Russian hackers are seeking alternative money-laundering options

The Russian cybercrime community, one of the most active and prolific in the world, is turning to alternative money-laundering methods due to sanctions on Russia and law enforcement actions against dark web markets.

Although the options are few, cybecriminals are discussing viable solutions to cash out or safe keep stolen funds and cryptocurrency, analysts at Flashpoint observed in conversations from threat actors.

A "perfect storm"

First came the bank sanctions and the blocking of SWIFT payments, a result of the Russian invasion of Ukraine. This crippled the regular channels for cash flows used by cybercriminals.

Then came the suspension of Russian operations of direct money transfer services such as Western Union and MoneyGram. Scammers and extortionists typically used those to receive payments from victims without revealing their real identity.

On April 5, the servers of Hydra Market, the largest Russian darknet platform, were seized by the German police, taking down a massive business (over $1.35 billion annual turnover) that also sustained money-laundering services.

The following day, the U.S. sanctioned Garantex, one of the most important platforms Russian cybercriminals used for laundering stolen funds, which followed a wave of sanctions on similar platforms starting in 2021.

Finally, yesterday, Binance became the first large cryptocurrency exchange to essentially ban Russian users from performing transactions or investments, and more are expected to follow soon. Even coin mining operations of significant size in Russia are being sanctioned.

Cybercriminals turn to China

According to Flashpoint data collected from cybercriminal forums, Russian hackers have mostly turned to Chinese payment systems, including Chinese banks and the Union Pay cards system.

However, even Union Pay is now considering to refuse serving Russian customers, so the option is not viable on a longer term.

Since bank problems arose, a new category of money launderers has emerged, offering money routes through banks in countries like Armenia, Vietnam, or China, that have not imposed sanctions on Russian banks.

Cryptocurrency exchanges with rising KYC (known your customer) requirements, even those within Russia, are not an option, so darknet coin-mixing and cash-out services are among the few options available.

Since the money-laundering providers on Hydra no longer have a stable place to advertise their services, crooks are reduced to turning to smaller, less trustworthy operations.

Flashpoint says some cybercriminals responded to this situation by adopting a long term approach and investing in gold or storing their cryptocurrency in cold wallets until the conditions change.

The situation is unlikely to have an impact on financially-motivated threat activity, though. Lower-tier threat groups and less capable hackers will be impacted the most, but the private laundering channels established by more sophisticated groups are likely to continue to operate.