Investigating a Russian Crypto Laundering Operation

It seems like every few hours a user posts about getting their crypto stolen in this forum or similar forums on Reddit.

We hear about the theft and feel sorry for the victim, but rarely do we get a glimpse inside the operations of the person responsible for moving the stolen funds.

Today, let's investigate the infrastructure of one man's decade-long money laundering operation.

Introduction to Crime

Meet Ilya Sergeevich Obozny.

He goes by the following usernames on forums and social media profiles:

  • iljaarn
  • spectre1466
  • cyberhostingru
  • kurwa311

Ilya is a Russian national who likes to travel around Europe, frequently staying in Airbnbs and luxury hotels for months at a time. He's active in a number of public forums offering to help facilitate the laundering of stolen funds.

I was able to connect Ilya Obozny to the above usernames through a series of public forum posts that included his phone number and email, cross-referenced with data breaches that included the same information.

Over the course of about a decade, Ilya has worked with a number of groups (mostly Russian) to launder funds for large scale botnet operations, celebrity endorsed rug pulls, and various cryptocurrency scams.

Geost Botnet

In 2016, an Android banking trojan called Geost was unleashed on over 800,000 Russian citizens. The goal of the botnet was to steal the banking information of Russian and Eastern European citizens.

The trojan had full access to the phone's SMS data, with the ability to read account balances, intercept two-factor authentication (2FA) codes, and send SMS commands to silently drain bank accounts.

The botnet relied on hundreds of malicious domains and various international servers to manage the infected users.

The image above shows how researchers at Stratosphere Laboratory discovered the Geost botnet. They have a detailed research paper on the entire Geost botnet operation that's worth a read.

Researchers discovered the Geost botnet by monitoring traffic from another malware operation called HtBot. Once a user was infected, the HtBot trojan converted its victims into proxies. The Geost botnet connected to the HtBot proxy network to initiate the thefts and drain victims' bank accounts.

The total losses were said to be in the tens of millions (I couldn't find an accurate account), but numerous victims were drained of their entire bank accounts.

As far as I can tell, no arrests were made in the thefts. The following details Ilya's role in the operation.

Amateur Opsec Hour

What made this a unique case study was that security researchers found a 6,200-line unencrypted Skype chat log that had accidentally been uploaded, revealing the usernames and conversations of the 29 perpetrators involved in the Geost botnet.

Ilya Obozny was the main money launderer of this operation. The below chat log confirms his involvement.

The user "powerfaer" was later identified as the ringleader of the Geost botnet.

Researchers at Stratosphere Laboratory discovered and translated chat logs from the Geost botnet connecting Ilya (cyberhostingru) to the team behind the botnet.

The chat logs spanned the course of 8 months and went into intimate details about:

  • Server IP addresses and passwords.
  • Updating bugs in the malicious code.
  • The laundering of stolen funds from their victims.
  • Internal arguments over payments and feature designs.

Additionally, the Skype conversations provided a unique insight into the personal lives of the bad actors during the heist. Some individuals had second thoughts about continuing to go through with the operation, while others discussed their feelings openly.

All of the discussions about payments and where to launder the funds led directly to Ilya.

The preferred method was to use online payment systems like WebMoney, Qiwi, and Yandex Money.

The above image was taken from a forum connecting the usernames cyberhostingru, iljaarn, and kurwa311 together.

Cryptocurrency Laundering Operation

Shortly after getting involved with Russian botnet threat actors, Ilya moved into laundering cryptocurrency for rug pulls, hacks, and other scams.

Ilya's main Binance deposit address is 0xf0a59E87f09024966493B912D8687336Bee2f4D9.

He is connected to another Russian threat actor, Konstantin Pylinskiy, the current CEO of Moonward Capital in Dubai, who was implicated recently in the 1.6M Fake Rabby Wallet scam and a number of other hacks/scams.

A look inside of "konpyl" depositing into Ilya's Binance deposit address.

Konstantin's main wallet, 0x44BdB19dB1Cd29D546597AF7dc0549e7f6F9E480 (konpyl on Opensea), sent about 77K into Ilya's deposit address, presumably for services rendered, and has interacted with a number of Ilya's wallets.

Russian Laundering Methods

Typically, the way funds are moved is:

Chain-hopping / Bridges --> Mixers --> Non-Compliant Exchanges / OTC Desks --> Cash Out.

The obfuscation of the funds can get extremely sophisticated and difficult to trace.

Below is a simplified version of a Russian Money Laundering Operation similar to Ilya's.

The above is a high-level image of how many of the Web3 Russian money launderers operate. Garantex and Kyrrex were two of the preferred destinations of Ilya Obozny's money laundering operation.

In many of Ilya's money laundering activities he skipped the initial obfuscation layer entirely and went straight to depositing funds into OFAC-sanctioned exchange deposit addresses.

Garantex

Based in Moscow, Garantex is an OFAC-sanctioned cryptocurrency exchange that acts as the primary liquidity engine for Russian cybercrime.

Garantex operates with virtually non-existent KYC/AML protocols and does not respond to international law enforcement subpoenas.

As a Russian national, Ilya is easily able to open Garantex deposit addresses to launder stolen funds. I found a number of Ilya's wallets using Garantex to deposit stolen funds into directly.

Depending on who Ilya was working with, he could swap the funds into fiat like Russian rubles to off-ramp, or swap into another coin on a different chain like Tron.

OTCs and High Risk Exchanges

While Ilya can charge higher fees for it, depositing into heavily sanctioned exchanges like Garantex is risky, as many anti-money-laundering and blockchain analytics firms will instantly blacklist any funds associated with the entity.

Additionally, these exchanges are at great risk of server takedowns, asset forfeitures, and domain seizures. In Garantex's case, over 26 million was seized and law enforcement took control of Garantex's domains, even though its physical location in Moscow was beyond the reach of international law.

Exchanges like Kyrrex and Kucoin are a preferred destination of Ilya's laundering operation.

While subject to regulations, these exchanges tend to turn a blind eye to cybercrime and make things extremely difficult for law enforcement.

Kyrrex is considered a nested exchange and functions like an offshore broker. The exchange holds its accounts inside HTX.

The image above shows how Kyrrex operates as a nested exchange inside HTX.

I was able to trace a number of stolen funds laundered by Ilya to single Kyrrex deposit addresses. These can be incredibly difficult to attribute, as the wallet routes directly into HTX's deep liquidity pools.

On the blockchain, it looks like the funds are going directly into HTX, but in reality they hit Kyrrex deposit addresses before landing in HTX.
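To make the tracing described in the laundering-methods section and the nested-exchange section above concrete, here is an added Python example (not part of the original post) that forward-traces funds over a small constructed ledger. Every address and label in it is a placeholder standing in for the entity types the post names; the two flags it raises model a direct deposit into a sanctioned exchange with no obfuscation layer, and a nested-exchange deposit whose attribution point is the deposit address rather than the host exchange's hot wallet where the funds appear to land.

```python
from collections import defaultdict, deque
# Constructed sample ledger (sender, receiver, amount). Addresses and labels are
# placeholders for the entity types named in the post, not real on-chain data.
TRANSFERS = [
    ("victim_a", "bridge_out", 100.0),
    ("bridge_out", "mixer_1", 99.5),
    ("mixer_1", "hop_2", 98.0),
    ("hop_2", "kyrrex_dep", 98.0),       # nested-exchange deposit address
    ("kyrrex_dep", "htx_hot", 98.0),     # swept into the host exchange
    ("victim_b", "garantex_dep", 50.0),  # straight to a sanctioned exchange
]
KNOWN = {  # address -> (entity, category, sanctioned)
    "bridge_out": ("Bridge", "layer", False),
    "mixer_1": ("Mixer", "layer", False),
    "kyrrex_dep": ("Kyrrex", "deposit", False),
    "htx_hot": ("HTX", "hotwallet", False),
    "garantex_dep": ("Garantex", "deposit", True),
}

def trace_forward(start, transfers=TRANSFERS, known=KNOWN):
    """Follow funds breadth-first from `start`; return every labelled address
    touched as (hops, entity, category, sanctioned), stopping at hot wallets."""
    graph = defaultdict(list)
    for src, dst, _amt in transfers:
        graph[src].append(dst)
    touched, seen, queue = [], {start}, deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr in known:
            touched.append((hops,) + known[addr])
            if known[addr][1] == "hotwallet":
                continue  # funds are commingled here; the trail ends
        for nxt in graph[addr]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return touched

def attribution_point(start):
    """First deposit address hit: the venue holding the account, even when the
    chain view shows the funds landing at the host exchange's hot wallet."""
    return next((e for _, e, c, _ in trace_forward(start) if c == "deposit"), None)

def risk_flags(start):
    path = trace_forward(start)
    cats = [c for _, _, c, _ in path]
    flags = ["touched sanctioned entity"] if any(s for *_, s in path) else []
    if "deposit" in cats and "layer" not in cats:
        flags.append("direct deposit with no obfuscation layer")
    return flags
```

On the constructed ledger, `attribution_point("victim_a")` names Kyrrex rather than HTX, and `risk_flags("victim_b")` raises both flags because the funds went straight into the sanctioned deposit address.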

Timeline of Money Laundering

I was able to connect Ilya's money laundering activities to a number of rug pulls, hacks, and scams.

While I can't confirm Ilya is directly involved in these thefts, he does appear to be the one facilitating the laundering through OTC (Over the Counter) trades and various money changing methods to help clean the funds.

Above is a look inside Ilya's main Binance deposit address, 0xf0a59E87f09024966493B912D8687336Bee2f4D9. I labeled everything I could. It's generally assumed that all inflows are connected to money laundering activities.

The following, except for the Geost botnet, were all connected to Ilya directly through his main Binance deposit address and other wallets through which he played a role in laundering the funds.

  • Geost Botnet (2016)
  • TokenStars (2017)
  • Mark SPACE Scam (2018)
  • Coinbase Impersonation Scams (2020)
  • Elon Giveaway Phishing Scams (2021 - 2022)
  • Drainer Scams (2023 - Present)

Celebrity Scams

TokenStars

TokenStars is one of many failed ICOs during the peak ICO boom in 2017. The idea was to tokenize the performance of athletes, particularly Russian ones.

This one turned out to be a legit project where real infrastructure was built. Ambassadors like Martina Hingis, Nikita Kucherov, and Lothar Matthäus hyped the project up, but only a handful of Russian athletes signed up to tokenize their talents.

The project fizzled out in 2018. Who would have thought tokenizing human beings based on performance wouldn't work?

If TokenStars was a failed project at best and a soft rug pull at worst, the next celebrity project Ilya was involved with was 100% a scam.

Mark SPACE

Mark SPACE (MRK) was intended to be a project that allowed investors to buy virtual real estate to sell clothes, host a virtual office, or create a social hangout space. Future NHL Hall of Famer Evgeni Malkin was a co-founder and the face of the project.

Malkin ended up getting scammed out of over 4MM and the MRK token went to nearly zero shortly after launch. Retail investors lost another 11MM.

Investigative reporting in Russia revealed the full details of the project and who was involved.

I took a screenshot from the Smart-lab article that goes into great detail about the Mark Space scam.

The wallets 0x71E4c641310Bb5883A920E2F5072BC8B1BC37B95 and 0xE26AeC623286AEd41991a7257370f9a7f07b88d0 flow directly into deposit addresses associated with Ilya Obozny.

He appears to have deep involvement in the project, though he is not listed as an official member of the Mark Space project. Most of the funds from the project team move into wallets and deposit addresses associated with Ilya.

Impersonation & Phishing Scams

Impersonation Scams

A single victim lost 1000 ETH out of their Coinbase account in 2020. I traced the Coinbase impersonation scam to outflows from Ilya's wallet.

While I don't think he took part in the scam itself, on-chain data clearly shows funds from the victim's Coinbase account getting laundered through wallets associated with Ilya.

Elon Giveaway Phishing Scams

During the peak bull run of 2021 and early 2022, scams involving Elon Musk's likeness were everywhere. A Twitter post would claim that Elon Musk or Tesla was launching a massive giveaway and use FOMO to lure unsuspecting victims.

The above is an example of one of the Elon phishing scams connected to Ilya Obozny's money laundering activities. Verified Twitter accounts of public figures were compromised to make the scam appear more legitimate.

The scammers set up professional-looking landing pages telling users to "Send between 10 to 100 ETH to this wallet, and we will instantly send you back double the amount!" Sounds too good to be true, because it was.

I came across a number of these scams connected to Ilya. Here's one such wallet where all the inflows come from Elon or Michael Saylor giveaway scams: 0x80293f92AEE5E1dB39fe90D89ebBE101C8B68010.

Drainer Scams

Wallet drainers like Inferno, Angel, and Pink started becoming a problem around early 2023. The business model, Drainer as a Service, allowed affiliates to participate in cybercrime without having to provide any of the infrastructure.

Typically, the affiliates would just do the marketing (Twitter, Discord, Google, Reddit, and YouTube were the most common places to lure victims) while the drainer service provided the software, and the affiliates would receive at least 80% of the proceeds.

Many of these "affiliates" do not have the expertise to launder the stolen funds.

I was able to trace mostly Inferno and Angel drainer affiliate funds getting laundered through wallets associated with Ilya.

Connecting the Dots: 10 Years of Money Laundering

Money launderers are the engine that allows rug-pullers, hackers, scammers, and malware developers to profit off the misery of everyday retail investors.

Ilya Sergeevich Obozny has managed to stay in the shadows while facilitating tens of millions in money laundering activities over the course of a decade. I was only able to attribute a fraction of the total scale of his operation.

In time, as deeper investigative work is done, we will get the full scope of Ilya's cybercrime operation.

However, Ilya’s past has permanently caught up with his present. He may be safe from international law for now, but on the blockchain, his footprint is cemented forever for anyone with the patience to look.

I hope this type of post was insightful. As more information comes to light I'll be sure to update.

Until then, be safe out there!

submitted by /u/jbtravel84