
U.S., EU authorities crush crypto exchange Bitzlato as $700 million Russian laundering hub, FinCEN unsheathes new authority to blacklist operation from financial system

The Skinny:

  • Law enforcement agencies in the United States, France, the Netherlands and EUROPOL took down virtual currency exchange Bitzlato in a coordinated strike Wednesday, arresting its owner in Miami for allegedly operating an illegal money transfer business and openly flouting fincrime compliance rules.
  • In lock step, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) brandished new authority to blacklist the operation as a global money laundering hub helping Russian cyber fraudsters – essentially making the entity radioactive to large U.S. and international banking groups and compliance-minded crypto exchanges.
  • In the action, FinCEN designated Bitzlato as a “Primary Money Laundering Concern” for moving more than $700 million in suspect funds for an illicit cabal using and selling drugs, scheming, scamming, spamming, hacking and laundering between roughly January 2016 and December 2022.

By Brian Monroe
bmonroe@acfcs.org
Jan 18, 2023

Law enforcement agencies in the United States and Europe took down virtual currency exchange Bitzlato in a coordinated strike Wednesday, arresting its owner in Miami and blacklisting the operation with the scarlet letter of illicit finance.

The U.S. Department of Justice (DOJ) and law enforcement partners arrested Anatoly Legkodymov, 40, a Russian national residing in Shenzhen, China, for allegedly operating an illegal money transmission business that openly flouted and even advertised its disdain for anti-money laundering (AML) rules and restraints.

Bitzlato was a “money laundering engine that fueled a high-tech axis of cryptocrime,” said Deputy Attorney General Lisa Monaco.

“Today’s actions send the clear message: whether you break our laws from China or Europe – or abuse our financial system from a tropical island – you can expect to answer for your crimes inside a United States courtroom.”

In lock step, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) brandished new authority to blacklist the Hong Kong-registered operation as a global money laundering hub helping Russian cyber fraudsters.

In the action, FinCEN designated Bitzlato as a “Primary Money Laundering Concern” for moving more than $700 million in suspect funds for an illicit cabal using and selling drugs, scheming, scamming, spamming, hacking and laundering between roughly January 2016 and December 2022.

The order prohibits certain transmittals of funds involving Bitzlato by any covered financial institution, but in reality makes the entity radioactive to large U.S. and international banking groups – and compliance-minded crypto exchanges.

This is the first order issued pursuant to section 9714(a) of the Combating Russian Money Laundering Act, which came into being at the same time as the seminal Anti-Money Laundering Act (AMLA) on the heels of a Congressional budget package.

As part of its FinCEN designation, starting next month, covered financial institutions are prohibited from funds transfers from or to Bitzlato, or from or to any account or CVC address administered by or on behalf of Bitzlato.

The designation also puts more pressure on brick-and-mortar banks with ties to crypto customers and crypto trading houses and virtual value exchanges themselves to review current and past links to the battered Bitzlato or run afoul of AML compliance and other counter money laundering directives.

To read the 29-page FinCEN order, click here.

To read the 18-page DOJ complaint, click here.

To read the Europol notice, click here.

The case also highlights the importance of AML controls, said Ari Redbord, Head of Legal and Government Affairs at TRM Labs, the blockchain intelligence company, in a social media posting.

The DOJ complaint highlights that Bitzlato “advertised weak AML controls as a selling point,” a tactic that should not be employed by other reticent, recalcitrant exchanges – or they could suffer the same fate.  

“This is obviously another message from regulators that compliance is critical to protecting the [crypto] ecosystem as it grows,” he said.

To read the full post and be part of the conversation, click here.

Prior to joining TRM, Redbord was the Senior Advisor to the Deputy Secretary and the Undersecretary for Terrorism and Financial Intelligence at the United States Treasury.

To read an in-depth analysis of the action by Redbord published in Forbes, click here.

The exchange played a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware groups operating in Russia, including Conti, a Ransomware-as-a-Service operator with links to the Government of Russia.

Not able to get at the Russian hackers at home, investigators took an international approach to uncover how these groups were turning their crypto value into cash – and what individuals and equipment touched their jurisdictions.

The operation involved a host of regions and agencies, including:

  • Belgium
  • Cyprus
  • Europol
  • France
  • The Netherlands
  • Portugal
  • Spain
  • United States  

Overall, Bitzlato processed nearly $4.6 billion worth of cryptocurrency transactions since May 2018.

The issue that got it on the radar of law enforcement: a “substantial portion of those transactions constituted the proceeds of crime, as well as funds intended for use in criminal transactions,” according to data publicly available on the blockchain, as cited in the criminal complaint.

Europol put that figure of illicit transactions as high as 46 percent, or nearly $1.1 billion.

For negative news and name screen purposes, Legkodymov also went by “Gandalf” and “Tolik,” a popular Russian moniker of Greek origin and diminutive of Anatoliy, according to online naming convention sites.

