Credit: Edin Pasovic / OCCRP

US and Russia Spar Over Accused Crypto-Launderer

A clash between Russia and the US over the fate of a fallen cryptocurrency king has escalated to the Kremlin, where President Vladimir Putin raised the matter directly with Greek Prime Minister Alexis Tsipras.

At issue is who will prosecute Alexander Vinnik, a Russian citizen accused of helping launder at least US$ 4 billion through one of the world’s largest bitcoin exchanges.

Vinnik’s odyssey through the US, Russian, Greek, and French legal systems began in sunny Chalkidiki, Greece, in July 2017. His annual family vacation there slammed to a halt with his arrest at the hands of some 20 plainclothes police officers.

Vinnik, then 37, was known in the murky world of Moscow digital currency exchangers as “Sasha WME.” According to a 21-count US indictment unsealed by the Northern District of California the day after his arrest, he was an online money launderer and the brains behind the now-defunct cryptocurrency exchange known as BTC-e, once one of the world’s largest.

Vinnik was apprehended on the beach of the Avaton Luxury Villas Resort hotel, where the most extravagant suite runs more than $1,000 a night. Police seized five mobile phones, four credit cards, two laptops, two tablets, a 256-gigabyte thumb drive, and a router. He had apparently kept up with the office even on vacation.

And it was a busy office. US prosecutors estimate Vinnik helped launder between $4 billion and $9 billion in bitcoin tied to cybercrime, drug trafficking, public corruption, and tax refund fraud schemes.

(What is BitCoin? Click here to read.)

The Russian cyber-espionage group known as Fancy Bear was among BTC-e’s clients, according to the blockchain forensics company Elliptic, and US prosecutors allege Fancy Bear in turn used bitcoin to fund hacking the Democratic National Committee. US prosecutors have alleged in 2018 that Fancy Bear is actually part of the GRU, the acronym for Russian military intelligence, while other security firms and experts speculate the group works in cooperation with the GRU.

According to media reports, BTC-e processed $66 million worth of anonymous transactions every day at its peak in June 2017. In Vinnik’s indictment, the exchange is described as “one of the primary ways by which cybercriminals around the world transferred, laundered and stored the criminal proceeds of their illegal activities.”

Vinnik, who according to Russian media reports was recently hospitalized after going on a hunger strike, could spend 55 years behind bars if convicted of all the US charges against him.

No sooner was Vinnik detained on the American arrest order than Russia filed its own extradition request on separate and dubious petty-theft charges in the amount of $11,000 – a veritable jaywalking citation in comparison. The Russian request may have been an attempt to keep Vinnik from falling into US hands.

Sitting in Diavata Judicial Prison outside Thessaloniki, Vinnik was now caught between the US and Russia in a legal battle over who should prosecute him.

This struggle, waged over the past year, has revealed the extent to which the digital underworld has come to rely on cryptocurrencies. A new breed of financial criminal has adopted the blockchain — the distributed ledger that powers bitcoin — to conceal illicit assets from authorities.

Governments, including the US, are concerned that cryptocurrencies can undermine anti-money-laundering and sanctions-enforcement regimes. Drug trafficking organizations operating as far apart as Colombia and China, and even blacklisted nations such as North Korea, Venezuela, and Iran, have made headlines for their clandestine crypto maneuvers.

For the US, which wields significant power in the global banking system, the BTC-e case is a sobering example of how its foreign adversaries can use crypto to subvert cross-border financial surveillance.

Meanwhile, Moscow has fought strenuously to block Vinnik’s extradition to the United States.

One force driving the standoff might be BTC-e’s links to Fancy Bear. According to a July 2018 indictment by US Special Prosecutor Robert Mueller, the 12 Fancy Bear-associated suspects financed their hacking operations by laundering more than $95,000 worth of bitcoin. And, in a joint investigation with the BBC, researchers from Elliptic discovered that Fancy Bear controlled a wallet “worth around $100,000.” Elliptic traced the source of some of the funds in that wallet to the BTC-e exchange.

BTC-e’s alleged association with Fancy Bear raises the question of whether Vinnik may have material knowledge of Russian involvement in US election interference, which would make him a huge intelligence prize.

Former federal prosecutor David Hickton, who reorganized the US Attorney’s Office in Pittsburgh to create a dedicated national security and cyber division, said US law enforcement usually presumes that elite Russian cybercriminals are backed by state security forces. While no Russian official has publicly gone to bat for Vinnik, Igor Ashmanov, one of the country’s most powerful and politically connected tech tycoons, wrote an April op-ed for RIA Novosti in which he urged the Russian government to help Vinnik.

He argued that Vinnik is “a carrier of completely unique theoretical and practical knowledge in the most advanced areas of information technology” and that his expertise is “vital for those technological breakthroughs that the leadership of the country speaks about.” He framed Vinnik’s arrest as an American seizure of a “strategic intellectual resource.”

At the request of US officials, other Russian cybercriminals have been detained or extradited from Cyprus, the Netherlands, the Maldives, Canada, Latvia, the Czech Republic, Spain, Thailand, and Georgia. At least eight suspects were targeted in 2017 alone, including Vinnik. But apart from his case, there have been only six instances over the past 10 years in which Russian officials have submitted competing extradition claims.

