Authorities dismantle crypto exchange Bitzlato, allege it was cybercrime “haven”

JIG’S UP —

Criminal groups served allegedly include Conti, DarkSide, Phobos, and Hydra.



Federal authorities on Wednesday arrested the founder of Bitzlato, a cryptocurrency exchange they said has been a financial haven for Russia-aligned criminals engaged in ransomware and illicit drug sales on the dark web.

Anatoly Legkodymov, a 40-year-old Russian national residing in Shenzhen, China, was arrested on Wednesday in Miami, US prosecutors said. The prosecutors alleged that on Legkodymov’s watch, Bitzlato processed roughly $4.58 billion worth of cryptocurrency transactions and that a “substantial portion of those transactions constitute the proceeds of crime, as well as funds intended for use in criminal transactions.” Bitzlato is known as a virtual asset service provider (VASP).

Ransomware and cybercrime bazaars—no questions asked

The US Justice Department took action in conjunction with the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN), which enforces laws prohibiting domestic and international money laundering, terrorist financing, and other financial crimes. A centerpiece of the FinCEN agenda is enforcing sanctions against Russian entities, including ransomware groups affiliated with that country.

Ransomware groups that Bitzlato allegedly worked with include (1) the Russian-speaking DarkSide, which was responsible for the Colonial Pipeline cyberattack in 2021 that caused gas shortages in the southeastern US; (2) Phobos, whose ransomware has attacked hospitals; and (3) Conti, which has pledged its allegiance to Russia following that country’s invasion of Ukraine.

“Bitzlato plays a critical role in facilitating transactions for the Conti ransomware group and other global ransomware actors, including actors that operate out of Russia,” FinCEN acting director Himamauli Das wrote. “As a result, FinCEN assesses that Bitzlato serves as a VASP that ultimately enables the profitability of ransomware attacks and, at least in the case of Conti, advances the political and economic destabilization interests of the Government of Russia.”

Besides those groups, Das said, Bitzlato also worked with sanctioned cryptocurrency exchange Chatex and Hydra, a massive cybercrime marketplace that facilitated sales of more than $5 billion of illicit goods and services for some 17 million customers before it was shut down last year.

“A substantial portion of the cryptocurrency that Hydra received was sent directly from wallets at Bitzlato,” FBI Special Agent Ryan Rogers wrote in an affidavit. “Hydra was Bitzlato’s largest counterparty for cryptocurrency transactions, and Bitzlato served as Hydra’s second-largest counterparty. Hydra buyers routinely funded their illicit purchases from cryptocurrency accounts hosted at Bitzlato, and in turn, sellers of illicit goods and services on the Hydra site routinely sent their illicit proceeds to accounts at Bitzlato.”

The affidavit alleged that Legkodymov was personally aware that his exchange was processing funds from illicit activities. The court document cited the Bitzlato website, which advertised “simple registration without KYC,” using the abbreviation for a requirement called “know your customer,” which mandates that financial institutions know the identity of their customers.

Other evidence included a portion of a seized 2019 chat discussion in which Legkodymov allegedly told a colleague: “All traders are known to be crooks. Trading on ‘drops,’ etc. You do realize that they all (I think 90%) do not trade on their [identity] cards.” The colleague allegedly replied, “Yes.”

Prosecutors also alleged that Bitzlato did substantial business with US-based customers and that service representatives repeatedly advised users they could transfer funds from US-based financial institutions. Legkodymov allegedly administered the business from Miami last year and this year and personally received reports of his website receiving large numbers of visits from US-based IP addresses. Last August, for instance, the founder allegedly received an email reporting 264 million visits from such IP addresses, making the US the fourth most common source of Internet traffic for Bitzlato.

Concurrent with the actions taken in the US on Wednesday, authorities in France worked with Europol and partners in Spain, Portugal, and Cyprus to dismantle Bitzlato’s domain name and digital infrastructure and to seize Bitzlato’s cryptocurrency.

Legkodymov is charged with conducting an unlicensed money-transmitting business. If convicted, he faces a maximum penalty of five years in prison. The Russian national was scheduled to make his first court appearance on Wednesday.

Dan Goodin
