P2P Cryptocurrency Exchange Chatex and Two Russian Nationals Indicted and Sanctioned for Roles in Ransomware Operations

Today, the Department of Justice (DOJ) and U.S. Treasury’s Office of Foreign Asset Control (OFAC) announced joint indictments, arrests, and sanctions designations against organizations and individuals associated with ransomware attacks against U.S. companies.

Telegram bot-based P2P cryptocurrency exchange Chatex, which shares a founder with recently sanctioned OTC service Suex, has now been added to the Specially Designated Nationals and Blocked Persons (SDN) List, thereby prohibiting Americans from doing business with the company. Additionally, three other companies were sanctioned for their role in setting up key infrastructure Chatex relied on to operate.

Two cybercriminals, Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin, were also sanctioned for their role in carrying out ransomware attacks against U.S. companies. In addition, the DOJ announced indictments against both men, arrested Vasinskyi, and seized $6.1 million in funds traceable to alleged ransom payments received by Polyanin. Both men acted as affiliates for the prolific ransomware strain Sodinokibi/REvil, which experts believe is run by the same cybercriminal organization behind the now defunct Gandcrab ransomware strain.

There were also new cryptocurrency addresses added to existing SDN list entries. Specifically, Artem Mikhaylovich Lifshits, a Russian national charged and added to the SDN List last year for his alleged role in a conspiracy to use the stolen identities of real U.S. persons to open fraudulent accounts at banking and cryptocurrency exchanges, and SouthFront, a Russia-based disinformation site added to the SDN List earlier this year, had new cryptocurrency addresses added to the SDN List as identifiers.

In addition to the actions described above, FinCEN released a new Advisory on ransomware trends, highlighting red flag indicators of ransomware-related illicit activities in order to assist financial institutions and exchanges in identifying and reporting suspicious activity.

Below, we’ll break these designations down further and tell you why this is good news in the fight against ransomware.

What is Chatex?

Chatex is a Russia-based Telegram chat bot that enables users to carry out peer-to-peer (P2P) cryptocurrency transactions within the Telegram app. On its website, Chatex claims to be the largest such service in the world, with over 366,000 users. Chatex was founded by Egor Petukhovsky, the same individual who founded Suex, an OTC service sanctioned in September for its role in laundering cryptocurrency on behalf of a wide variety of cybercriminals, including ransomware operators.

Using Chainalysis Reactor, we can see that Chatex’s addresses first became active in September 2018. Since then, the service has received at least $77.5 million worth of Bitcoin, with more than $17 million coming from illicit sources, including darknet markets (primarily Hydra Marketplace), scams (primarily Finiko and and various ransomware strains.

Sanctions on individuals involved in ransomware

OFAC also added to the SDN List two individuals associated with the Sodinokibi/REvil ransomware strain: Yaroslav Vasinskyi and Yevgeniy Polyanin. This strain has been responsible for some of the highest-profile attacks of the past year, including the attacks on meatpacking corporation JBS and IT management software provider Kaseya. In fact, according to OFAC and DOJ’s press releases on today’s designations and indictments, Vasinskyi played a direct role in the Kaseya attack specifically.

Chainalysis Reactor shows that both individuals received substantial amounts of cryptocurrency. Across all addresses named in his SDN designation, Polyanin received over $11.5 million worth of Bitcoin and over $2 million worth of USDT_ETH, while Vasinskyi received over $900,000 worth of Bitcoin.

Addresses added to the OFAC SDN List through today’s actions

Below, we list the cryptocurrency addresses added to the OFAC SDN List as part of today’s actions, grouped by the organization or individual to which they belong.

Addresses Associated with Chatex

  • 3E7YbpXuhh3CWFks1jmvWoV8y5DvsfzE6n (BTC)
  • 3NRJ8aXdUiZdHaiFX9ePX3DhGHzcEi14Fq (BTC)
  • 3K7PMJyMNVnxqsfpmK9r9nJDtzDw9wNwNV (BTC)
  • 3H3rh85qPaGLy2w6618yZNaH7i8asHv46B (BTC)
  • 3MTrJTFhYK9v1C6pjHtuweZSopfZa4b1wb (BTC)
  • 347QFbejDBdMZFTxpmn6evvvqyXiqZTCd7 (BTC)
  • 33xWfziVZesgo83U5izdNCBVTnrtBpSwK7 (BTC)
  • 32wdqwX3zCEX3DhAVEcKwXCEGdzgBnx1R9 (BTC)
  • 3N9YcPBDky9UsMx1RTk33tL4jDkZfSnsPk (BTC)
  • bc1q90zrdysy4flyacw7hsury3ajs9yzwtwp6guqpypx94w0d3p58hysvz6pde (BTC)
  • bc1qw7vfgv3r5vnehafl0y95sclg3uqsj87wxs9ad628yjjcq33cwessr6ndyw (BTC)
  • bc1q86tl9255vg5wldamfymaaz36uqxzm30gs7fhkljvzdlt9t38s3lqgdwdfq (BTC)
  • 3M7CGBPUJwXXSroWuZ6H5jiprdKCyf7V5M (BTC)
  • 34kWCKF2wCbe6uinit2uL4ND6d8yxsuxKM (BTC)
  • bc1qe95l438kzjcvnsm3kn8n5augf9gpctdlhsq7f7hpnkyvlr7rc7cqupapf7 (BTC)
  • 32VgTk8kGvBsqkHhkvtNooGdtqZm46jTVo (BTC)
  • 3NPognMSbzyA2JYW2fpkVKWyBMi2XTq2Zt (BTC)
  • 3MzLtBQ4Lz9J6w4Qu55TktgxFKZwxYWrP6 (BTC)
  • 36YGN5dGzqrxMomTHdkT6cYVMnWBw8S7hD (BTC)
  • bc1q4rzdtlt0uslyw86cp29sctl6ct29g9a95cuup7pn5md9ddj7xgmqpp5m73 (BTC)
  • 39KQvziHwUe2vddbpfC5WkQEV72qbQhxuh (BTC)
  • 3Qw9Fn19gCnga9LfHfpM99aGzuqxBNjR2i (BTC)
  • 0x67d40EE1A85bf4a4Bb7Ffae16De985e8427B6b45 (ETH)
  • 0x6f1ca141a28907f78ebaa64fb83a9088b02a8352 (ETH)
  • 0x6acdfba02d390b97ac2b2d42a63e85293bcc160e (ETH)
  • 0x48549a34ae37b12f6a30566245176994e17c6b4a (ETH)
  • 0x5512d943ed1f7c8a43f3435c85f7ab68b30121b0 (ETH)
  • 0xc455f7fd3e0e12afd51fba5c106909934d8a0e4a (ETH)
  • 3LtcaPbCj87CwJHnRX3vh7c2y9RZQqeSy8 (USDT)
  • rnXyVQzgxZe7TR1EPzTkGj2jxH4LMJYh66 (XRP)