According to convicted Russian cybercriminal and online payment entrepreneur Pavel Vrublevsky, Moscow’s tactic is to file “fake” and significantly lighter charges against certain Russian hacking suspects when they are detained on foreign soil. Having served separate six- and nine-month stints in Russian jails and penal colonies for what he says were trumped-up cybercrime and witness-intimidation offenses, Vrublevsky knows how the Russian criminal justice system works.

He previously exposed elite Federal Security Service (FSB) cyber-operatives and Kaspersky Lab officials as double agents for US intelligence, leading to their arrests in Russian for treason in December 2016.

While he doesn’t know Vinnik personally, Vrublevsky says Sasha WME was well-known in the Moscow underworld as a reliable crypto broker for credit card thieves and high-risk merchants in online pornography, gambling, and pharmaceutical sales. He added that Moscow doesn’t go to such lengths to protect just any hacker.

The US went after Vinnik on the grounds that BTC-e was an unlicensed “money service business,” such as a currency exchanger or check casher, which had customers and operations in the country, making it subject to US laws. Vinnik’s Russian defense lawyer, Timofey Musatov, disputes that interpretation.

“BTC-e is just a website that allows people to use new technology and digital currency, which only recently became exchangeable for fiat [physical] money,” Musatov said. “You call it an ‘exchange,’ but it’s not a financial exchange similar to stock or currency exchanges. It’s simply a platform.”

The indictment against Vinnik is flawed, Musatov said, because it relies in part on statements by two discredited US agents who bought bitcoin on the website and alleged that their backgrounds had not been properly checked.

The men are former Drug Enforcement Administration agent Carl Mark Force and ex-Secret Service agent Shaun Bridges, who were convicted of funneling cryptocurrency stolen from the 2013 Silk Road dark web drug-trafficking probe into BTC-e.

Russia’s Countermove

In December 2017, Greece’s Supreme Court ruled that Vinnik should be extradited to the US, but his legal ordeal only got more complicated. Although he applied for political asylum in Greece in January, four months later he submitted a written confession to Russian authorities admitting to cyberfraud and money laundering on a large scale through the BTC-e exchange.

In June, Russia filed a new set of charges based on that confession, accusing him of computer fraud that bilked Russians out of $12.4 million. The new charges carry a sentence of up to 10 years and enabled Moscow to file a second extradition request.

Then France submitted a competing request, accusing Vinnik of defrauding French citizens and continuing to operate BTC-e even after being jailed in Greece. In July, Vinnik was shuffled back and forth between Thessaloniki and Athens, where courts issued conflicting decisions: The Thessaloniki authority ordered him extradited to France while the supreme court in Athens ruled in Russia’s favor.

Because France is a European Union member, extraditing Vinnik there doesn’t require approval by the Greek justice minister. The accused’s lawyer says the US orchestrated the French request to bypass the minister and ultimately get Vinnik transferred to the United States.

“The US monetary system controls the world’s financial environment,” Musatov said. “The appearance of any new ideas to tackle that control scares and worries the current controllers as a threat to their dominance. As such, the creators of such technologies are being thrown on the pyre of inquisition.”

Sasha WME

Vinnik was born in the provincial Russian town of Kurgan in the late 1970s, according to his testimony in the Thessaloniki court, during which he frequently invoked his devout Orthodox Christian faith. His father was a carpenter, his mother a cook. He grew up assembling radios and learning to program on a rented ZX Spectrum home computer.

Vinnik’s first wife, Natalya Molokova, told Russia’s RBC media conglomerate that the budding tech entrepreneur moved to Moscow with his mother in the early 2000s. He pursued internet ventures there before pivoting to a more lucrative business model: servicing online payments.

The RBC investigation linked Vinnik’s former email address to Wm-Exchanger.com, a now-defunct website registered in 2004, which allowed people to convert rubles and E-Gold, the first widely adopted electronic currency, into WebMoney, another digital currency then popular in Russia.

Earning a commission for every transfer, Vinnik’s Wm-Exchanger business grew. He marketed his skills in online forums under the username WME (for WebMoney Exchanger). In 2006, he went to work for WMExpress, a company that helped clients exchange digital and physical currencies. For almost three years, he worked for its owner, Andrey Klimov.

Klimov told RBC that Vinnik’s Wm-Exchanger became increasingly sought-after because Vinnik was one of just five or six online currency brokers in Russia that had offshore bank accounts at that time. Foreign exchange traders and internet professionals were the first to use digital currency exchange services, but were soon joined by cybercriminals and credit card scammers.

In 2009, the emergence of bitcoin opened Vinnik’s eyes to a new opportunity.

Posting on the cryptocurrency forum bitcointalk in October 2011, Vinnik wrote under his WME handle: “I’ve been doing exchanges for more than 10 years. Now, I’ve started working with bitcoins. I can exchange them for anything. I give priority to cash in Moscow.”

