
US Treasury Takes Coordinated Actions Against Illicit Russian Virtual Currency Exchanges and Cybercrime Facilitators PM2BTC and Cryptex

Today, the U.S. Department of the Treasury announced a comprehensive and coordinated international action targeting Russian cybercrime services. Through actions spearheaded by the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC), Treasury is taking aim at key facilitators of illicit finance, specifically focusing on virtual currency exchanges and individuals closely linked to Russian actors. These actions target entities involved in ransomware, sanctions evasion, and other criminal activities conducted via virtual currencies.

FinCEN used its authority under the Combating Russian Money Laundering Act, as amended by the National Defense Authorization Act (NDAA) for Fiscal Year 2022, to issue an order designating PM2BTC as a “primary money laundering concern,” pursuant to Section 9714(a). Concurrently, OFAC utilized Executive Orders 13694 and 14024 to sanction Sergey Sergeevich Ivanov and Cryptex, a virtual currency exchange registered in St. Vincent and the Grenadines but operating out of Russia.

In addition to Treasury’s actions, the U.S. Department of State announced rewards of up to $10 million each for information leading to the arrests or convictions of Sergey Ivanov and Timur Shakhmametov, who are accused of participating in transnational organized crime. Separate rewards of up to $1 million are also being offered for information identifying other leaders of the Joker’s Stash criminal marketplace, as well as key figures in the UAPS, PM2BTC, and PinPays transnational criminal groups.

The Department of Justice also took action, announcing charges against two Russian nationals, Ivanov and Timur Shakhmametov. According to DOJ, Ivanov, also known as "Taleon," and Shakhmametov, known as "JokerStash," allegedly provided critical financial support for various cybercrime operations, including ransomware groups, darknet drug traffickers, and the infamous carding website Joker’s Stash. Ivanov's services, including the illicit cryptocurrency exchanges UAPS, PinPays, and PM2BTC, processed over $1.15 billion in cryptocurrency transactions, a substantial portion of which were tied to criminal activities.

Shakhmametov, the creator of Joker’s Stash, facilitated the sale of stolen payment card data, contributing to hundreds of millions in financial losses. The website became one of the largest carding markets in history. Concurrent with these charges, the U.S. government seized multiple domains associated with Cryptex and other illicit crypto exchanges that laundered funds for cybercriminals.

The operation included Dutch authorities, the Financial Information and Investigation Service (FIOD) and the National High Tech Crime Unit (NHTCU) of the Netherlands Police, who, in coordination with the US Secret Service, took down servers hosting PM2BTC and Cryptex and seized cryptocurrency worth 7 million euros. Both exchanges had infrastructure based in the Netherlands and were intertwined in criminal activities.

Action Against PM2BTC: Designation as a Primary Money Laundering Concern

FinCEN has identified PM2BTC, a Russian-linked virtual currency exchanger, as a primary money laundering concern due to its involvement in Russian illicit finance. Operated by Sergey Sergeevich Ivanov, PM2BTC plays a crucial role in facilitating ransomware payments, fraud schemes, and sanctions evasion. According to FinCEN’s findings, nearly 50% of PM2BTC’s operations are tied to criminal activities, and the exchange uses sophisticated obfuscation techniques to evade detection by law enforcement.

PM2BTC’s direct conversion of CVCs into Russian rubles has made it a preferred platform for cybercriminals such as the Conti and Trickbot ransomware groups. 

According to TRM, PM2BTC's obfuscation techniques and ties to sanctioned Russian financial institutions have exacerbated its role in laundering criminal proceeds. FinCEN’s order prohibits U.S. financial institutions from engaging in any transactions involving PM2BTC, effectively severing its access to the U.S. financial system.

Prior to today’s special measures against PM2BTC, FinCEN had only used this authority to designate non-compliant Hong Kong-registered cryptocurrency exchange Bitzlato for its connection to Russian illicit finance - particularly, ransomware and darknet markets.

