Russian Crypto Operation: An Endgame

October 3, 2024

This essay is the work of a dumb dinobaby. No smart software required.

The US Department of the Treasury took action against PM2BTC, identifying it as “a Russian virtual currency exchanger associated with Russian individual Sergey Sergeevich Ivanov (Ivanov)” and “as being of ‘primary money laundering concern’ in connection with Russian illicit finance.” Treasury’s news release about the multi-national action is located at this link. Fogint has compiled a list of details about this action.

The write up says:

Today, the U.S. Department of the Treasury is undertaking actions as part of a coordinated international effort to disrupt Russian cybercrime services. Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing an order that identifies PM2BTC—a Russian virtual currency exchanger associated with Russian individual Sergey Sergeevich Ivanov (Ivanov)—as being of “primary money laundering concern” in connection with Russian illicit finance. Concurrently, the Office of Foreign Assets Control (OFAC) is sanctioning Ivanov and Cryptex—a virtual currency exchange registered in St. Vincent and the Grenadines and operating in Russia. The FinCEN and OFAC actions are being issued in conjunction with actions by other U.S. government agencies and international law enforcement partners to hold accountable Ivanov and the associated virtual currency services.

Here’s a selection of the items which may be of interest to cyber crime analysts and those who follow crypto activity.

  • Two individuals were added to the sanctions list: Sergey Ivanov and Timur Shakhmametov. A reward has been offered for information leading to the arrest of these individuals; the payment could exceed US$9 million
  • The PM2BTC and Cryptex entities have worked with or been associated with other crypto entities, possibly including Garantex, UAPS (an underground payment processing service), Hydra, FerumShop, and Bitzlato
  • Among the agencies and countries working on this operation (Endgame) were Europol, Germany, Great Britain, Latvia, the Netherlands, and the US
  • In 2014, the two persons of interest wanted to set up an automated (“smart”) service and may have been working with Perfect Money and Paymer
  • The activities of Messrs. Ivanov and Shakhmametov involved “carding” and other bank-related fraud

Russian regulations provide wiggle room for certain types of financial activity not permitted in the US and the other countries associated with this takedown.

Several observations:

  1. The operation was large; the volume of illegal transactions possibly ran into the billions of dollars
  2. The network of partners and affiliated firms illustrates the appeal of illegal crypto services
  3. One method of communication used by PM2BTC was Telegram Messenger.
  4. “The $9 Million US reward / bounty for those two Russian crypto exchange operators wanted by US DOJ is a game changer due to the enormous reward,” Sean Brizendine, blockchain researcher, told the FOGINT team.

Additional information may become available as the case moves forward in the US and Europe. FOGINT will monitor public information which appears in Russia and other countries.

Stephen E Arnold, October 3, 2024

FOGINT: New Lingo for Crypto Laundering

October 2, 2024

Moving Bricks: Money-Laundering practices in the Online Scam Industry? uses a number of interesting terms. These may be of value for those who monitor bad actors’ behavior when crypto payments are laundered. The terms which caught FOGINT’s attention were:

Bricks. A block of crypto to be laundered.

Channel. A “gateway” through which laundered money flows.

Frozen. A dead bank account.

Gateway. A channel through which the crypto flows.

Motorcades. Bank account providers.

Money farm. A traditional or modern money laundering operation.

Moving bricks. The business process of laundering crypto.

Pankou. Scam groups preying on money laundering businesses and individual operators.

Right buyers. Entities which would receive funds to be laundered.

Risk control risk. The friction created by law enforcement’s anti-money-laundering efforts.

Sellers. Entities which provide accounts set up to launder crypto.

Telegram. The next-generation stock exchange, a ready-made technology platform.

Trading groups. Private groups on Telegram working in money laundering.

Trading rules. Guidelines the laundering service provider enforces.

Water house. Another term for a company which maintains and accesses bank accounts.

As we notice other terms, the FOGINT team will post them.

Stephen E Arnold, October 2, 2024

Hamster Kombat: Does It Matter?

October 2, 2024

This essay is the work of a dumb dinobaby. No smart software required.

The Fogint team pays attention to crypto plays like Hamster Kombat. Those engaged in cyber fraud investigations, analysis, and research may want to take a quick look at what is called a “click to earn” game. I was asked the question at a recent lecture to cyber fraud professionals, “Why should I care about Hamster whatever?” This free, public blog is not the place for a detailed answer. However, I am willing to share several observations offered by Coin Telegraph.

First, check out this chart, which runs from zero users in late March 2024 to a few weeks ago. The hockey stick reflects the reported figure of 300 million users. Anecdotal information suggests that one third may be agentic; that is, bots. And “only” 100 million are people looking to make a quick buck on a crypto play.

[Chart: Hamster Kombat user growth, late March 2024 through June 2024]

Note that the chart only shows growth through June 2024. The number cited above is derived by normalizing user estimates from a range of sources which the Fogint team has compiled and reviews on a daily basis.