Addresses Associated with Yevgeniy Igorevich Polyanin

  • 158treVZBGMBThoaympxccPdZPtqUfYrT9 (BTC)
  • 389Sft4nJFkPGhbagk9FN4jXncA9piYTuU (BTC)
  • 39Te8MbphSgs7npDJPj2hbNzhke61NTcnB (BTC)
  • 31p6woV4e55HUfC2aGynFhzQnGoJFW26cD (BTC)
  • 3DNsaQnaUz7wkQny1ZDSmtz6QfbEShxoDD (BTC)
  • 3AjyprBY5yhijiCjUC5NUJutGbwhd3AQdE (BTC)
  • 0xfec8a60023265364d066a1212fde3930f6ae8da7 (USDT_ETH)

Addresses Associated with Yaroslav Vasinskyi

  • 35QpLWYkvD3ALhjbge5bK2kd7HfHYcDMu3 (BTC)
  • 3NQ1aa9ceirMJ1JvRq3eXefvXj1L639fzX (BTC)
  • 3BsyZ7qRFSi3NsaoV1Ff724qAgrEpjVUHm (BTC)
  • 372Wk9NLrMkJzKgqJdatWJy4bYRfxFjgat (BTC)

Addresses Associated with Artem Mikhaylovich Lifshits

  • 12udabs2TkX7NXCSj6KpqXfakjE52ZPLhz (BTC)
  • 1DT3tenf14cxz9WFNxmYrXFbB6TFiVWA9U (BTC)
  • 0x901bb9583b24d97e995513c6778dc6888ab6870e (ETH)
  • 0xa7e5d5a720f06526557c513402f2e6b5fa20b008 (ETH)
  • ​​Leo3j36nn1JcsUQruytQhFUdCdCH5YHMR3 (LTC)
  • Xs3vzQmNvAxRa3Xo8XzQqUb3BMgb9EogF4 (DASH)

Addresses Associated with SouthFront

  • 3Gbs4rjcVUtQd8p3CiFUCxPLZwRqurezRZ (BTC)
  • bc1qv7k70u2zynvem59u88ctdlaw7hc735d8xep9rq (BTC)
  • bc1qw4cxpe6sxa5dg6sdwxjph959cw6yztrzl4r54s (BTC)
  • 0x9f4cda013e354b8fc285bf4b9a60460cee7f7ea9 (ETH)
  • 0x9f4cda013e354b8fc285bf4b9a60460cee7f7ea9 (ETH)
  • 0x3cbded43efdaf0fc77b9c55f6fc9988fcc9b757d (ETH)
  • qpf2cphc5dkuclkqur7lhj2yuqq9pk3hmukle77vhq (BCH)
  • qpf2cphc5dkuclkqur7lhj2yuqq9pk3hmukle77vhq (BCH)
  • qzjv8hrdvz6edu4gkzpnd4w6jc7zf296g5e9kkq4lx (BCH)
  • qq3vlashthktqpeppuv7trmw070e3mydgq63zq348v (BCH)
  • 884Bz8UH63aYsjVdkfWfScRYWZGGNbjFL7pztqvWNSrtYT4reFSwyvkCj9KEGUtheHhhMUj87ciTBFyzoesrMJ4L1FvSoxL (XMR)
  • 49HqitRzdnhYjgTEAhgGpCfsjdTeMbUTU6cyR4JV1R7k2Eej9rGT8JpFiYDa4tZM6RZiFrHmMzgSrhHEqpDYKBe5B2ufNsL (XMR)

Chainalysis is in the process of labeling these addresses in all of our products as being associated with a sanctioned entity and will be alerting any customers with exposure to these addresses.

The fight against ransomware continues

Today’s DOJ indictments and OFAC designations, together with FinCEN’s Advisory, represent three important strategies government agencies are taking against ransomware: Detect, Disrupt, Deter.

Financial institutions, cryptocurrency exchanges, and incident response firms play a vital role in helping law enforcement identify illicit activity and develop a full picture of illicit organizations. Using the red flags highlighted by FinCEN, the private sector can better detect ransomware activity and alert the authorities in a timely manner. That reporting enables agencies to do what OFAC and DOJ did today: disrupt ransomware operators and the services that enable them to launder ill-gotten funds by arresting, indicting, and sanctioning the relevant individuals and entities. These actions not only make it harder for existing ransomware operators to carry out attacks and access stolen funds, but also deter affiliates and other potential operators from carrying out future attacks. We commend the Treasury Department for today’s designations and look forward to continuing our work with government agencies leading the fight against ransomware.