow to the crypto crime ecosystem," few outside the investigation agency teams, including perhaps Eastern District of New York authorities who misspelled Bitzlato in the downloadable complaint's file name, likely knew what the company did and why the federal action could be a win in the war against cybercrime.
Some in the Web3 community called the Bitzlato announcement a "nothing burger," but investigations into high-profile crypto cases and lesser-known entities aren’t mutually exclusive. Even though Bitzlato may not have been a household name, it was "one of the most significant actors in the Russian cybercrime ecosystem," says Andrew Fierman, head of sanctions strategy at Web3 analytics and security company Chainalysis.
Detangling Bitzlato's Connection with Cybercrime, Russia
Bitzlato is a cryptocurrency service that enabled cybercriminals -including ransomware attackers, scammers and illicit darknet market users - to launder "significant amounts" of money on its platform, according to Chainalysis.
A "large share" of the $2.5 billion Bitzlato received between 2019 and 2021 came from "risky" or illicit sources. Chainalysis, which categorized "risky" funds as those sent from cryptomixers, high-risk exchanges and services based in high-risk jurisdictions, says $206 million of the funds in the period came from darknet markets, $224.5 million from scams and $9 million from ransomware attackers.
Specifically, the virtual asset service provider had "significant operations" in Russia, offering crypto exchange and peer-to-peer services, the Financial Crimes Enforcement Network says. Bitzlato played a "critical" role in facilitating deposits and funds transfers for Russian ransomware groups, especially Conti. "FinCEN has documented numerous transactions between Conti-associated convertible virtual currency addresses and Bitzlato," it says.
Bitzlato served as a VASP that "ultimately enabled the profitability of ransomware attacks," FinCEN says. The platform facilitated transactions for Conti-affiliate ransomware strain Trickbot, Russian-speaking ransomware-as-a-service provider DarkSide, and Russia-connected darknet marketplaces BlackSprut, OMG!OMG! and Mega (see: Hydra Aftermath: Where Do Criminals Lurk Now?).
"Even if Bitzlato is not knowingly affiliated with DarkSide or other ransomware groups, FinCEN assesses that it provides an enabling environment for such ransomware criminals to utilize its services to cash out ransomware proceeds due to its minimal anti-money laundering and countering-the-financing-of-terrorism protocols, solidifying its reputation as a go-to CVC exchanger for such groups," it says.
Bitzlato's top receiving and sending counterparties were linked to darknet markets or scams between May 2018 and September 2022, according to FinCEN. Bitzlato's top three receiving counterparties, by total amount of BTC received in the period, were crypto exchange Binance, darknet market Hydra and alleged Russian Ponzi scheme Finiko, it says.
It appears that federal agencies shuttered several of Bitzlato's top illicit contributors over the years, including crypto exchanges Chatex and Garantex and cryptomixer Blender.io, as well as Hydra and Finiko.
Despite its larger illicit contributors being out of the picture, Bitzlato continued to service other players in the criminal ecosystem. Dismantling Bitzlato will disrupt the functioning of money laundering service providers, which will significantly affect the wider crypto crime ecosystem, Chainalysis says.
These services, FinCEN says, are "crucial" to cybercriminals associated with ransomware, crypto scams and darknet market sales. "If cybercriminals can't reliably convert the cryptocurrency generated by their activities into cash, the incentives to commit those crimes plummet," it says. "This also makes conducting illicit businesses more difficult and less profitable," Fierman added.
We must view the Bitzlato action through the lens of a broader effort to stop Russian illicit finance, particularly in the digital assets space, says Ari Redbord, a former senior adviser to the Department of the Treasury on money laundering and a contributor to ISMG. The Treasury Department, the DOJ and other law enforcement agencies in recent months took actions against Suex, Chatex and Garantex - all Russia-based, noncompliant exchanges that allowed the flow of illicit finance.
When viewed at a macro level, the seemingly separate actions, especially coupled with a seizure of the services' infrastructure, make it difficult for ransomware actors to cash out ill-gotten gains, which ultimately could disincentivize their illicit businesses, Fierman says.
"Essentially, the Bitzlato action was a continuation of what law enforcement has been doing for the last 18 months - going after the illicit underbelly of the overwhelmingly lawful crypto economy," says Redbord, currently the head of legal and government affairs at blockchain intelligence company TRM Labs.
The U.S. DOJ and the Treasury Department, along with French lawmakers and Europol, directly tied the Bitzlato action to the earlier takedown of Hydra, Redbord says.
As cryptocurrency is a cross-border market, cooperation among global law enforcement agencies is often a key element to successful takedowns and arrests, Fierman added.
"While it is more of a challenge when cybercriminals are based in jurisdictions like Russia, where law enforcement usually does not collaborate with U.S. law enforcement or other agencies, there may still be opportunities to impact these services, as we saw in the cases of Hydra and now Bitzlato," he says.
On its own, the action against Bitzlato marks the first-ever designation the Treasury Department made under section 9714(a) of the Combating Russian Money Laundering Act, which allows the agency to take severe action against a foreign financial institution to combat Russian money laundering, Redbord says. "Bitzlato is just the type of global cooperation anticipated in the White House framework for digital assets and sends a message to the broader crypto ecosystem that anti-money laundering controls are not optional, no matter where you operate," he says.