Behind the crypto broker accused of aiding ransomware hackers
A cryptocurrency broker that the US considers a key cog in the recent ransomware epidemic is legally registered in the Czech Republic, but does not appear to have an office there. It may be operating out of Moscow’s tallest skyscraper despite its not being listed at the address.
Suex OTC earned the distinction last month of being the first digital-currency firm to be sanctioned by the US as governments try to stem further attacks. And while it denies any part in the recent spate of cyber crimes, experts say it is a prime example of a shadowy corner of the industry that has allowed hackers to thrive by giving them the means to launder millions of dollars in illicit digital proceeds, either themselves or through “nested” middlemen working through an exchange.
Suex OTC is a transactions platform that allows cryptocurrency traders to buy and sell digital coins. The virtual currency exchange is accused by the US of mixing legitimate digital currency trades with illegal transfers from ransomware gangs, allowing them to launder profits from the kind of attacks that have crippled hospitals, businesses, school districts and even a major U.S. East Coast gasoline pipeline.
The U.S. Treasury Department alleges that Suex has played an integral role helping criminal hackers clean and cash out their loot, mostly Bitcoin paid by ransomware victims, before converting it to a traditional currency.
“There is an illicit underbelly that’s formed in this ecosystem,” said Todd Conklin, counsellor to the deputy secretary of the Treasury. “We haven’t yet cleansed the entire ecosystem and we’re definitely continuing to investigate other nested exchanges and mixers, like Suex.”
Since at least 2018, Suex has converted cryptocurrency holdings into cash inside brick-and-mortar offices in Moscow, St. Petersburg and possibly in the Middle East, according to Chainalysis Inc., a blockchain forensics firm specializing in following the movement of digital currencies whose clients have included U.S. federal agencies. It is legally registered in the Czech Republic but apparently does not have an office there, according to Chainalysis. At the official address, a nondescript house in Prague’s old town, there is a clothing store and antiques shops on the ground floor, and several residential units and a law firm above.
The law firm at the address where Suex is registered specializes in incorporation and corporate governance services. A person at the firm who answered a call from Bloomberg denied having any knowledge of Suex and hung up the phone.
The company does appear to be operating from Moscow’s 97-story-high Federation Tower East building, according to Chainalysis. There is no public directory of tenants at the entrance, and the receptionist bans entry to anyone who hasn’t been invited. While Suex’s name is not listed at the address, per the building’s management, a company called Art of Web - which counts Suex’s chief executive officer and largest shareholder Egor Petukhovsky - is.
Suex’s Petukhovsky did not respond to requests for comment. He denied in a recent Facebook post that he or his business helped launder money for hackers and vowed to “firmly defend my name in litigation” in the US.
“I believe in independent justice and hope to come back to normal life as soon as possible,” he said. Other Suex officials couldn’t be located for comment.
By adding Suex to the Treasury Department’s list of sanctioned entities, US-based companies and individuals are prohibited from conducting any transactions with them. While these sanctions will likely do little to expose Suex to legal authorities half a world away, the Biden administration is hoping it may dissuade US-based ransomware victims from quickly paying ransom to resolve their ordeal.
Brokers like Suex do not typically build their own software systems to execute cryptocurrency trades. Instead, these operators trade on third-party crypto exchanges. The Treasury Department declined to identify which exchanges it believes Suex had utilized except to say “several.” Regulators globally have called for tighter enforcement and regulations requiring exchanges to collect data that identifies their clients.
Suex has so far received at least $160 million in Bitcoin from illicit and high-risk sources since 2018, according to Chainalysis. If correct, that’s about 40% of Suex’s known transaction history linked to the activity of hackers, including nearly $13 million from some of the more infamous ransomware groups: Ryuk and Conti, according to Chainalysis.
Many of the ransomware groups have been traced to Russia and other countries that the US says have provided safe haven for them. At a June summit, President Joe Biden warned Russian President Vladimir Putin about continued attacks, particularly on critical infrastructure. But the cybergangs are still “operating in the permissive environment that they’ve created there,” FBI Deputy Director Paul Abbate said earlier this month.
What is unclear is the extent to which Suex is aware that it is being used to launder money, whether it is simply turning a blind eye to illegal behaviour by failing to vet its customers carefully, or whether the US simply made a mistake in branding Suex an illicit broker, as its CEO claims. While the company’s leadership denies any ties to cyber gangs and their illegal activity, Maxim Kurbangaleev, who described himself as Suex’s co-founder on LinkedIn, described how quickly customers can start trading “without the long and tedious sending of documents and passing endless checks.”
The post, which was provided by blockchain intelligence firm TRM Labs, has since been removed. It was not clear when Kurbangaleev posted the statement.
Many services that work with exchanges conduct “know-your-customer” checks to verify customer identities; Suex does not, said Ari Redbord, head of legal and government affairs at TRM Labs and a former federal prosecutor and treasury official, who described Suex as a “parasitic exchange.”
“The difference between those and Suex is that Suex is part of a shadow crypto economy that thrives on skipping appropriate compliance controls,” he said. The sanctions against Suex show that “the U.S. government is going to go after the unregulated exchanges,” Redbord said.
Suex largely communicated with its clients via the Telegram app and accepted new customers on a system of referrals from trusted sources, according to TRM. Transactions were only completed at Suex’s offices, where, one ad bragged, customers would be treated to cookies and tea.
Suex “appeared to deal almost exclusively in high-value deals - its minimum acceptable transaction was $10,000,” says TRM. Suex then executed clients’ transactions on other exchanges, likely without those exchanges knowing where Suex was getting the funds.
Warning to Enablers
The US actions against Suex follow other efforts to hold cryptocurrency brokerages accountable for illicit activity.
BTC-e was shuttered in 2017 after the US accused Russian national Alexander Vinnik of supervising a platform that was being used by cyber criminals to move illicit digital proceeds anonymously and without vetting. BTC-e allegedly handled some Bitcoin traced to the same Russian hacking group implicated in hacking Democratic Party emails ahead of the 2016 presidential election, according to blockchain forensics firm Elliptic.
Vinnik was extradited from Greece to France, where he was sentenced in December to five years in a French prison.
Chainalysis’s data indicates that Suex processed more than $50 million in illicit funds on behalf of BTC-e and its users following the BTC-e takedown, including some transfers as recently as this year.
Law enforcement agencies have long worried that cryptocurrency businesses could be used to launder money and for other criminal purposes. But it turns out that most coins can be traced, because every transaction that happens outside a centralized exchange is recorded on a public digital ledger, typically called a blockchain. Regulators and law enforcement have been actively using blockchain forensics services to catch bad actors across the globe. Suex was just the latest business to get caught.
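The traceability described above is what lets a forensics firm say that roughly 40% of a broker's inflows are linked to illicit sources, and what lets an exchange decide whether to accept a deposit from a given address. The code below is an added example, not code from Bloomberg, Chainalysis, TRM Labs or Elliptic; every address, transaction, threshold and the "sanctions list" in it are constructed placeholders (none is a real OFAC entry), and the per-address pro-rata taint model is a deliberate simplification of how commercial tracing tools work.

```python
"""Pro-rata taint tracing over a constructed transaction ledger.

Added example for illustration only. All addresses, transactions and
thresholds are constructed; SANCTIONED_ADDRESSES are placeholders, not
real sanctions-list entries.
"""
from collections import defaultdict

# Constructed placeholder sanctions list (NOT real OFAC SDN addresses).
SANCTIONED_ADDRESSES = {"addr_sanctioned_A", "addr_sanctioned_B"}

# Constructed ledger in chronological order. Each entry is
# (txid, inputs, outputs) with inputs and outputs as [(address, amount)].
LEDGER = [
    ("tx1", [("addr_sanctioned_A", 10.0)], [("addr_mule1", 6.0), ("addr_mule2", 4.0)]),
    ("tx2", [("addr_clean1", 10.0)], [("addr_mule1", 10.0)]),
    ("tx3", [("addr_mule1", 16.0)], [("addr_deposit", 16.0)]),
    ("tx4", [("addr_clean2", 8.0)], [("addr_deposit", 8.0)]),
    ("tx5", [("addr_sanctioned_B", 2.0)], [("addr_deposit", 2.0)]),
]


def trace_taint(ledger, sanctioned):
    """Return {address: (tainted_received, total_received, sources)}.

    Simplified model (an assumption of this example): an address's taint is
    the fraction of all value it has ever received that traces back to a
    sanctioned source. Each transaction spreads the taint of its inputs
    pro rata across its outputs, so mixing clean and dirty funds dilutes
    but never erases the exposure.
    """
    tainted = defaultdict(float)
    total = defaultdict(float)
    sources = defaultdict(set)

    def fraction(addr):
        if addr in sanctioned:
            return 1.0
        return tainted[addr] / total[addr] if total[addr] else 0.0

    for _txid, inputs, outputs in ledger:
        in_total = sum(amount for _, amount in inputs)
        in_tainted = sum(amount * fraction(addr) for addr, amount in inputs)
        in_sources = set()
        for addr, _ in inputs:
            if addr in sanctioned:
                in_sources.add(addr)
            else:
                in_sources |= sources[addr]
        share = in_tainted / in_total if in_total else 0.0
        for addr, amount in outputs:
            total[addr] += amount
            tainted[addr] += amount * share
            if share > 0:
                sources[addr] |= in_sources

    return {addr: (tainted[addr], total[addr], sources[addr]) for addr in total}


def exposure(report, addr):
    """Fraction of value received by addr that traces to sanctioned sources."""
    tainted, total, _ = report.get(addr, (0.0, 0.0, set()))
    return tainted / total if total else 0.0


def screen(addr, report, sanctioned, review_threshold=0.05, block_threshold=0.5):
    """Deposit-screening decision: direct sanctions hit blocks outright,
    otherwise indirect exposure is compared against constructed thresholds."""
    if addr in sanctioned:
        return "block"
    exp = exposure(report, addr)
    if exp >= block_threshold:
        return "block"
    if exp >= review_threshold:
        return "review"
    return "allow"


if __name__ == "__main__":
    report = trace_taint(LEDGER, SANCTIONED_ADDRESSES)
    for addr in sorted(report):
        tainted, total, srcs = report[addr]
        print(f"{addr}: {exposure(report, addr):.1%} exposure "
              f"({tainted:.1f} of {total:.1f}) via {sorted(srcs)} "
              f"-> {screen(addr, report, SANCTIONED_ADDRESSES)}")
```

Running it shows the deposit address ending up with 8 of 26 units (about 31%) traceable to two separate sanctioned sources even though most of its inflow came through an intermediary, which is the kind of indirect exposure a compliance team reviews before crediting a customer. The thresholds are illustrative; a real programme sets them from its own risk appetite and regulatory guidance.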
Despite Suex’s denial, the Treasury Department’s crackdown should, at least temporarily, narrow the illicit pipeline of digital currency transfers, according to Elliptic cofounder Tom Robinson.
“It means one less place for ransomware gangs to cash-out their earnings, although there are still plenty of other ways they can still do that,” he said. “For crypto exchanges, it means that it’s even more critical to ensure that they are not laundering proceeds of crime. They now have the real prospect of being cut off from the mainstream financial system if they are enabling their actors.”
©2021 Bloomberg L.P.