Cryptex: Facilitating Russian Cybercrime at Scale

In conjunction with FinCEN’s actions against PM2BTC, OFAC has sanctioned Cryptex, a virtual currency exchange that is registered in St. Vincent and the Grenadines but predominantly operates within Russia. OFAC’s sanctions, imposed under Executive Orders 13694 and 14024, target Cryptex for its involvement in laundering over $51.2 million from ransomware operations and processing $720 million in transactions linked to various cybercriminal enterprises. Cryptex’s services are frequently used by entities connected to Russian ransomware groups, including Garantex and other mixing services that facilitate fraud and darknet market transactions.

According to TRM, CryptexPay, a payment processor associated with Cryptex, is a key facilitator of illicit financial flows within the dark web ecosystem. CryptexPay’s advanced anonymization techniques, including generating new wallet addresses for each transaction and mixing deposits, make it a favored tool for criminals seeking to obfuscate their financial activities. This dual role of processing both legitimate and illicit transactions places CryptexPay in a critical position within the global cybercrime ecosystem.

Sergey Sergeevich Ivanov: A Central Figure in Russian Cybercrime

Sergey Sergeevich Ivanov is a central figure in the cybercriminal ecosystem connecting PM2BTC, Cryptex, and UAPS (PinPays). Ivanov has been involved in laundering hundreds of millions of dollars for ransomware actors, initial access brokers, and other criminal enterprises for nearly two decades. His role as a payment processor for various fraud shops, including Genesis Market, which was taken down by law enforcement in 2023, underscores his deep involvement in Russian cybercrime.

OFAC’s sanctions against Ivanov under Executive Order 14024 aim to curb his ability to facilitate illicit financial flows within the Russian Federation and beyond. Ivanov’s extensive network of virtual currency exchanges and payment processors has allowed him to operate with relative impunity, helping cybercriminals launder funds from ransomware operations and evade international sanctions.

The Role of PinPays and UAPS: Interconnected Dark Web Payment Networks

Further complicating this web of illicit finance, according to TRM Labs, is UAPS, also known as PinPays, which is a payment processor controlled by Ivanov. PinPays has been identified as a payment processor linked to cybercriminal services such as carding shops, the now-sanctioned Genesis Market, and other darknet operations. Blockchain analysis reveals that PinPays aggregates deposits from multiple cybercrime services and launders funds through interconnected wallets before sending them to Cryptex.

According to TRM, between 2022 and 2024, over $500 million was laundered through UAPS/PinPays, with a portion of these funds flowing directly to Cryptex. PinPays employs a “mixer” technique, which involves pooling and redistributing funds from various sources to obscure their origins, facilitating the processing of ransomware and darknet market related payments, as shown in TRM graphs below.

Coordinated International Efforts and Broader Implications

The actions by Treasury, State, and the US Department of Justice against PM2BTC, Cryptex, and Ivanov are part of a larger international effort to dismantle financial networks supporting Russian cybercrime. In collaboration with the U.S. Secret Service, the Netherlands Police, and the Dutch Fiscal Intelligence and Investigation Service (FIOD), the U.S. has seized domains and infrastructure tied to these exchanges. As part of Operation Endgame, a multinational initiative targeting transnational cybercrime, these actions aim to disrupt the financial enablers of organized cybercrime on a global scale.

An International Effort to Combat Russian Illicit Finance

Today’s efforts underscore the importance of international cooperation in combating the misuse of virtual currencies for illicit activities. The interconnected nature of platforms like CryptexPay and payment processors such as PinPays and UAPS highlights the need for continued vigilance in identifying and disrupting these networks. As the U.S. and its allies pursue these actors, the message is clear: the virtual asset ecosystem will not be allowed to serve as a safe haven for criminal enterprises, and the global financial system must remain steadfast in countering these threats. TRM is proud to support global law enforcement and regulators in the fight against illicit activity in the cryptocurrency ecosystem.
