Feds Indict Russian Over BTC-e Bitcoin Exchange

Greek Police Arrest Man, Accused of $4 Billion in Bitcoin Money Laundering
Police in Greece on Tuesday arrested Alexander Vinnik, 38, for allegedly running a massive money laundering operation that processed $4 billion in bitcoins, many of which may be tied to the largest bitcoin exchange heist in history.

Vinnik, indicted in January by a California federal grand jury, has been accused of owning and operating a cryptocurrency exchange called BTC-e, the U.S. Department of Justice announced Wednesday.

The Greek embassy confirmed the arrest of Vinnik, a Russian national, according to the government-owned Russian news agency Sputnik.

Vinnik has been charged with operating an unlicensed money service business as well as with money laundering and related crimes, according to a partially redacted, 21-count indictment unsealed Wednesday. The indictment says numerous transfers from BTC-e administrator accounts went straight to personal bank accounts registered in Vinnik's name.

The Justice Department is now seeking Vinnik's extradition from Greece. Vinnik appeared Wednesday before the Thessaloniki Court of Appeals, where he said he was innocent of all charges filed against him, Greek media outlet Daily Thess reports. It adds that the court will make an extradition recommendation to the country's minister for justice, who has two months to make a final decision on the extradition request.

U.S. authorities have accused BTC-e, founded in 2011, of not only operating as an unlicensed money service business, but also laundering funds for numerous cybercriminal enterprises. "BTC-e facilitated crimes, including computer hacking and ransomware, fraud, identity theft, tax refund fraud schemes, public corruption and drug trafficking," according to the indictment. "Since its inception, Vinnik and others developed a customer base for BTC-e that was heavily reliant on criminals, including by not requiring users to validate their identity, obscuring and anonymizing transactions and source of funds, and by lacking any anti-money laundering processes."

The value of a bitcoin continues to fluctuate wildly, hitting a record high of $2,895 in June. (Source: XE Trade)

From 2011 until the end of 2016, the exchange processed more than 9.4 million bitcoins, according to court documents. While a bitcoin's fluctuating value - from a low of $2 to a high of nearly $3,000 - makes it difficult to put a dollar value on that quantity of cryptocurrency, at current exchange rates that quantity of bitcoins would be worth $24 billion.

BTC-e on its website says that its operations are based in Bulgaria, but subject to the laws of Cyprus. "The exchange allegedly maintains a base of operations in the Seychelles Islands and its web domains are registered to shell companies in, among other places, Singapore, the British Virgin Islands, France, and New Zealand," authorities say.

The indictment also alleges that many BTC-e users - as well as the site's operators - used the notorious Liberty Reserve virtual currency system, based in Costa Rica, which was shuttered by the Justice Department in 2013 (see Virtual Currency Kingpin Pleads Guilty).

Alleged Mt. Gox Connection

Authorities say BTC-e also connects to the heist of more than $500 million from the Tokyo-based Mt. Gox digital currency exchange.

That squares with research conducted by a Tokyo-based group of bitcoin security researchers called WizSec. "We won't beat around the bush with it: Vinnik is our chief suspect for involvement in the Mt. Gox theft - or the laundering of the proceeds thereof," the researchers say in a Thursday blog post.

While the group had previously named Vinnik as responsible, it says much of its legwork had previously been shared only with police. "Everyone who worked on the case has patiently kept quiet while forwarding findings to law enforcement so as not to tip suspects off and to maximize the chances of arrests," the group says.

Bitcoin Exchange Meltdown

Once the world's largest cryptocurrency exchange, handling 80 percent of all bitcoin trades, Mt. Gox went dark in spectacular fashion in February 2014, triggering an investigation by Japanese authorities.

At the time, Mt. Gox's CEO, French national Mark Karpeles, said that "weaknesses in our system" had been exploited to steal 850,000 bitcoins, then worth about $500 million, as well as $28 million in cash from bank accounts. He quickly filed for bankruptcy protection.

Earlier this month, 32-year-old Karpeles pleaded not guilty in Tokyo District Court to charges that he had embezzled funds and illegally manipulated related data, Reuters reports.

As a result of the Mt. Gox meltdown, Japan has become one of the first countries to regulate cryptocurrency exchanges at a national level to better protect investors.

WizSec Follow the Bitcoins

WizSec says that Mt. Gox's security troubles appear to have begun in September 2011, when "the Mt. Gox hot wallet private keys were stolen," allowing an unnamed hacker to steal "a sizable number of bitcoins immediately," as well as to drain bitcoins that were paid into any of the multiple bitcoin addresses contained in the wallet.

"Over time, the hacker regularly emptied out whatever coins they could spend using the compromised keys, and sent them to wallet(s) controlled by Vinnik," WizSec says. "By mid-2013, when the funds spendable from the compromised keys had slowed to a near halt, the thief had taken out about 630,000 BTC [bitcoins] from Mt. Gox."

WizSec says that the wallet abuse confused Mt. Gox's system "into mistakenly interpreting some of the thief's spending as deposits," thus leading to erroneous credits to some users' accounts, totaling another 40,000 bitcoins. "The majority of these funds were hurriedly withdrawn by their recipients rather than being reported."

The researchers say they traced 300,000 stolen Mt. Gox bitcoins being sent to BTC-e, where they were "presumably sold off or laundered," and noted that the other bitcoins were processed via other exchanges, and in some cases even via Mt. Gox. They say that other large cryptocurrency exchange thefts dating from 2011, including thefts from Bitcoinica and Bitfloor, also appear to have been laundered via wallets tied to Vinnik and BTC-e.

"Moving coins back onto Mt. Gox was what let us identify Vinnik, as the Mt. Gox accounts he used could be linked to his online identity 'WME,'" they say. "As WME, Vinnik had previously made a public outcry that coins had been confiscated from him - the coins in question coming from Bitcoinica."

Post to a bitcoin forum on June 7, 2012, that WizSec researchers say tied Vinnik to the online identity 'WME,' which had previously discussed bitcoins tied to the theft from Bitcoinica. (Source: Bitcoin Forum)

Potential Prison Sentence: 55 Years

On Tuesday, the BTC-e website announced that the bitcoin exchange was offline due to "unplanned data center maintenance."

Outage notice on the BTC-e homepage, pictured Thursday.

Vinnik was reportedly arrested in the Halkidiki region in northern Greece on the same day, after having arrived at the Greek city of Thessaloniki with his wife and children, apparently on vacation. If so, Vinnik is only the latest in a long line of accused hackers who have been arrested while on vacation, at the request of the U.S. government (see Hackers' Vacation Plans in Disarray After Prague Arrest).

If convicted of all charges filed against him, Vinnik faces 55 years in prison and at least $500,000 in fines, or else "twice the value of the property involved in the transaction."

The wide-ranging investigation into BTC-e involved the Internal Revenue Service, Department of Homeland Security's Homeland Security Investigations, FBI, U.S. Secret Service Criminal Investigative Division and the Federal Deposit Insurance Corp.'s Office of the Inspector General.

Meanwhile, the Department of the Treasury's Financial Crimes Enforcement Network, aka FinCEN, says it has fined BTC-e $110 million and Vinnik $12 million for willfully violating U.S. anti-money laundering laws.

"We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. AML laws," said Jamal El-Hindi, acting director of FinCEN.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
