U.S. Government Targets Russian Influence Operations with Cryptocurrency Nexus

Today, in coordination with the issuance of a new Executive Order and a six-count federal indictment from the Department of Justice, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) took sweeping action against 16 entities and 16 individuals who attempted to influence the 2020 U.S. presidential election at the direction of the leadership of the Russian Government. Three of the entities and one of the individuals that were added to the Specially Designated Nationals and Blocked Persons List (SDN List) have digital currency addresses associated with them.

The entities and individual are:

  • SouthFront, an online disinformation site registered in Russia that receives taskings from the Federal Security Service (FSB), a Russian security service.
  • The Association for Free Research and International Cooperation (AFRIC), a front company for Yevgeniy Prigozhin’s influence operations in Africa. Prigozhin is a Russian financier of the Internet Research Agency (IRA), the Russian troll farm that OFAC previously designated for interfering in the 2016 presidential election. Prigozhin has also been previously designated.
  • Secondeye Solution (SES), also known as Forwarderz, is a Pakistan-based synthetic identity document vendor that provided fake identity documents for people to sign up for accounts with cryptocurrency exchanges, payment providers, banks, and more under false identities. SES assisted the IRA in concealing its identity to evade sanctions. According to the Department of Justice indictment, SES provided documents to over 200 countries and territories.
  • Mujtaba Ali Raza, the owner and operator of SES.

Below, we list information about the digital currency addresses included on the SDN List. These addresses, as well as additional addresses we identified as associated with these entities, are now labeled in Chainalysis products.

We also provide a case study on SES to demonstrate how blockchain analysis can reveal insights into their operations and scale.

Addresses Added to the SDN List

Here’s the full list of all addresses added to the SDN list as part of this enforcement action:

  • 3Gbs4rjcVUtQd8p3CiFUCxPLZwRqurezRZ
  • 0x9f4cda013e354b8fc285bf4b9a60460cee7f7ea9
  • qpf2cphc5dkuclkqur7lhj2yuqq9pk3hmukle77vhq
  • t1MMXtBrSp1XG38Lx9cePcNUCJj5vdWfUWL
  • XyARKoupuArYtToA2S6yMdnoquDCDaBsaT
  • 1G9CKRHA3mx22DoT1QyNYrh85VSQ19Y1em
  • 1EYitrwBYNWuTBcjZFbEUdqHppe2raLpaF
  • 182NGZbPJXwg2WDrhrPpR7tpiGQkNPF844
  • 1NayLEVF3bEEbDtdF2Cwso1VdEtvVNh2qX
  • 16PhXY3hNNMTo8kpuJx2emh713KbWpkqci
  • 1GqChmWqGtsaLrGbHfgdrV5Nkvahtjjuxr
  • 18Ke1QWE9nQfXuhJijHggZuPJ5ZYxapoBK
  • 19D8PHBjZH29uS1uPZ4m3sVyqqfF8UFG9o
  • 1QJUiNsNfji6mR1FjAwf6Eg9NxxHPoxpWL
  • 1DtGgdCi9VPKz2Bpq8GQhUQEPnQ5HwaT9n
  • 1NE2NiGhhbkFPSEyNWwj7hKGhGDedBtSrQ
  • LgwmgYnraU2uBWHVFUDgAmFCPYj5Yw8C9L
  • LeKvNdNEzgQkzVVnRdV3fAu2DSF1nLsNw6
  • LQAhYwwK5AR1JQiQPr7vu8Pu4b6qcxxvNB
  • 0x7Db418b5D567A4e0E8c59Ad71BE1FcE48f3E6107
  • 0x1da5821544e25c636c1417Ba96Ade4Cf6D2f9B5A
  • 0x72a5843cc08275C8171E582972Aa4fDa8C397B2A
  • 0x7F19720A857F834887FC9A7bC0a0fBe7Fc7f8102
  • 18M8bJWMzWHDBMxoLqjHHAffdRy4SrzkfB
  • 1KSAbh5trMCTZwhiNsuUQvfTtSSTT8zqRk
  • 1BiUFjzH6wsT73U3tfy4aXHCQsYQHzjk5h
  • LeKvNdNEzgQkzVVnRdV3fAu2DSF1nLsNw6
  • DFFJhnQNZf8rf67tYnesPu7MuGUpYtzv7Z

Below, we break down those addresses by the specific entity each is associated with and summarize their transaction history.

Addresses Associated with SouthFront

Addresses Associated with AFRIC

Addresses Associated with SES

*Note this address is listed on the SDN List under both SES and Raza.

Addresses Associated with Mujtaba Ali Raza

*Note this address is listed on the SDN List under both SES and Raza.