Ironically, though his site has now gone dark, the name Tolik translates to “sunrise.”

The company’s YouTube channel, however, is still up and running, with a handful of videos posted from about two years ago detailing the benefits of crypto transactions with little in the way of customer verification needed or government oversight attached.

To visit the Bitzlato YouTube channel, which at the top of the page loudly proclaims “no KYC,” click here.


No AML, no KYC, no CDD, no problem

For most of Bitzlato’s corporate history, it was a staple of the company’s branding and online messaging that Bitzlato had loose or non-existent requirements as to “KYC.”

As an example, Bitzlato’s website advertised for years (and as recently as March 31, 2022) that the site offered “Simple Registration without KYC. Neither selfies nor passports required. Only your email needed.”

Similarly, a blog post on Bitzlato’s website stated: “On Bitzlato no KYC is required for you to trade,” according to DOJ.

Beginning in February 2022, Bitzlato began requiring new users to self-verify, but indicated in communications to users about the policy that verification for existing users was “not obligatory.”

Investigators noted that Bitzlato not only did nothing to stop or prevent its services from being abused by criminals, but also made its lack of AML controls part of its marketing strategy.

Bitzlato billed itself as “requiring minimal identification from its users, specifying that ‘neither selfies nor passports [are] required,’” according to DOJ.

Even on occasions when Bitzlato did direct users to submit identifying documents, federal investigators uncovered that it “repeatedly allowed them to provide information belonging to ‘straw man’ registrants.”

Bitzlato sold itself to criminals as a “no-questions-asked cryptocurrency exchange, and reaped hundreds of millions of dollars’ worth of deposits as a result,” according to prosecutors.

Not surprisingly this drew a “substantially greater proportion of money laundering activity in connection with Russian illicit finance compared to other virtual currency exchanges.”


Serving, severing the heads of Hydra, contaminated by contagion of Conti

With only lip service paid to any real commitment to AML safeguards, the virtual exchange quickly became the best option for the worst of the worst groups in the real world.

Bitzlato offered exchange and Peer-to-Peer (P2P) services, taking and moving money in and out of Russia for Russia-affiliated ransomware groups, affiliates and darknet markets.

Which ones?

The groups regularly rubbed elbows with the renowned and reviled Conti and the Russia-connected darknet market Hydra, which is the subject of both U.S. sanctions and law enforcement actions that have shuttered its operations.

Following Hydra’s closure in April 2022, Bitzlato continued to engage in transactions with growing Russia-connected darknet markets, including BlackSprut, OMG!OMG!, and Mega.

Cryptocurrency analysis by authorities involved in the case also uncovered that the “majority of suspicious transactions are linked to entities sanctioned by the Office of Foreign Assets Control (OFAC), with others linked to cyber scams, money laundering, ransomware and child abuse material.”

Bitzlato: By the numbers

A Bitzlato tale of the tape: Who got arrested, what got seized and where?

Here is a snapshot of the final tally tied to the multijurisdictional, multiversal Bitzlato takedown:

  • 5 individuals arrested so far (1 in Cyprus, 3 in Spain and 1 in the US);
  • 1 individual questioned in Portugal;
  • The main administrator arrested in the US;
  • CEO, Financial director and Marketing director arrested in Spain;
  • 8 house searches (4 in Spain, 1 in Cyprus, 2 in Portugal, 1 in US);
  • Takedown of the digital infrastructure of the service, enabling further analysis and investigation;
  • Seizures include crypto wallets worth about EUR 18 million in cryptocurrency at the time of writing, vehicles and electronic equipment;
  • 100+ accounts at other crypto exchanges frozen, involving a total of EUR 50 million.

Source: Europol


As Hydra devoured lives, life savings, Bitzlato gorged on profits, profligate

Those figures give voice to the very real dangers of a virtual exchange blowing off AML and sanctions controls.

Hydra operated from approximately 2015 to April 5, 2022, when it was shut down by U.S. and German law enforcement.

During that time, it grew to be “notorious as the largest and longest-running darknet market in the world,” according to DOJ.

As Hydra rose to dark prominence, Bitzlato became its illicit financial partner – profiting from the misery of countless others around the globe.  

“Hydra was Bitzlato’s largest counterparty for cryptocurrency transactions, and Bitzlato served as Hydra’s second-largest counterparty,” investigators stated in the complaint.

In 2021, Hydra accounted for 80 percent of darknet market revenue worldwide, and from January 2016 to March 2022 it captured the equivalent of $5.2 billion in cryptocurrency, much of it sent from wallets at Bitzlato.

