On April 5, 2022 the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced sanctions against “the world’s largest and most prominent darknet market, Hydra Market” and Garantex, a virtual currency exchange registered in Estonia but operating in Moscow and St. Petersburg, Russia.
The sanctions are part of a larger initiative targeting Russian cybercrime that spans across multiple federal departments—including the U.S. Department of Justice, Federal Bureau of Investigation, Drug Enforcement Administration, Internal Revenue Service Criminal Investigation, and Homeland Security Investigations—and across the globe—including international partners like the German Federal Criminal Police and Estonia’s Financial Intelligence Unit. The sanctions follow September and November sanctions of SUEX OTC, S.R.O. and CHATEX, two virtual currency exchanges operating out of Moscow that allegedly facilitated transactions for ransomware actors. SUEX was the first virtual currency exchange subject to OFAC sanctions (and the subject of a previous post).
While ostensibly focused on closing another avenue for ransomware purveyors to profit off of their wares, the sanctions may also cut off all types of cybercriminals who allegedly find “a haven” in Russia and used Hydra or Garantex.
Darknets and Ransomware
A darknet is an “Internet-based network” that is accessed through particular software. Darknets enhance anonymity. Markets running on darknets often offer illegal goods and services and facilitate payment almost exclusively through virtual currency. For example, in 2015, the U.S. Attorney’s Office for the Southern District of New York was successful in convicting Ross Ulbricht, the alleged creator and owner of the Silk Road (a darknet market), on a number of criminal charges (including money laundering). The Silk Road infamously sold everything from illegal drugs to fake identification documents and hacking services. At the time, $1 million worth of Bitcoin was seized. Some darknet markets now facilitate the sale of “ransomware-as-a-service” (“RaaS”) whereby ransomware developers sell or license their ransomware to others.
As we blogged previously, ransomware has been a top enforcement priority for OFAC and the Financial Crimes Enforcement Network (“FinCEN”). OFAC has focused recently on guidance for the virtual currency industry on how to address sanctions-related risk and FinCEN noted a troubling jump in ransomware-related Suspicious Activity Reports (“SARs”). It appears that OFAC has continued its focus not only on suspected cybercriminals but also on the entities that permit cybercriminals to profit from their activities and launder the proceeds. That focus is evident with the designation of Hydra and Garantex.
Hydra, launched in 2015, is the “most prominent Russian darknet market.” Goods and services offered range from ransomware and hacking services to stolen personal information to counterfeit currency and illicit drugs. Buyers often used virtual currency. Hydra’s profits rose dramatically from 2016 to 2020, from $10 million to $1.3 billion. A Department of Justice press release estimated that the market received approximately $5.2 billion in cryptocurrency since 2015. OFAC determined that the growth was “enabled by Hydra’s association with Russian illicit finance.”
According to the DOJ, “vendors” on Hydra “offered a robust array of money laundering and so-called ‘cash-out’ services” as well as “an in-house mixing service.” These services permitted users to convert virtual currency to cash or otherwise obscure the source of virtual currency tied to illicit activity. The DOJ reports that “Hydra’s money laundering features were so in-demand that some users would set up shell vendor accounts for the express purpose of running money through Hydra’s bitcoin wallets as a laundering technique.”
OFAC also determined that Hydra served as a major market for stolen Bitcoin and as a hub for the proceeds of ransomware attacks, including from the Ryuk, Sodinokibi, and Conti ransomware variants. OFAC calculated that approximately $8 million in ransomware proceeds passed through Hydra and 86% of all stolen Bitcoin on Russian exchanges was sold on Hydra.
As a result of international efforts, Hydra’s servers in Germany have been shut down and approximately $25 million in Bitcoin was seized. According to Elliptic, a blockchain analysis company, this appears to be the fall of the darknet market leader. Elliptic’s estimates show Hydra facilitated well over $100 million more in Bitcoin transactions per month than the next largest darknet market. The Department of Justice also announced criminal charges against Dmitry Olegovich Pavlov, a Russian resident, for conspiracy to distribute narcotics and to commit money laundering by allegedly administering the hosting of Hydra’s servers, thereby providing “the critical infrastructure that allowed Hydra to thrive in a competitive darknet market environment.”
Garantex, founded in 2019, is a virtual currency exchange operating out of Moscow and St. Petersburg that was formerly licensed in Estonia. OFAC believes that certain operations were carried out at Federation Tower in Moscow, the same location where SUEX and CHATEX allegedly operated. OFAC estimates that approximately $100 million in transactions on Garantex were connected to illicit actors and darknet markets. Of that $100 million, OFAC connected $6 million to the “Russian RaaS gang Conti” and $2.6 million to Hydra.
Although Garantex is still in operation, Estonia’s Financial Intelligence Unit (in coordination with the U.S. Treasury Department) revoked its licensing after determining there were “critical AML/CFT deficiencies” and that “wallets were used for criminal activity.” OFAC claims that Garantex “continues to provide services to customers through unscrupulous means.”
Emphasizing the importance of AML to the virtual currency industry, the Treasury Department’s press release declares:
Russia is a haven for cybercriminals. Today’s action against Hydra and Garantex builds upon recent sanctions against virtual currency exchanges SUEX and CHATEX. . . . Treasury is committed to taking action against actors that, like Hydra and Garantex, willfully disregard anti-money laundering and countering the financing of terrorism (AML/CFT) obligations and allow their systems to be abused by illicit actors. Wanton disregard for regulations and compliance by persons that run virtual currency exchanges will be rigorously investigated, and where appropriate, perpetrators will be held accountable. Additionally, the United States urges the international community to effectively implement international standards on AML/CFT in the virtual currency area, particularly regarding virtual currency exchanges. The virtual currency industry has a critical role to play in implementing appropriate AML/CFT and sanctions controls to prevent sanctioned persons and other illicit actors from exploiting virtual currencies to undermine the national security of the United States and our partners.
Both Hydra and Garantex have been designated by OFAC. OFAC’s Specially Designated Nationals List (the “SDN List”) was also updated with over 100 new virtual currency wallet addresses. While a few addresses relate to Garantex, the vast majority relate to Hydra. According to OFAC, those addresses have been linked to “illicit transactions.”
It remains unclear whether the sanctions are more appropriately categorized as part of the whole-of-government approach to ransomware announced by the White House on October 13, 2021 or whether these sanctions are in some way tied to the sanctions stemming from Russia’s invasion of Ukraine. Whether or not explicitly connected, these sanctions limit the avenues for illicit actors to profit off of illicit activity through virtual currencies. They also deal a blow to the world’s largest darknet market and a third Russian virtual currency exchange. Both permitted users to convert virtual currency to fiat (and vice versa) and possibly spirit funds outside of Russia and evade European and U.S. sanctions.
April 6, 2022 Published by The Money Laundering News.