How BTC-e Worked

The BTC-e website was initially registered in Crimea in June 2011. The crypto exchange platform went live the following month with “no meaningful anti-money laundering processes in place,” according to the US Justice Department. All that was needed to create a BTC-e account was a username and an email address. The US indictment alleges that BTC-e deliberately avoided creating a paper trail by declining to collect any bank transaction data from its customers.

One popular method of funding BTC-e accounts involved a company called Mayzus Financial Services. Another used so-called BTC-e codes.

In the first case, users looking to buy crypto with regular money would transfer funds from their bank accounts through one of two companies run by Mayzus Financial Services. Sergey Mayzus, its owner, said his businesses handled about $100 million for BTC-e between 2011 and 2017.

From there, the funds went into the bank accounts of two companies (one offshore and one in the UK) that prosecutors allege Vinnik controlled: Canton Business Corp. and Always Efficient.

The second method of funding a BTC-e account, BTC-e codes, allowed users to anonymously exchange cash for crypto (or vice versa) without posting transaction records to the blockchain. In a cash-for-crypto exchange, a customer could show up in person to a WebMoney exchange office with a duffel bag of cash and buy a code, which essentially worked like a prepaid gift card.

The code holder could punch that code into the BTC-e website and have their BTC-e account merge with another containing the bitcoin equivalent of the cash they had deposited. This process allowed the user to avoid creating any record of the transfer on the blockchain. Brokers like Vinnik charged a commission for the service.

The codes also worked in the reverse order. Bitcoin owners — including those who obtained the currency illegally — could transfer it into a BTC-e account, obtain a code, and sell it for cash to a third party.

The seeds of BTC-e’s demise can be traced to the collapse of a cryptocurrency exchange in Japan known as MtGox. In 2014, some $500 million worth of bitcoins were stolen from the company’s investors, and one of them, a Tokyo-based programmer named Kim Nilsson, set out to track down his losses.

Nilsson and the other defrauded MtGox customers formed a bitcoin investigation group called WizSec, and discovered that in the fall of 2011, an attacker had gained access to private encryption keys for several MtGox online wallets.

For the next three years, the thief or thieves siphoned funds from them into a different group of bitcoin virtual wallets. Nilsson found that many of the stolen tokens were transferred to virtual wallets that Vinnik controlled.

WizSec fingered Vinnik as a key intermediary in laundering stolen bitcoins because some of the stolen funds were deposited back into MtGox accounts Vinnik used between 2011 and 2014. Nilsson also found a bitcointalk forum thread where Vinnik posted as WME (his online handle) and revealed his real name.

“He wasn’t even trying to hide,” Nilsson said.

Nilsson soon brought Vinnik to the attention of a criminal investigator with the US Internal Revenue Service.

The Feds Move In

In May 2016, the FBI began surveilling Vinnik when he logged into a WebMoney account from a luxury hotel in Abu Dhabi, according to Greek media.

Investigators traced 17 transfers of stolen MtGox funds to Trade Hill, a now-defunct cryptocurrency exchange in San Francisco, and then back to an account Vinnik controlled. Authorities also allege that Vinnik was the real owner of bank accounts belonging to Canton Business, the company that managed BTC-e.

The day Vinnik was arrested in 2017, BTC-e users reported website outages. The exchange responded on Twitter, saying that it was undergoing “unplanned maintenance.” Six days later on bitcointalk, the company assured customers they would receive full refunds and declared that “Alexander Vinnik never was the head or [an] employee of the BTC-e service.”

Management moved fast to salvage what it could. Within three weeks, BTC-e announced it was negotiating its sale to an investment company. In August 2017, new managers relaunched BTC-e in Singapore as World Exchange Services, or WEX, under the ownership of Dmitri Vasiliev, a Belarusian card player. (Vasiliev also testified in Vinnik’s defense at an October 2017 extradition hearing in Thessaloniki.)

Though BTC-e initially promised customers that every penny of their investments would be returned, the terms of the company’s sale stipulated that new management would only reimburse 55 percent.

WEX blamed Mayzus — the man whose companies had helped BTC-e customers buy crypto — for the shortfall. The allegation sparked angry online attacks and even threats on his life, Mayzus said in an interview, and in fall 2017 he sued Vinnik and 17 related legal entities for 200 million euros (about $232 million) in Cyprus, alleging fraud and reputational damage.

Vinnik denied any connection to the companies Mayzus named, according to a 2017 interview with RIA. Mayzus dropped the case in November.

WEX, the exchange that emerged from BTC-e’s ashes, has since changed ownership, with Vasiliev selling his stake for an undisclosed amount to the family of Dmitry Khavchenko, a former pro-Russia militiaman who fought in the Donbass region of Ukraine following the 2014 annexation of Crimea. Khavchenko’s daughter, Daria, is now WEX’s registered owner.

In December, Greece’s supreme court upheld a Thessaloniki judicial panel ruling that Vinnik should be extradited to France. On Jan. 15, the Russian state publication RT ran a photograph of him looking emaciated after what it described as 50 days on a hunger strike. The report quotes Vinnik theorizing that the Russian state is paying his legal bills and saying that he hopes ultimately to return home.

Recent stories

Subscribe to our weekly newsletter!

And get our latest investigations on organized crime and corruption delivered straight to your inbox.