From Hydra to Bitzlato and back again. Here is a snapshot of the funds flow between the dread dark market and its erstwhile ally:

  • Users of Hydra sent approximately $170.6 million in cryptocurrency to wallets on Bitzlato between May 2018 and April 2022.
  • In that same timeframe, Hydra users sent an additional $218.7 million to non-Bitzlato addresses from which they were then sent to Bitzlato.
  • The amount of money flowing from Bitzlato to Hydra was equally substantial between May 2018 and April 2022.
  • Criminals using Hydra pulled some $124.4 million from Bitzlato accounts to make purchases on Hydra, and drew an additional $191.9 million from non-Bitzlato sources that had, in turn, been funded from Bitzlato.

In addition to funds exchanged with Hydra, Bitzlato has received, directly or indirectly, more than 15 million dollars’ worth of cryptocurrency representing the proceeds of ransomware attacks.


You didn’t know, I don’t think so, caught yet in the darknet: the cat in the chat

Historically, in a scenario where the customers of a company are engaging in illicit behavior, the first thing top executives do is say, “I am not responsible for what other people do and I didn’t know.”

That isn’t the case in this case, according to federal prosecutors.

Bitzlato’s senior managers, including Legkodymov, were “aware of the high volume of criminal funds, including narcotics-related funds, that were transacted on the site, due to their deliberate decision not to verify the true identities of its users.”

How did they find this out?

Bitzlato personnel used an internal chat service to discuss their administration of the service.

In one such chat in October 2018 an unnamed Executive-1 reported to Legkodymov that Bitzlato faced a “threatening situation” in the bitcoin market: “no small-time dealers, seems they’ve been scared off by the drug war.”

The result, he said, was that there were not enough users seeking to sell bitcoin cheaply on Bitzlato, according to investigators.  

“We’ve been advertising from 5,000 [rubles] to buy, but I guess junkies only buy for 1,000 to 3,000,” the person said.  

As a solution, Executive-1 advocated going easy on drug dealers: “[I]f we seriously announce the fight against drug traffickers, they will just be dumped on another platform. My suggestion is to fight them nominally, ie, block once a month when they can clearly be found.”

The current “zealous” approach to blocking drug-related users, Executive-1 said, would be “not very correct from a business point of view.”

Ever the entrepreneur and business opportunist, Legkodymov responded by noting that the proceeds from drug dealers’ seized cryptocurrency wallets were potentially “a bonus” to Bitzlato’s coffers.

He then recommended following “the policy of the banks” – “If you make a transfer ‘for cannabis’ then they will probably block you, of course, but no one will look for it that way.”

Legkodymov was also aware that Bitzlato’s customers were not using the service under their true identities.

In May 2019, he wrote to a colleague in a chat: “All traders are known to be crooks. Trading on ‘drops,’ etc. You do realize that they all (I think 90%) do not trade on their [identity] cards.”

“Yes,” the colleague responded.

For context, reference to the term “a drop” means that a scammer has stolen or paid someone to use their identity and identification documents – a widely-accepted practice in Russia with full sites, forums and apps to connect criminals and third-party individuals with a lack of scruples and need for quick cash.

Later that year, in June 2019, Legkodymov commented: “Scammers know that it is possible to be verified for a drop and 100% withdraw money.”

Bitzlato’s inadequate verification procedures and transactions in criminally linked funds were summed up in a document titled “Competitor Analysis,” drafted by Bitzlato’s Marketing Director, that was saved to a shared cloud drive associated with Bitzlato’s “management” email account.

The document contained an analysis of the pros and cons of Bitzlato and its competitor sites.

The document noted the following regarding Bitzlato:

Positives:

  • No KYC
  • 3 interfaces
  • Bitcoin checks
  • Instant addition of new payment methods
  • 9 coins traded

Negatives:

  • Dirty money
  • Lots of scams
  • High fees to withdraw

Where the bad guys go, DOJ allies will follow

With the hacker cryptosphere in a state of flux, wondering what darknet markets or exchanges will fill the void, international law enforcement agencies will be watching to see what mixers, companies and groups to target next – as they have racked up some stunning victories in recent years.

The Bitzlato takedown “builds on prior Treasury and DOJ actions,” Redbord stated in his analysis.

The operation was a continuation of the efforts against darknet market Hydra and is “consistent with the US going after bad actors without affecting the overall crypto economy,” he said.

For example, over the last 18 months “we have seen actions against non-compliant Russia-based exchanges Suex, Chatex, and Garantex, also for having weak or no AML controls and for facilitating ransomware and darknet activity,” Redbord said.

“We have also seen DOJ and Treasury target darknet mixing services like Helix and Bitcoin Fog as part of this strategy.”

The message to the industry: if you are a crypto exchange doing as little as possible on AML, get your house in order – including finding and reporting on illicit entities before authorities do.

If you are an exchange, mixer or darknet market thinking you are above the law and operating with impunity in Russia or another region without strong legal or jurisdictional ties to the U.S. and its foreign partners – you better not decide to party in Miami, the South of France or clog along gawking at tulip fields and windmills in Holland.
