Companies linked to Russian ransomware hide in plain sight

People on a high floor of Federation Tower East, the tallest building in Moscow, are reflected in a window of the glass and steel high-rise, Nov. 24, 2021. The U.S. has targeted several companies in Federation Tower East as it seeks to penalize Russian ransomware gangs, which encrypt their victims’ digital data and then demand payments to unscramble it. (Sergey Ponomarev/NYT)

MOSCOW — When cybersleuths traced the millions of dollars American companies, hospitals, and city governments have paid to online extortionists in ransom money, they made a telling discovery: At least some of it passed through one of the most prestigious business addresses in Moscow.

The Biden administration has also zeroed in on the building, Federation Tower East, the tallest skyscraper in the Russian capital. The United States has targeted several companies in the tower as it seeks to penalize Russian ransomware gangs, which encrypt their victims’ digital data and then demand payments to unscramble it.

Those payments are typically made in cryptocurrencies, virtual currencies like Bitcoin, which the gangs then need to convert to standard currencies, like dollars, euros, and rubles.

That this high-rise in Moscow’s financial district has emerged as an apparent hub of such money laundering has convinced many security experts that Russian authorities tolerate ransomware operators. The targets are almost exclusively outside Russia, they point out, and in at least one case documented in a US sanctions announcement, the suspect was assisting a Russian espionage agency.

“It says a lot,” said Dmitry Smilyanets, a threat intelligence expert with the Massachusetts-based cybersecurity firm Recorded Future. “Russian law enforcement usually has an answer: ‘There is no case open in Russian jurisdiction. There are no victims. How do you expect us to prosecute these honorable people?’”

Recorded Future has counted about 50 cryptocurrency exchanges in Moscow City, a financial district in the capital, that in its assessment are engaged in illicit activity. Other exchanges in the district are not suspected of accepting cryptocurrencies linked to crime.

Cybercrime is just one of many issues fueling tensions between Russia and the United States, along with the Russian military buildup near Ukraine and a recent migrant crisis on the Belarus-Polish border.

The Treasury Department has estimated that Americans have paid $1.6 billion in ransoms since 2011. One Russian ransomware strain, Ryuk, made an estimated $162 million last year encrypting the computer systems of American hospitals during the pandemic and demanding fees to release the data, according to Chainalysis, a company tracking cryptocurrency transactions.

The hospital attacks cast a spotlight on the rapidly expanding criminal industry of ransomware, which is based primarily in Russia. Criminal syndicates have become more efficient, and brazen, in what has become a conveyor-belt-like process of hacking, encrypting and then negotiating for ransom in cryptocurrencies, which can be owned anonymously.

At a summit meeting in June, President Biden pressed President Vladimir Putin of Russia to crack down on ransomware after a Russian gang, DarkSide, attacked a major gasoline pipeline on the East Coast, Colonial Pipeline, disrupting supplies and creating lines at gas stations.

US officials point to people like Maksim Yakubets, a skinny 34-year-old with a pompadour haircut whom the United States has identified as a kingpin of a major cybercrime operation calling itself Evil Corp. Cybersecurity analysts have linked his group to a series of ransomware attacks, including one last year targeting the National Rifle Association. A US sanctions announcement accused Yakubets of also assisting Russia’s Federal Security Service, the main successor to the KGB.

But after the State Department announced a $5 million bounty for information leading to his arrest, Yakubets seemed only to flaunt his impunity in Russia: He was photographed driving in Moscow in a Lamborghini partially painted fluorescent yellow.

The cluster of suspected cryptocurrency exchanges in Federation Tower East, first reported last month by Bloomberg News, further illustrates how the Russian ransomware industry hides in plain sight.

The 97-floor, glass-and-steel high-rise resting on a bend in the Moscow River stands within sight of several government ministries in the financial district, including the Russian Ministry of Digital Development, Signals and Mass Communications.

Two of the Biden administration’s most forceful actions to date targeting ransomware are linked to the tower. In September, the Treasury Department imposed sanctions on a cryptocurrency exchange called Suex, which has offices on the 31st floor. It accused the company of laundering $160 million in illicit funds.

In an interview at the time, a founder of Suex, Vasily Zhabykin, denied any illegal activity.

And last month, Russian news media outlets reported that Dutch police, using a US extradition warrant, had detained the owner, Denis Dubnikov, of another firm called EggChange, with an office on the 22nd floor. In a statement issued by one of his companies, Dubnikov denied any wrongdoing.

The exchange offices are “the end of the Bitcoin and ransomware rainbow,” said Gurvais Grigg, a former FBI agent who is a researcher with Chainalysis, the cryptocurrency tracking company.

The public transaction ledgers underlying virtual currencies allow funds to be tracked from one wallet to another, even when the owners’ identities are anonymous, until the cryptocurrency reaches an exchange. There, in theory, the exchange’s records should link the cryptocurrency with a real person or company.

“They are really one of the key points in the whole ransomware strain,” Grigg said of the exchange offices. Ransomware gangs, he said, “want to make money. And until you cash it out, and you get it through an exchange at a cash-out point, you cannot spend it.”

It is at this point, cybersecurity experts say, that criminals should be identified and apprehended. But the Russian government has allowed the exchanges to flourish, saying that it only investigates cybercrime if Russian laws are violated. Regulations are a gray area in Russia, as elsewhere, in the nascent industry of cryptocurrency trading.

At least 15 cryptocurrency exchanges are based in Federation Tower East, according to a list of businesses in the building compiled by Yandex, a Russian mapping service.

In addition to Suex and EggChange, the companies targeted by the Biden administration, cyber researchers and an international cryptocurrency exchange company have flagged two other building tenants that they suspect of illegal activity involving Bitcoin.

The building manager, Aeon Corp., did not respond to inquiries about the exchanges in its offices.

Like the banks and insurance companies they share space with, those firms are likely to have chosen the site for its status and its stringent building security, said Smilyanets, the researcher at Recorded Future.

“The Moscow City skyscrapers are very fancy,” he said. “They can post on Instagram with these beautiful sights, beautiful skyscrapers. It boosts their legitimacy.”