The Business Times

Behind the crypto broker accused of enabling ransomware hackers

Published Tue, Oct 5, 2021 · 05:50 AM

Oakland, California

A CRYPTOCURRENCY broker that the Biden administration considers a key cog in the recent ransomware epidemic is legally registered in the Czech Republic but doesn't appear to have an office there. It may be operating out of Moscow's tallest skyscraper despite its not being listed at the address.

It earned the distinction last month of being the first crypto exchange to be blacklisted by the US as governments try to stem further attacks. And while it denies any part in the recent spate of cyber crimes, experts say it's a prime example of a shadowy corner of the industry that has allowed hackers to thrive by giving them the means to launder millions of dollars in illicit digital proceeds through "nested" middlemen that tap larger exchanges to process transactions.

Suex OTC, a virtual currency exchange, is a transactions platform that allows cryptocurrency traders to buy and sell digital coins. It is accused by the US of mixing legitimate digital currency trades with illegal transfers from ransomware gangs, allowing them to launder profits from the kind of attacks that have crippled hospitals, businesses, school districts and even a major US fuel pipeline.

The US Treasury Department alleges that Suex has played an integral role in helping criminal hackers clean and cash out their loot, mostly Bitcoin paid by ransomware victims, before converting it to a traditional currency.

"There is an illicit underbelly that's formed in this ecosystem," said Todd Conklin, counsellor to the deputy secretary of the Treasury. "We haven't yet cleansed the entire ecosystem and we're definitely continuing to investigate other nested exchanges and mixers, like Suex."

Since at least 2018, Suex has converted cryptocurrency holdings into cash inside brick-and-mortar offices in Moscow, St Petersburg and possibly in the Middle East, according to Chainalysis, a blockchain forensics firm specialising in following the movement of digital currencies whose clients have included US federal agencies.

Suex is legally registered in the Czech Republic but apparently doesn't have an office there, according to Chainalysis. At the official address in a nondescript house in Prague's Old Town, there's a clothing store and antiques shops on the ground floor, and several residential units and a law firm. The law firm at the address where Suex is registered specialises in incorporation and corporate governance services. A person at the firm who answered a call from Bloomberg denied having any knowledge of Suex and hung up the phone.

The company does appear to be operating from Moscow's 97-story-high Federation Tower East building, according to Chainalysis. There's no public directory of tenants at the entrance, and the receptionist bans entry to anyone who hasn't been invited. While, per the building's management, Suex's name isn't listed at the address, a company called Art of Web - which counts Egor Petukhovsky, Suex's chief executive officer and largest shareholder - is.

Suex's Mr Petukhovsky didn't respond to requests for comment. He denied in a recent Facebook post that he or his business helped launder money for hackers and vowed to "firmly defend my name in litigation" in the US. "I believe in independent justice and hope to come back to normal life as soon as possible," he said. Other Suex officials couldn't be located for comment.

With Suex added to the Treasury Department's list of sanctioned entities, US-based companies and individuals are prohibited from conducting any transactions with it. While these sanctions will likely do little to expose Suex to legal authorities half a world away, the Biden administration is hoping it may dissuade US-based ransomware victims from quickly paying ransom to resolve their ordeal.

Brokers like Suex don't typically build their own software systems to execute cryptocurrency trades. Instead, these operators trade on third-party crypto exchanges. The Treasury Department declined to identify which exchanges it believes Suex had utilised except to say "several".

Regulators globally have called for tighter enforcement and regulations requiring exchanges to collect data to identify their clients. Suex has so far received at least US$160 million in Bitcoin from illicit and high-risk sources since 2018, according to Chainalysis. If this is correct, that's about 40 per cent of Suex's known transaction history linked to the activity of hackers, including nearly US$13 million from some of the more infamous ransomware groups - Ryuk and Conti - according to Chainalysis.

Despite Suex's denial, the Treasury Department's crackdown should, at least temporarily, narrow the illicit pipeline of digital currency transfers, according to Tom Robinson, co-founder of blockchain forensics firm Elliptic. "It means one less place for ransomware gangs to cash out their earnings, although there are still plenty of other ways they can still do that," he said. BLOOMBERG
