Alexander Vinnik, the operator of BTC-e exchange, pleaded guilty to money laundering
Alexander Vinnik, a Russian operator of the virtual currency exchange BTC-e, pleaded guilty to participating in a money laundering scheme.
Alexander Vinnik, a Russian national, pleaded guilty to conspiracy to commit money laundering for his involvement in operating the cryptocurrency exchange BTC-e from 2011 to 2017. BTC-e processed over $9 billion in transactions and served over one million users globally, including many in the United States. In July 2017, law enforcement shut down the virtual currency exchange.
Greek Police arrested the Russian national in 2017, and they accused the man of running the BTC-e Bitcoin exchange to launder billions worth of cryptocurrency.
The virtual currency exchange received criminal proceeds from various illegal activities, including computer intrusions, ransomware attacks, identity theft, corruption, and drug distribution.
Vinnik promoted unlawful activities carried out through BTC-e and was responsible for at least $121 million in losses.
“BTC-e had no anti-money laundering (AML) and/or “know-your-customer” (KYC) processes and policies in place, as federal law also requires. BTC-e collected virtually no customer data at all, which made the exchange attractive to those who desired to conceal criminal proceeds from law enforcement.” reads the press release published by DoJ. “BTC-e relied on shell companies and affiliate entities that were similarly unregistered with FinCEN and lacked basic anti-money laundering and KYC policies to electronically transfer fiat currency in and out of BTC-e. Vinnik set up numerous such shell companies and financial accounts across the globe to allow BTC-e to conduct its business.”
In July 2018, a Greek lower court agreed to extradite Vinnik to France to face charges of hacking, money laundering, extortion, and involvement in organized crime.
French authorities accused Vinnik of defrauding more than 100 people in six French cities between 2016 and 2018.
French prosecutors revealed that among the 188 victims of Vinnik's attacks there were local authorities, businesses, and individuals across the world.
In June, New Zealand police had frozen NZ$140 million (US$90 million) in assets linked to a Russian cyber criminal. New Zealand police had worked closely with the US Internal Revenue Service on the case and the investigation is still ongoing.
Vinnik denied the charges of extortion and money laundering and did not answer magistrates' questions; his lawyer also announced that he is evaluating whether to appeal.
French prosecutors believe Vinnik was one of the authors of the Locky ransomware that was also employed in attacks on French businesses and organizations between 2016 and 2018.
At his trial, Vinnik explained that he was not the kingpin of the organization; he claimed to have served only as a technical operator executing the instructions of BTC-e directors.
Vinnik was convicted of money laundering but prosecutors didn’t find enough evidence to convict him of extortion.
“The court convicted Vinnik of money laundering but didn’t find enough evidence to convict him of extortion, and stopped short of the 10-year jail term and 750,000 euros in fines that prosecutors had requested.” reported the Associated Press.
“One of his French lawyers, Ariane Zimra, said his conviction for money laundering “doesn’t make sense,” arguing that cryptocurrency is not legally considered “money.”
Subsequently, Vinnik returned to Greece before being extradited to the U.S.
“Today’s result shows how the Justice Department, working with international partners, reaches across the globe to combat cryptocrime,” said Deputy Attorney General Lisa Monaco. “This guilty plea reflects the Department’s ongoing commitment to use all tools to fight money laundering, police crypto markets, and recover restitution for victims.”
In February, the U.S. charged Aliaksandr Klimenka, a Belarusian and Cypriot national linked with the cryptocurrency exchange BTC-e. The man is facing charges of money laundering conspiracy and operation of an unlicensed money services business.
According to the indictment, Klimenka allegedly controlled the platform BTC-e with Alexander Vinnik and others. Klimenka also allegedly controlled a technology services company named Soft-FX, and the financial company FX Open.
The servers that were hosting the BTC-e were maintained in the United States, and according to the DoJ, they were allegedly leased to and maintained by Klimenka and Soft-FX.
Last Week in Security (LWiS) - 2024-05-06
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-29 to 2024-05-06.
News
- FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data - The real question is how much did these companies profit from this data before they were caught?
- BBC presenter's likeness used in advert after firm tricked by AI-generated voice - It's happening. Deep-phishing perhaps is the term? Are you/your customers ready? Can you simulate this attack?
- JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories - "nearly 20% of these public repositories (almost three million repositories!) actually hosted malicious content."