Secondeye Case Study

Surprisingly, Secondeye operated openly on the clearnet, rather than on the dark web like many other fraud shops and illegal businesses we study. The company was also explicitly clear in promoting its products to people looking to sign up for fintech and cryptocurrency platforms using falsified documents. In fact, Secondeye’s documents were only in digital JPEG format, with no physical documents provided, making it difficult to imagine use cases other than fooling remote photo or video-based KYC checks. The company even offered to sell users fake selfies in which they appear to be holding identifying documents, as are commonly required for remote KYC checks during onboarding.

Another key difference: Unlike most fraud shops we track on the dark web, Secondeye helped its customers carry out synthetic identity fraud as opposed to stolen identity fraud. Whereas stolen identity fraud involves the use of stolen information to steal an existing person’s identity, perpetrators of synthetic identity fraud typically use a mix of real and fake information, such as social security numbers and names, to create new false identities in order to commit fraud.

As we see in the screenshot below, Secondeye offered several different types of fake identification documents.

After customers chose the documents they wanted to purchase, Secondeye would ask them to specify the services at which they planned to use them so that the documents could be tailored accordingly. Most fake documents were priced between $30 and $80. Customers could pay using cryptocurrencies like Bitcoin, Ethereum, Litecoin, and Bitcoin Cash, or with online payment services like WebMoney, PerfectMoney, and Payoneer.

The DOJ indictment notes that threat actors associated with Russia’s Internet Research Agency (IRA) bought fake identification documents from the company in order to set up online accounts under assumed identities. The IRA is a “troll farm” that uses digital and social media manipulation to push public opinion on behalf of the Russian government, and is known for having interfered in the 2016 U.S. election. OFAC previously sanctioned the IRA in March 2018, September 2019, and September 2020, and according to the Treasury, selling to the IRA is the specific offense that has now landed Secondeye on the SDN List.

Secondeye’s cryptocurrency transaction history

Using Chainalysis Reactor to analyze the cryptocurrency addresses cited in OFAC’s designation and those we have identified, we see that Secondeye received over $2.5 million worth of cryptocurrency across 31,000 transactions since becoming active in 2013. That works out to roughly $80 per transaction, which fits the pricing listed on its website.

The Reactor graph above shows the incoming transactions for Bitcoin addresses associated with Secondeye and its administrator, Raza, which are positioned in a row at the bottom of the image. Some of the addresses Secondeye used to accept payment were unhosted wallets, while others were hosted at large cryptocurrency exchanges. At the top, we see that most of Secondeye’s customers sent cryptocurrency from their addresses at other large exchanges. Secondeye has one active Bitcoin address as of April 14, 2021, hosted at a large exchange that has received over $1.3 million worth of Bitcoin across more than 13,000 transactions.  The red lines on the graph show direct transactions from other exchanges to the active address. Secondeye addresses have also received significant funds from darknet markets, mixers, and several high-risk exchanges.

Nation state actors and synthetic identity providers present challenges for cryptocurrency businesses

The cases today’s law enforcement actions address underline the compliance and safety challenges nation state actors represent for cryptocurrency businesses. Despite its inherent transparency, cryptocurrency is still attractive to groups like those associated with Russia’s influence operations due to its pseudonymous nature and ease of use. It’s vital for our industry that cryptocurrency businesses recognize this threat and adopt rigorous compliance measures to ensure their platforms aren’t abused by nation state actors.

Those rigorous compliance measures have to include robust solutions for remote KYC information collection. Currently, there are no comprehensive, international standards for digital identification documents, though some countries have proposed legislation to change that. That lack of standards has created a global cybersecurity risk. Whether they fall into the synthetic or stolen category, fake digital identity documents allow cybercriminals — including, as we saw in this case, nation state threat actors — to abuse cryptocurrency businesses by skirting their compliance processes and evading bans put in place to prevent money laundering and terrorist financing. As cryptocurrency and other digital payments systems continue to grow, the Financial Action Task Force (FATF) has recognized the problem and called for a more standardized digital identification system. We hope that the shutdown and sanctioning of Secondeye reinforces the need for such measures.

As criminology researchers Thomas Holt and Jin Lee note in a recent study, vendors specializing in fraudulent identity documents remain an under-analyzed part of online illicit market research. However, we’re working to change that. That’s why we recently rolled out a new “fraud shops” category in all Chainalysis products, to supplement the larger “darknet markets” category that fraud shops were formerly housed in. While the Secondeye addresses specifically will be in our Sanctions category due to their OFAC status, all other fraud shops we identify will be included in the new fraud shops category.