Companies Linked to Russian Ransomware Hide in Plain Sight
MOSCOW — When cybersleuths traced the millions of dollars American companies, hospitals and city governments have paid to online extortionists in ransom money, they made a telling discovery: At least some of it passed through one of the most prestigious business addresses in Moscow.
The Biden administration has also zeroed in on the building, Federation Tower East, the tallest skyscraper in the Russian capital. The United States has targeted several companies in the tower as it seeks to penalize Russian ransomware gangs, which encrypt their victims’ digital data and then demand payments to unscramble it.
Those payments are typically made in cryptocurrencies, virtual currencies like Bitcoin, which the gangs then need to convert to standard currencies, like dollars, euros and rubles.
That this high-rise in Moscow’s financial district has emerged as an apparent hub of such money laundering has convinced many security experts that the Russian authorities tolerate ransomware operators. The targets are almost exclusively outside Russia, they point out, and in at least one case documented in a U.S. sanctions announcement, the suspect was assisting a Russian espionage agency.
“It says a lot,” said Dmitri Smilyanets, a threat intelligence expert with the Massachusetts-based cybersecurity firm Recorded Future. “Russian law enforcement usually has an answer: ‘There is no case open in Russian jurisdiction. There are no victims. How do you expect us to prosecute these honorable people?’”
Recorded Future has counted about 50 cryptocurrency exchanges in Moscow City, a financial district in the capital, that in its assessment are engaged in illicit activity. Other exchanges in the district are not suspected of accepting cryptocurrencies linked to crime.
Cybercrime is just one of many issues fueling tensions between Russia and the United States, along with the Russian military buildup near Ukraine and a recent migrant crisis on the Belarus-Polish border.
The Treasury Department has estimated that Americans have paid $1.6 billion in ransoms since 2011. One Russian ransomware strain, Ryuk, made an estimated $162 million last year encrypting the computer systems of American hospitals during the pandemic and demanding fees to release the data, according to Chainalysis, a company tracking cryptocurrency transactions.
The hospital attacks cast a spotlight on the rapidly expanding criminal industry of ransomware, which is based primarily in Russia. Criminal syndicates have become more efficient, and brazen, in what has become a conveyor-belt-like process of hacking, encrypting and then negotiating for ransom in cryptocurrencies, which can be held pseudonymously: an address on the ledger is not tied to a name, even though every payment to it is public.
At a summit meeting in June, President Biden pressed President Vladimir V. Putin of Russia to crack down on ransomware after a Russian gang, DarkSide, attacked a major gasoline pipeline on the East Coast, Colonial Pipeline, disrupting supplies and creating lines at gas stations.
American officials point to people like Maksim Yakubets, a skinny 34-year-old with a pompadour haircut whom the United States has identified as a kingpin of a major cybercrime operation calling itself Evil Corp. Cybersecurity analysts have linked his group to a series of ransomware attacks, including one last year targeting the National Rifle Association. A U.S. sanctions announcement accused Mr. Yakubets of also assisting Russia’s Federal Security Service, the main successor to the K.G.B.
But after the State Department announced a $5 million bounty for information leading to his arrest, Mr. Yakubets seemed only to flaunt his impunity in Russia: He was photographed driving in Moscow in a Lamborghini partially painted fluorescent yellow.
The cluster of suspected cryptocurrency exchanges in Federation Tower East, first reported last month by Bloomberg News, further illustrates how the Russian ransomware industry hides in plain sight.
The 97-floor, glass-and-steel high-rise resting on a bend in the Moscow River stands within sight of several government ministries in the financial district, including the Russian Ministry of Digital Development, Signals and Mass Communications.
Two of the Biden administration’s most forceful actions to date targeting ransomware are linked to the tower. In September, the Treasury Department imposed sanctions on a cryptocurrency exchange called Suex, which has offices on the 31st floor. It accused the company of laundering $160 million in illicit funds.
In an interview at the time, a founder of Suex, Vasily Zhabykin, denied any illegal activity.
And last month, Russian news media outlets reported that Dutch police, using a U.S. extradition warrant, had detained the owner, Denis Dubnikov, of another firm called EggChange, with an office on the 22nd floor. In a statement issued by one of his companies, Mr. Dubnikov denied any wrongdoing.
Ransomware is attractive to criminals, cybersecurity experts say, because the attacks take place mostly anonymously and online, minimizing the chances of getting caught. It has mushroomed into a sprawling, highly compartmentalized industry in Russia known to cybersecurity researchers as “ransomware as a service.”
The organizational structure mimics franchises, like McDonald’s or Hertz, lowering barriers to entry so that less sophisticated hackers can get into the business using established practices. A handful of high-level gangs develop the malware and promote fearsome-sounding brands, such as DarkSide or Maze, to intimidate the businesses and other organizations they target. Other, only loosely related groups, known as affiliates, then break into victims’ networks using that brand and that software.
The industry’s growth has been abetted by the rise of cryptocurrencies. That has made old-school money mules, who sometimes had to smuggle cash across borders, practically obsolete.
Laundering the cryptocurrency through exchanges is the final step, and also the most vulnerable, because criminals must exit the anonymous online world to appear at a physical location, where they trade Bitcoin for cash or deposit it in a bank.
The exchange offices are “the end of the Bitcoin and ransomware rainbow,” said Gurvais Grigg, a former F.B.I. agent who is a researcher with Chainalysis, the cryptocurrency tracking company.
Because every transaction is recorded on a public ledger, funds can be followed from one address to the next, even though the owners of those addresses are not named, until the cryptocurrency reaches an exchange. There, in theory, the exchange’s customer-identification records should link the cryptocurrency with a real person or company.
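The tracing step described above, as an added example that is not part of the article and is not any tracking vendor’s software: the ledger, the address names and the table attributing deposit addresses to exchanges are all constructed here, and the pro-rata taint rule (each output inherits taint in proportion to the tainted share of the inputs) is one common convention, not the only one. Propagation stops at a tagged exchange deposit address, because from that point the money moves on the exchange’s internal books and only its own records can tie the deposit to a person.

```python
"""Toy forward-tracing of a ransom payment to exchange deposit addresses.

Assumptions (all part of this constructed example):
  - the ledger is a list of transactions in confirmation order;
  - each address is spent at most once and in full, so the value an
    address contributes as an input equals everything it received;
  - taint is attributed pro rata: when a transaction mixes tainted and
    clean inputs, each output carries taint in proportion to the tainted
    share of the inputs.
"""
from collections import defaultdict

# Constructed sample ledger (not real chain data).
TXS = [
    {"txid": "t0", "inputs": ["miner"],              "outputs": [("clean_src", 40.0)]},
    {"txid": "t1", "inputs": ["victim"],             "outputs": [("ransom_addr", 50.0)]},
    {"txid": "t2", "inputs": ["ransom_addr"],        "outputs": [("hop_a", 30.0), ("hop_b", 20.0)]},
    {"txid": "t3", "inputs": ["hop_a"],              "outputs": [("exch_x_dep", 25.0), ("hop_c", 5.0)]},
    {"txid": "t4", "inputs": ["hop_b", "clean_src"], "outputs": [("exch_y_dep", 60.0)]},
    {"txid": "t5", "inputs": ["hop_c"],              "outputs": [("cold_wallet", 5.0)]},
]

# Hypothetical attribution of deposit addresses to exchanges (the kind of
# tagging a tracking service would supply).
EXCHANGE_TAGS = {"exch_x_dep": "Exchange X", "exch_y_dep": "Exchange Y"}


def trace_cashouts(txs, seed_addr, exchange_tags):
    """Follow funds paid to seed_addr until they hit a tagged exchange.

    Returns (tainted_amount_per_exchange, tainted_amount_still_unspent).
    """
    received = defaultdict(float)
    for tx in txs:
        for addr, amt in tx["outputs"]:
            received[addr] += amt
    if seed_addr not in received:
        raise ValueError(f"seed address {seed_addr!r} never received funds in this ledger")

    taint = defaultdict(float)
    taint[seed_addr] = received[seed_addr]      # everything the victim paid is tainted
    cashouts = defaultdict(float)
    spent = set()

    for tx in txs:
        tainted_in = sum(taint[a] for a in tx["inputs"])
        if tainted_in == 0:
            continue                             # nothing to propagate through this tx
        total_in = sum(received[a] for a in tx["inputs"])
        spent.update(tx["inputs"])
        for addr, amt in tx["outputs"]:
            share = amt * tainted_in / total_in  # pro-rata attribution
            if addr in exchange_tags:
                # Cash-out point: record it and stop; the rest is off-chain.
                cashouts[exchange_tags[addr]] += share
            else:
                taint[addr] += share

    unspent = {a: v for a, v in taint.items()
               if v > 0 and a not in spent and a not in exchange_tags}
    return dict(cashouts), unspent


if __name__ == "__main__":
    per_exchange, parked = trace_cashouts(TXS, "ransom_addr", EXCHANGE_TAGS)
    for name, amt in per_exchange.items():
        print(f"{amt:6.2f} reached {name}")
    for addr, amt in parked.items():
        print(f"{amt:6.2f} still sitting at {addr}")
```

On this ledger, 25 of the 50 units land at Exchange X and 20 at Exchange Y (transaction t4 mixes the 20 tainted units with 40 clean ones, so only a third of its 60-unit output is attributed), while 5 remain parked in an unspent address. The exchange deposit addresses are exactly where an investigator would serve a records request, and the same mixing in t4 shows why an exchange that keeps no customer records breaks the trail.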
“They are really one of the key points in the whole ransomware strain,” Mr. Grigg said of the exchange offices. Ransomware gangs, he said, “want to make money. And until you cash it out, and you get it through an exchange at a cash-out point, you cannot spend it.”
It is at this point, cybersecurity experts say, that criminals should be identified and apprehended. But the Russian government has allowed the exchanges to flourish, saying that it only investigates cybercrime if Russian laws are violated. Regulations are a gray area in Russia, as elsewhere, in the nascent industry of cryptocurrency trading.
Russian cryptocurrency traders say the United States is imposing an unfair burden of due diligence on their companies, given the quickly evolving nature of regulations.
“The people who are real criminals, who create ransomware, and the people working in Moscow City are completely different people,” Sergei Mendeleyev, a founder of one trader based in Federation Tower East, Garantex, said in an interview. The Russian crypto exchanges, he said, were blamed for crimes they are unaware of.
Mr. Mendeleyev, who no longer works at the company, said American cryptocurrency tracking services provide data to non-Russian exchanges to help them avoid illicit transactions but have refused to work with Russian traders — in part because they suspect the traders might use the information to tip off criminals. That complicates the Russian companies’ efforts to root out illegal activity.
He conceded that not all Russian exchanges tried very hard. Some based in Moscow’s financial district were little more than an office, a safe full of cash and a computer, he said.
At least 15 cryptocurrency exchanges are based in Federation Tower East, according to a list of businesses in the building compiled by Yandex, a Russian mapping service.
In addition to Suex and EggChange, the companies targeted by the Biden administration, cyberresearchers and an international cryptocurrency exchange company have flagged two other building tenants that they suspect of illegal activity involving Bitcoin.
The building manager, Aeon Corp., did not respond to inquiries about the exchanges in its offices.
Like the banks and insurance companies they share space with, those firms are likely to have chosen the site for its status and its stringent building security, said Mr. Smilyanets, the researcher at Recorded Future.
“The Moscow City skyscrapers are very fancy,” he said. “They can post on Instagram with these beautiful sights, beautiful skyscrapers. It boosts their legitimacy.”