Second, the word “game” does not convey exactly what Hamster Kombat and similar “games” offer their users. Cointelegraph.com reports that an expert named Sébastien Borget uses the phrase “play to earn games.” The question some may pose is, “What is a play to earn game?” The answer: the user’s clicks on icons or other in-app actions generate money, in the form of crypto, for those who play. The easiest way to understand the business model is to get a burner mobile phone, a pay-as-you-go SIM, a disposable email address, and the Telegram app. Search for Hamster Kombat and “play.” If you cannot figure out the interface, ask a mobile-dependent teen.

Third, this facet of Telegram is one that helps differentiate its “games” from those available on other platforms. Everything in Hamster Kombat is about revenue generation: the belief that the HMSTR coin will become increasingly valuable, the addictive nature of clicking, buying in-game items from Hamster Kombat, and becoming “addicted” to or dependent upon The Open Network (TON), a “spin off” or “spin up” from Telegram and its plumbing.

The Fogint team believes that Telegram itself will be watching how the TON blockchain handles validation more closely than it watches the fate of Pavel Durov (Telegram’s founder, who is possibly enjoying the ministrations of the French bureaucracy). This process is not going to be explained in this blog post, but for those who are curious, just email benkent2020 at yahoo dot and a Fogint professional will respond with options for getting more information about what is likely to be a significant digital fraud event in 2025. “INDOAX Exchange, the first exchange to list Hamster Kombat coin, does not allow US residents to open accounts,” Sean Brizendine, blockchain researcher, told the FOGINT team.

When this post becomes public, the mining of HMSTR coins will be underway. Hamster Kombat is a combination of old-fashioned online games, crypto mining, and human enthusiasm to get rich quick. And what does one need to join in the craze? The Telegram application and the mini app Hamster Kombat.

Stephen E Arnold, October 2, 2024

FOGINT: Telegram Changes Its Tune

October 1, 2024

This essay is the work of a dumb dinobaby. No smart software required.

Editor note: The term Fogint is a way for us to identify information about online services which obfuscate or mask some online activities. The idea is that end-to-end encryption, devices modified to disguise Internet identifiers, and specialized “tunnels” like those associated with US MILNET methods lay down “fog.” A third party, even one properly authorized by a governmental entity, is denied lawful intercept, access, or monitoring of the obfuscated messages. Here’s a Fogint story about the poster boy for specialized messaging, Pavel Durov.

Coindesk’s September 23, 2024, article “Telegram to Provide More User Data to Governments After CEO’s Arrest” reports:

Messaging app Telegram made significant changes to its terms of service, chief executive officer Pavel Durov said in a post on the app on Monday. The app’s privacy conditions now state that Telegram will now share a user’s IP address and phone number with judicial authorities in cases where criminal conduct is being investigated.

Usually described as a messaging application, Telegram is linked to a crypto coin called TON or TONcoin. Furthermore, Telegram — if one looks at the entity from 30,000 feet — consists of a distributed organization engaged in messaging, a foundation, and a recent “society” or “social” service. Among the more interesting precepts of Telegram and its founder is a commitment to free speech and a desire to avoid being told what to do.


Art generated by the MSFT Copilot service. Good enough, MSFT.

After being detained in France, Mr. Durov has made several changes in the way in which he talks about Telegram and its precepts. In a striking shift, Mr. Durov, according to Coindesk:

said that “establishing the right balance between privacy and security is not easy,” in a post on the app. Earlier this month, Telegram blocked users from uploading new media in an effort to stop bots and scammers.

Telegram had a feature which allowed a user of the application to locate other users nearby. This feature has been disabled. One use of this feature was to locate a person offering personal services on Telegram. A person interested in the service could use the “nearby” function and pinpoint where the individual offering the service was located. Creative Telegram users could put this feature to a number of interesting uses; for example, purchasing an illegal substance.

Why is Mr. Durov abandoning his policy of ignoring some or most requests from law enforcement seeking to identify a suspect? Why is Mr. Durov eliminating the nearby function? Why is Mr. Durov expressing a new desire to cooperate with investigators and other government authority?

The answer is simple. Once in the custody of the French authorities, Mr. Durov learned of the penalties for breaking French law. Mr. Durov’s upscale Parisian lawyer converted the French legal talk into some easy to understand concepts. Now Mr. Durov has evaluated his position and is taking steps to avoid further difficulties with the French authorities. Mr. Durov’s advisors probably characterized the incarceration options available to the French government; for example, even though Devil’s Island is no longer operational, the Centre Pénitentiaire de Rémire-Montjoly, near Cayenne in French Guiana, moves Mr. Durov further from his operational comfort zone in the Russian Federation and the United Arab Emirates.

The Fogint team does not believe Mr. Durov has changed his core values. He is being rational and using cooperation as a tactic to avoid creating additional friction with the French authorities.

Stephen E Arnold, October 1, 2024
