Tech
Russian money launderers bought a bank to disguise ransomware profit | Computer Weekly
A billion-dollar money laundering network active in the UK bought a bank in the Central Asian state of Kyrgyzstan to facilitate the washing of profits from cyber crime and other criminal activity, and convert it into cryptocurrency that was used to evade sanctions on Russia in support of the Putin regime’s war on Ukraine, according to the National Crime Agency (NCA).
So-called cash-to-crypto swaps are a core part of the global criminal ecosystem. In 2024, the NCA and its European and North American partners came down hard on two full-service Russian-run money laundering networks, TGR and Smart, which washed money on behalf of multiple ransomware crews, including the likes of Evil Corp, Conti and Ryuk, in an ongoing series of actions dubbed Operation Destabilise.
In the past 12 months, Operation Destabilise has seen 45 suspected money launderers arrested and £5.1m in cash seized. Since its inception, 128 arrests and over £25m have been seized in cash and crypto assets in the UK, plus millions more abroad.
“Today, we can reveal the sheer scale at which these networks operate and draw a line between crimes in our communities, sophisticated organised criminals and state-sponsored activity,” said NCA deputy director for economic crime, Sal Melki.
“The networks disrupted through Destabilise operate at all levels of international money laundering, from collecting the street cash from drug deals, through to purchasing banks and enabling global sanctions breaches.”
The connection into Kyrgyzstan, a former Soviet state sandwiched between Kazakhstan and China, was uncovered in August, when a company linked to TGR ringleader George Rossi, Altair Holding SA, was sanctioned in the UK as part of a crackdown on known Russian efforts to circumvent Western sanctions by exploiting the Kyrgyz financial system.
It can now be revealed that Altair bought a 75% stake in Kyrgyzstan-based Keremet Bank on 25 December 2024. The NCA has subsequently found that Keremet facilitated extensive cross-border payments on behalf of state-owned Promsvyazbank.
Promsvyazbank, which was nationalised by the Russian government in 2018, was also sanctioned by the US and UK following the invasion of Ukraine, and has been accused of links to Russian attempts to rig elections in Moldova through the populist, pro-Russian politician and oligarch Ilon Shor, who also orchestrated the theft of over $1bn from the country’s banking system in 2014.
Shor’s A7 company at one time collaborated with Promsvyazbank on the launch of a rouble-backed cryptocurrency stablecoin, A7A5, and networks linked to the firm have likely been designed to allow cross-border payments to circumvent sanctions in support of Russia’s military-industrial complex, said the NCA.
Beyond ransomware
It was cyber crime, specifically the network’s links to Evil Corp and bitcoin payments made by its victims, that first led the NCA and its partners to the activity, when they spotted the profits of ransomware attacks going into an individual crypto exchange account that was linked to UK-based money launderers it had already identified.
However, the activities of TGR and Smart extend into other areas of organised criminality across the UK, including the drugs and firearms trade and immigration fraud. The NCA would not, however, be drawn at this stage on any involvement in its other investigations into cyber criminal activity or any of the major cyber attacks that have unfolded this year in the UK.
Besides funnelling these funds into propping up Russia’s war on Ukraine – the agency described a “clear thread” between small-time Friday night cocaine deals in UK bars and clubs to Russian missile strikes on Ukrainian civilians – the network also made money available to wealthy Russians living in the West as a concierge service, and even incorporated some of it back into the UK banking system through traditionally cash-rich businesses, such as small building firms.
The identified and arrested individuals linked to money laundered through the network include two Russian nationals who bought cars and vans in the UK, shipped them to Ukraine and sold them to the Ukrainian government, which was unaware it was funding its enemy’s war effort.
Operation Destabilise also ensnared a number of Brits, such as Scottish footballer James Keatings, who investigators witnessed transferring boxes of cash from a van during a June 2024 handover of almost £400,000.
Keatings, a former member of Celtic’s youth development programme who went on to play for both Heart of Midlothian and Hibernian during his career, was jailed for 13 months earlier this year after he admitted possessing and transferring criminal property at Falkirk Sheriff Court.
Like Keatings, many of the network’s UK operatives were mules tasked by the network’s “managers” with driving all over the country to pick up cash from lower-level criminals.
They have been targeted by NCA poster campaigns in locations they frequent, often in motorway service station toilets. The NCA said its objective had been to “make these courier networks sweat”, and it has seen some success in scaring them off.
“Millions of Britons will have seen these messages at service stations, but rest assured, they were not for you,” said Melki. “To the launderers who will have seen them, your choice is simple: either stop this line of work, or prepare to come face to face with one of our officers and the reality of your choices. Easy money leads to hard time.”