Mr Doomits - stock.adobe.com

NCA takes out network that laundered ransomware payments

NCA-led Operation Destabilise disrupts Russian crime networks who funded the drugs and firearms trade in the UK, helped Russian oligarchs duck sanctions, and laundered money stolen from the NHS and others by ransomware gangs

The UK’s National Crime Agency (NCA) has exposed and disrupted two Russian money laundering networks that handled cash stolen by the Ryuk ransomware gang, among others.

Operation Destabilise took out the Smart and TGR criminal networks, which besides providing services to cyber criminals also played a key role in drugs and firearms trafficking into the UK.

The two networks also helped Russian clients bypass financial restrictions to invest money illegally in the UK, transferred money to support the activities of a sanctioned Russian-language media organisation, alleged to be banned propaganda network Russia Today (RT), and provided financial assistance to fund Russian espionage activities.

The NCA said it had also demonstrated clear links between the cryptocurrency addresses used by Smart and TGR, and sanctioned crypto exchange Garantex, which allegedly has links to payments made for weapons components for Russian troops in Ukraine.

“Operation Destabilise has exposed billion-dollar money laundering networks operating in a way previously unknown to international law enforcement or regulators,” said Rob Jones, NCA director general of operations.

“For the first time, we have been able to map out a link between Russian elites, crypto-rich cyber criminals, and drugs gangs on the streets of the UK. The thread that tied them together – the combined force of Smart and TGR – was invisible until now.

“The NCA and partners have disrupted this criminal service at every level. We have identified and acted against the Russians pulling the strings at the very top, removing the air of legitimacy that enabled them to weave illicit funds into our economy,” he added.

“We also took out the key coordinators that enabled the cash-based element of their operation in the UK, making it extremely difficult for them to operate here and sending a clear message that this is not a safe haven for money laundering,” said Jones.

The NCA also named six key players in the two networks – all of whom have been sanctioned by the United States Office of Foreign Assets Control (OFAC) today – Ekaterina Zhdanova, Khadzi-Murat Magomedov, and Nikita Krasnov, who between then led the Smart operation, and George Rossi, Elena Chirkinyan, and Andrejs Bradens (aka Andrejs Carenoks), who headed up TGR.

The NCA said that dating back to 2021, Zhdanova played a key role in laundering $2.3m (£1.8m) of crypto-based ransoms paid to the Ryuk ransomware crew. The Ryuk gang – a predecessor to Conti – callously targeted health sector organisations in both the UK and US during the Covid-19 pandemic in 2020.

Members of Ryuk, sanctioned by the UK in 2023, were responsible for extorting over £27m from at least 149 known victims in the UK – the gang’s true impact was likely much higher.

"This is stellar work from the NCA, OFAC and partners, demonstrating the simple truth that paying ransoms contributes to crime on the streets in the UK and other countries,” said Don Smith, vice president of threat intelligence at the Secureworks Counter Threat Unit.

“Paying ransoms is, and always has been, nothing more than putting funds in the hands of criminals,” he said.

84 arrests

NCA-coordinated activity against Smart and TGR has so far resulted in 84 arrests, with many individuals already behind bars, and over £20m in assets seized.

The networks formed the core of a complex scheme that collected money in one jurisdiction and performed a series of crypto-for-cash swaps to make the equivalent value available elsewhere. In this manner, they were able to not only launder money for cyber criminals but streamline the movement of money made by other organised crime gangs, and help Russian oligarchs and elites bypass sanctions.

The UK unwittingly played a key role as a hub for Smart and TGR, with investigators frequently witnessing in-person, street-level cash handovers which were followed almost immediately by cryptocurrency movements.

After receiving their crypto funds back, the networks enabled criminals to reinvest in drugs or firearms without needing to move actual money across borders, perpetuating a cycle of violence and harm in Britain.

 “The networks disrupted by Operation Destabilise were hidden in plain sight, operating from within our communities, moving vast sums of money linked to the drugs trade and serious violence on our streets,” said Nik Adams, T/assistant commissioner for City of London Police and National Police Chiefs’ Council lead for economic crime.

Cash couriers run by Smart and TCG used over 50 different locations in England, Scotland, Wales, and even the Channel Islands, over a four-month period, to swap funds for over 20 distinct criminal groups. One of the couriers, Fawad Saiedi, who is now serving a four year and four month prison sentence, personally oversaw the laundry of £15m of funds.

A different group, coordinated by Krasnov, ran couriers to laundered over £12m in just two-and-a-half months. Three individuals are currently serving time for these offences in the UK and Ireland.

The NCA also revealed how its investigation did not go unnoticed by the networks, with many members speaking openly about their reservations over operating in London as the agency and its partners slowly turned up the heat.

By the summer of 2024, a few short months ago, Russian money laundering networks in London were charging extremely high commission rates as it became harder and harder for them to work in the city. This proved extremely costly to both groups, which were operating on extremely low profit margins.

Read more about cyber crime

Read more on Hackers and cybercrime prevention