Moscow’s Tallest Tower Is a Cybercriminal Cash Machine
The crown jewel of Moscow’s business district, a 97-story glass tower known alternately as Federation Tower East or Vostok, is a tribute to Russia’s post-Soviet economic influence and national strength. Promotional materials for the building, which was the tallest in Europe when it was completed in 2017 and is now No. 2, boast of its highly paid staff and its supposed fortification against “missiles and explosions.” Its apartments are rented and owned by high-ranking government officials and C-suite executives. Residential units sell for upwards of $36 million.
The building has also been home to more than a dozen companies since 2018 that convert cryptocurrencies to cash, judging from the addresses listed on company websites. Although there’s nothing inherently illegal about this, such businesses can enable criminals to cash out profits from digital crimes if they don’t vigilantly monitor their customers, and some find lax oversight to be a useful market niche. Experts have linked at least four of the companies in Vostok to money laundering associated with the ransomware industry, which has generated $1.6 billion in ransom payments since 2011, according to the U.S. Treasury Department.
The perception that the Russian government tolerates, or even encourages, some types of cybercrime has been at the heart of the Biden administration’s conflict with Russian President Vladimir Putin. According to the Treasury Department, this year criminal hackers, mostly based in Russia or Eastern Europe, have made $590 million from ransomware attacks against schools, businesses, government entities, and health-care providers—42% more than they did in all of 2020. At a summit about a month after a Russia-linked cybergang extracted $4.4 million from Colonial Pipeline Co., Biden warned Putin that failure to end these attacks would be met with retaliation. Nevertheless, profit-driven hackers have continued to target U.S.-based networks.
It’s hard to come up with a stronger illustration of the ineffectiveness of Russian enforcement than the existence of multiple entities with links to ransomware operating out of what is perhaps Moscow’s most prestigious office tower. One of the Vostok companies is Suex OTC, the first Russian company to face U.S. sanctions for helping ransomware cartels launder money. Suex, which operates out of Suite Q on the 31st floor, has processed at least $160 million in Bitcoin from illicit and high-risk sources since 2018, according to the blockchain research firm Chainalysis. These transactions account for 40% of the company’s known business.
Egor Petukhovsky, Suex’s largest shareholder at the time of the Treasury Department’s sanctions, denied in a Facebook post in October that he or his business helped launder money for hackers and vowed to “firmly defend my name in litigation” in the U.S.
An occupant of the 22nd floor, EggChange, is under investigation in the U.S. and Europe for allegations of money laundering, according to three sources familiar with the probe who sought anonymity because they’re not authorized to discuss the investigation. (The Treasury Department declined to confirm the existence of the investigation.)
Binance, the world’s largest cryptocurrency marketplace, says it has also “flagged several accounts and illicit flows associated with” platforms including EggChange and CashBank, another company operating out of Vostok. After alerting law enforcement of “potentially illicit activities,” Binance says it shut down the accounts it identified.
Buy-bitcoin.pro, which also lists Vostok as its headquarters, has processed hundreds of thousands of dollars in ransomware funds and for other illicit operators including Hydra, the largest darknet market based in Russia, according to Chainalysis. EggChange, CashBank, and Buy-bitcoin.pro didn’t respond to requests for comment.
Cryptocurrency companies are a major presence in Moscow City, the business district surrounding Vostok. Spreading over about a quarter square mile on the former site of an industrial park that was razed just after the fall of the Soviet Union, the financial district has housed at least 50 companies that convert cryptocurrencies into cash, some with connections to illicit activities. That makes it one of the world’s most influential stations for cashing out digital coins, according to cybersecurity and cryptocurrency experts.
Russian law requires companies to conduct know-your-customer, or KYC, checks for cash transactions exceeding 600,000 rubles (about $8,500), although cryptocurrency exchanges aren’t regulated and their reporting obligations aren’t entirely clear, according to Maria Agranovskaya, a lawyer who represents Binance in Russia. KYC rules typically involve cross-referencing an individual’s personal information against public databases; financial institutions can also limit the size of large transactions involving newly created accounts until they’re satisfied about the account holder’s identity and source of funds.
These requirements aren’t particularly onerous, according to Jackie Singh, a former senior cybersecurity staffer at the Biden campaign who’s now an adviser and senior strategist to the blockchain security startup Metaversable. She sees skipping customer identification norms as a red flag for investigators hunting for illicit operators. “There’s no reason for a person who is conducting legal business to seek out an exchange of any kind that does not comply with their country’s legal KYC processes,” she says.
One reason Vostok has become a locus for this activity is the credibility the address conveys, according to Stanislav Bibik, a partner at Colliers, the property investment firm. Operating there “gives status to the tenant and says that he has a solid business,” Bibik says. The reality is that companies operating in the building don’t necessarily have any direct connection to its management firm, billionaire Roman Trotsenko’s Aeon Corp. Aeon manages the building and acts as its broker while owning a small percentage of its space, and individual floors are now owned by more than 100 other entities. These have recruited their own tenants without any direct involvement from Aeon, according to real estate experts in Moscow. Aeon didn’t respond to requests for comment.
The cryptocurrency companies operating within the building are using it as more than a P.O. box—in at least one instance it’s the location where money actually changes hands. A digital coin trader recently described the experience of cashing out coins at Vostok through EggChange, requesting anonymity to protect the identities of those involved in an investigation aimed at identifying players central to global cryptocurrency laundering.
The transaction, like most others, began by exchanging messages with an account on the messaging service Telegram, which EggChange advertised on its website and on cryptocurrency web forums. The person running the account provided a document with formal terms of exchange, including the vendor’s commission of 1.7%.
The document had spaces for the trader to include a name, passport number, and signature, which the trader was instructed to return to EggChange. But the trader never provided the information, and EggChange never demanded it. All the platform wanted was a name—any name—so the front desk at Vostok could print out a visitor’s badge. Bloomberg Businessweek confirmed the trader’s account by reviewing Telegram chats with EggChange.
EggChange allows customers to cash out cryptocurrencies through couriers in multiple countries, but it has presented its office at Vostok as a kind of salon for cryptocurrency enthusiasts. “Besides a safe and quick exchange—we guarantee fun and educational conversations about the world of crypto, coffee, tea and strong beverages,” reads a 2018 forum post advertising its services.
The reality was more pedestrian. The trader sent a proxy, also known as a money mule, to pick up the cash. The mule was equipped with a fake passport, but the trader says no one at the security desk or EggChange’s office ever asked to see any identification. Instead, the mule gave a fake name to obtain a generic plastic badge and was given instructions to ride an elevator to the 22nd floor to gain access to Suite 9.
Upon arrival, the mule found a metal door and keypad. The Telegram contact had provided the four-digit code 2209. At entry, the mule was met by a nondescript, two-room office with views of the meandering banks of the Moskva River. A receptionist was waiting, equipped with a mobile phone and barricaded behind a desk with a bowl of candies, coffee, and tea. There was no EggChange signage, no fun or educational crypto conversations, and no indication that anyone else worked there.
The mule was asked to recite another passcode that had been shared over Telegram, this one to identify and verify the transaction, then asked to deposit any electronics into a locker to defend against electronic surveillance. The receptionist directed the mule toward another door, which swung open to reveal a man who handed over an envelope of cash.
That was the end of the transaction. The mule walked out of the gleaming tower and back onto Moscow’s streets, blending into foot traffic, pocketing the cash without ever having to reveal an identity. It was as if no one had been there at all.
Article credit: https://www.bloomberg.com/news/articles/2021-11-03/bitcoin-money-laundering-happening-in-moscow-s-vostok-tower-experts-say