UK Busts Money Laundering Network Linked to Russian Cybercrime
Read also: The MATRIX encrypted messaging network dismantled, the most wanted cybercriminal Wazawaka arrested, and more.
The UK authorities dismantle a money laundering network used by Ryuk ransomware actors
The UK’s National Crime Agency (NCA) said it identified and disrupted Russian money laundering networks supporting global organized crime. The operation, dubbed ‘Operation Destabilise,’ targeted two Russian-speaking networks, Smart and TGR, which laundered money for criminal enterprises, including the Kinahan cartel and Russian cybercriminals. The networks also helped Russian clients evade financial sanctions and funded espionage activities.
As part of the law enforcement effort, 84 individuals have been arrested, with many already imprisoned, and over £20 million in cash and cryptocurrency has been confiscated. In addition, the US Treasury's OFAC sanctioned key individuals and four businesses linked to TGR.
According to the NCA, the Ryuk ransomware operators laundered over $2.3 million of illicit profits obtained via ransomware attacks through the Smart network. Both Smart and TGR used Garantex, a crypto exchange previously sanctioned for facilitating payments linked to Russia’s invasion of Ukraine.
In other news, a sophisticated criminal network behind large-scale online fraud has been dismantled by European police. The operation targeted an online marketplace that sold stolen personal data and phishing credentials. Over 50 servers containing 200 terabytes of evidence were seized, and two suspects, aged 27 and 37, were arrested in Germany and Austria. The marketplace enabled targeted fraud by allowing users to buy data sorted by region and account balance. Coordinated actions across Europe also dismantled fake online shops used for phishing.
Law enforcement operation dismantles MATRIX encrypted messaging network
French and Dutch authorities, in collaboration with Europol and Eurojust, have dismantled the MATRIX encrypted messaging service, a sophisticated communication network used by criminals for illegal activities. The operation, conducted by a joint investigation team (JIT), monitored the platform for three months before taking it offline on December 3, 2024.
Authorities intercepted over 2.3 million messages in 33 languages, uncovering critical information linked to international drug and arms trafficking, money laundering, and other serious crimes.
Allowing access only through invitation, the service's infrastructure spanned over 40 servers in multiple countries, with key servers located in France and Germany. During the coordinated takedown, the primary servers were seized.
In France, a suspect was arrested, and their property searched. In Spain, two individuals were detained under a European Arrest Warrant issued by the Netherlands, with six residences searched. Lithuanian authorities conducted similar searches at six locations. Also, over €600,000 in cash and cryptocurrency was seized, as well as 4 cars and over 970 phones. A freezing order was put on a villa in Spain with an estimated value of €15 million.
Crimenetwork cybercrime market taken down, alleged admin arrested
German authorities have dismantled Crimenetwork, the country's largest German-language cybercrime marketplace, active since 2012. The operation resulted in the arrest of the suspected administrator, a 29-year-old known as ‘Techmin.’
Crimenetwork, with over 100,000 users and 100 registered sellers, was a hub for illegal activities, including the sale of drugs, stolen data, and illicit services. Transactions were conducted in cryptocurrencies like Bitcoin and Monero. Between 2018 and 2024, the platform facilitated transactions worth about €93 million ($98 million). It generated revenue through transaction fees, subscriptions, and advertisements, with operators reportedly profiting at least $5 million since 2018.
The arrested administrator faces multiple charges, including operating a criminal marketplace and narcotics offenses.
On the same note, Russian authorities have sentenced Stanislav Moiseyev, the leader of the criminal group behind the now-defunct Hydra Market, to life in prison and fined him 4 million rubles. Over a dozen accomplices were also convicted for their roles in producing and selling nearly a ton of drugs. They received prison terms of 8 to 23 years and fines totaling 16 million rubles. Hydra Market, once the world's largest Dark Web marketplace for drugs and money laundering, was dismantled in April 2022 through a joint operation by German and US authorities.
The most wanted cybercriminal Wazawaka arrested and charged
Russian authorities have arrested Mikhail Matveev, a cybercriminal wanted by the US for his involvement in ransomware operations tied to LockBit and Hive.
Matveev, also known as ‘Orange’ and ‘Wazawaka,’ is accused of developing and using malware to encrypt data and demand ransoms from commercial organizations. Russian prosecutors have sent his case to court for trial.
Matveev is linked to several ransomware gangs, including Babuk, and has allegedly participated in a series of attacks involving LockBit, Babuk, and Hive ransomware aimed at a US law enforcement agency, police department, and a healthcare organization from 2020 to 2022.
In 2023, the US Justice Department charged Matveev, and he has been sanctioned by the US Treasury Department for targeting law enforcement and critical infrastructure. A $10 million reward is being offered by the US Department of State for information leading to his arrest or conviction.
South Korean CEO and five others arrested for DDoS-enabled broadcast receivers
South Korean authorities have apprehended the CEO of a tech company and five other individuals for manufacturing and exporting satellite broadcasting receivers equipped with Distributed Denial of Service (DDoS) attack capabilities.
The unnamed company is accused of implementing a DDoS feature into the firmware of its product at the request of a client. The client, an illegal enterprise that provided unauthorized access to paid broadcasting services, claimed to be under cyber-attack from competitors and requested the capability to retaliate.
From January 2019 to September 2019, the company allegedly distributed over 240,000 of the modified devices to overseas markets. Investigations revealed that the malicious capability was first implemented in November 2018 and that the modified devices were not sold domestically. The company reportedly earned 6.1 billion won (approximately $4.7 million) from the scheme. The six suspects, including the CEO, face charges related to the development and distribution of malware.
In another case, a Chinese company executive and his wife have been arrested in Japan on suspicion of orchestrating a series of distributed denial-of-service (DDoS) attacks against an IT company in Kyoto City, causing significant disruptions. The male suspect, who previously interned at the company in 2019, had attempted to establish a business partnership with the victim company earlier in 2024, but his proposals were rejected. The police allege that he and his wife collaborated with an unnamed perpetrator to carry out the attacks by hiring a third party through WeChat. They reportedly paid 750 RMB (approximately 15,000 yen) per attack.