- A recent security incident involving Dropbox Sign - Where the juicy data goes, so go the attackers. This was an acquisition (HelloSign) from 2019, so it should have been fully integrated into Dropbox's security practice by now.
- Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme - A Ukrainian national was sentenced today to 13 years and seven months in prison and ordered to pay over $16 million in restitution for his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments. A rare conviction in the ransomware scene.
- What's new in Windows Server 2025 (preview) - Microsoft has decided to change the default on #pre2k computer accounts and has removed the checkbox entirely in upcoming server releases.
Techniques and Write-ups
- Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes - Per usual, amazing post by Dirk-Jan. Passwordless persistence and Entra-ID <-> On-Prem tradecraft. Must read.
- Uncharmed: Untangling Iran's APT42 Operations - Tradecraft details including their use of social engineering for initial access and credential harvesting. NGOs and journalists are being targeted.
- SCCM Exploitation: Compromising Network Access Accounts - An article on how fruitful Network Access Accounts are along with some mitigation and detection guidance. Even comes with wazuh and elastic parsers and rules! Thorough work.
- ADCS Attack Paths in BloodHound — Part 2 - New edges introduced with ADCS support in bloodhound.
- How I hacked into Google's internal corporate assets - Spoiler alert: dependency confusion. Has anyone used this technique on a red team?
- CVE-2024-2887: A Pwn2own Winning Bug in Google Chrome - Type confusion in web assembly leads to shellcode execution in the V8 sandbox.
- Why sneak when you can walk through the front door - A Love letter to Password Spraying against M365 in Red Team Engagements - Great advice on performing a responsible password spray. The internal phish post-access is especially deadly.
- Manual LDAP Querying: Part 2 - Be careful with these (and Sharphound) as mature defenders will detect strange queries (like the SPN query).
- Code Injection to RCE with .NET - A real-life write up on a web app .NET injection and how it was turned into RCE.
- Sleeping Safely in Thread Pools - A new-to-red-teams (seen in the wild) technique to protect sleeping threads with thread pools.
- It's Morphin' Time: Self-Modifying Code Sections with WriteProcessMemory for EDR Evasion - This post introduces a novel self-injection technique for EDR evasion.
- Identifying Cross References with Capstone Disassembler and PEFile - Learn how to programmatically identify cross-references in malware code using Capstone Disassembler and PEFile in Python.
- Leash the Hounds: How to Stop LDAP Recon Attacks - Strategies to mitigate LDAP reconnaissance attacks using the LDAP Firewall for enhanced security and efficient auditing. ldapfw is the tool.
- DLS 2024 - RedTeam Fails - "Oops my bad I ruined the operation" - Examples of basic OPSEC mistakes during red team assessments.
- CFG in Windows 11 24H2 - Explore how Windows 11's 24H2 update integrates Control Flow Guard with hotpatching to enhance system security and efficiency.
- Tale of Code Integrity & Driver Loads - The article discusses how the Core Isolation user setting in Windows affects the process of driver loading, particularly focusing on Virtualization-based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI).
- Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell - 2MB of env variables from production Github.com and RCE. What a bug!
- Virtualizing iOS on Apple Silicon - Some impressive low-level hacking.
Tools and Exploits
- okta-terrify - Okta Verify and Okta FastPass Abuse Tool.
- cognito-scanner - A simple script which implements different Cognito attacks such as Account Oracle or Privilege Escalation.
- KExecDD - Admin to Kernel code execution using the KSecDD driver.
- Python-Beacon - Python files to aid with shellcode execution.
- PPPwn - PPPwn - PlayStation 4 PPPoE RCE.
- SharpGraphView - Microsoft Graph API post-exploitation toolkit.
- symbolizer-rs - A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Hypervisor-Detection - Detects virtual machines and malware analysis environments.
- wstunnel - Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available.
- puter - 🌐 The Internet OS! Free, Open-Source, and Self-Hostable.
- Installomator - Installation script to deploy standard software on Macs.
- blint - BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
- (The) Postman Carries Lots of Secrets - Don't sleep on Postman secrets!
- QCSuper - QCSuper is a tool for communicating with Qualcomm-based phones and modems, allowing you to capture raw 2G/3G/4G radio frames, among other things.
- proxybroker2 - The New (auto rotate) Proxy [Finder | Checker | Server]. HTTP(S) & SOCKS 🎭.
- JS-Tap - JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients.
- git-rotate - Leveraging GitHub Actions to rotate IP addresses during password spraying attacks to bypass IP-Based blocking.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.