UK disrupts Russian money laundering networks used by ransomware
A law enforcement operation led by the United Kingdom's National Crime Agency (NCA) has disrupted two Russian money laundering networks working with criminals worldwide, including ransomware gangs.
Dubbed "Operation Destabilise," this international investigation has led to the arrest of 84 Russian-speaking suspects linked to the Smart and TGR criminal organizations, controlled by Russian Ekaterina Zhdanova and Ukrainian George Rossi.
"The networks also support Russian cyber criminals to launder their illicit profits. In 2021, Zhdanova laundered over $2.3 million of suspected ransoms paid in crypto by victims to the Ryuk ransomware group," the NCA said today.
"The NCA assesses that the group, members of which were sanctioned by the UK in 2023, was responsible for extorting at least £27m from 149 UK victims, including hospitals, schools, businesses and local authorities. However, their true impact is likely to be much higher."
Ryuk is a former ransomware-as-a-service (RaaS) operation that was active between 2018 and 2020, when the Wizard Spider cybercrime gang behind it switched to Conti ransomware. Conti also shut down operations two years later, in May 2022, when it split into multiple smaller units that either infiltrated existing ransomware gangs or launched their own new operations.
As part of Operation Destabilise, U.K. law enforcement has collaborated with many international partners, including the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), the FBI, the Drug Enforcement Agency, the French Direction Centrale de la Police Judiciaire, and Ireland's national police and security service, An Garda Síochána (AGS).
To disrupt the criminal rings' money laundering activities, the NCA has also worked closely with authorities in the United Arab Emirates (UAE).
"Operation Destabilise has exposed billion-dollar money laundering networks operating in a way previously unknown to international law enforcement or regulators," said Rob Jones, NCA's Director General of Operations.
"For the first time, we have been able to map out a link between Russian elites, crypto-rich cyber criminals, and drugs gangs on the streets of the UK. The thread that tied them together – the combined force of Smart and TGR – was invisible until now."
OFAC sanctioned Zhdanova in November 2023 for laundering millions in cryptocurrency for various individuals, including ransomware actors.
The list of other suspects linked to the two laundering networks exposed and disrupted today includes Elena Chirkinyan and Andrejs Bradens, who were sanctioned on Wednesday by OFAC together with Rossi.
Among other "services," Smart and TGR helped Russian elites and designated individuals and entities bypass sanctions and other financial restrictions to invest in Western economies.
Chirkinyan of the TGR Group also helped conceal fund transfers from Russia, likely to support a Russian-language media organization in the U.K. These funds are believed to have originated from Russia Today (RT), currently sanctioned in the U.K.
Additionally, the two money laundering networks' cryptocurrency addresses have been linked to transactions with Garantex, a cryptocurrency exchange sanctioned by the U.S. and the U.K. two years ago.
The cryptocurrency exchange has been associated with illegal transactions with the Hydra Market dark web platform and payments for components involved in Russian weapons used in Ukraine.