New analysis suggests that 74% of all money made through ransomware attacks in 2021 went to Russia-linked hackers.
Researchers say more than $400 million worth of crypto-currency payments went to groups “highly likely to be affiliated with Russia”.
Russia has denied accusations that it is harbouring cyber-criminals.
Researchers also claim “a huge amount of crypto-currency-based money laundering” goes through Russian crypto-companies.
Follow the money
Chainalysis, which carried out the research, said it was able to follow the flow of money to and from the digital wallets of known hacking groups using public blockchain transaction records.
Analysts say they know which hacking groups are Russian because they display various characteristics, for example:
- Their ransomware code is written to prevent it from damaging files if it detects the victim’s computers are located in Russia or a CIS country
- The gang operates in Russian on Russian-speaking forums
- The gang is linked to Evil Corp – an alleged cyber-crime group wanted by the US
The research is further evidence that many cyber-criminal groups operate either in Russia or in the surrounding Commonwealth of Independent States (CIS) – an intergovernmental organization of Russian-speaking, former Soviet countries.
However, the report only looks at the flow of money to cyber-criminal gang leaders, and many run affiliate operations – essentially renting out the tools needed to launch attacks to others – so it’s not known where the individual hackers who work for the big gangs are from.
A major international operation was launched in 2021 to stop ransomware hackers, after many high-profile and disruptive attacks – for example on Ireland’s health service and an oil pipeline in the US.
Alleged hackers were arrested in Romania, Ukraine, South Korea and Kuwait.
The US has also successfully retrieved millions of dollars from the digital wallets of multiple ransomware criminals.
For years Russia has denied that it was harbouring hackers.
Russian President Vladimir Putin told reporters at his 2021 summit with US President Joe Biden that his own intelligence shows “Russia is not listed in this ranking of countries that see the most significant number of cyber-attacks from their territory.”
However, last month Russian authorities announced they’d dismantled ransomware group REvil at the request of the United States.
The operation is an extremely rare case of the US and Russia collaborating on cyber-crime.
In the Chainalysis report, it’s highlighted that 9.9% of all known ransomware revenue is going to Evil Corp – an alleged cyber-crime group which the US has issued sanctions and indictments against, but who are operating in Russia with apparent impunity.
A BBC investigation in November found that Igor Turashev, one of the accused leaders of Evil Corp, is operating several businesses out of Moscow City’s Federation Tower.
The tower is one of Russia’s most prestigious addresses, home to prominent businesses and with apartments going for millions of dollars.
Chainalysis claims several crypto-currency companies based in the tower were used by hackers to launder illicit funds, turning crypto-currency from digital wallet addresses to mainstream money.
“In any given quarter, the illicit and risky addresses account for between 29% and 48% of all funds received by Moscow City crypto-currency businesses”, researchers allege.