A financial firm registered in Canada has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers, new research finds. Meanwhile, an investigation into the Vancouver street address used by this company shows it is home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which are physically located there.
Richard Sanders is a blockchain analyst and investigator who advises the law enforcement and intelligence community. Sanders spent most of 2023 in Ukraine, traveling with Ukrainian soldiers while mapping the shifting landscape of Russian crypto exchanges that are laundering money for narcotics networks operating in the region.
More recently, Sanders has focused on identifying how dozens of popular cybercrime services are getting paid by their customers, and how they are converting cryptocurrency revenues into cash. For the past several months, he’s been signing up for various cybercrime services, and then tracking where their customer funds go from there.
The 122 services targeted in Sanders’ research include some of the more prominent businesses advertising on the cybercrime forums today, such as:
- abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and PQHosting;
- sites selling aged email, financial, or social media accounts, such as verif[.]work and kopeechka[.]store;
- anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster;
- anonymous SMS services, including anonsim[.]net and smsboss[.]pro.
Sanders said he first encountered some of these services while investigating Kremlin-funded disinformation efforts in Ukraine, as they are all useful in assembling large-scale, anonymous social media campaigns.
According to Sanders, all 122 of the services he tested are processing transactions through a company called Cryptomus, which says it is a cryptocurrency payments platform based in Vancouver, British Columbia. Cryptomus’ website says its parent firm — Xeltox Enterprises Ltd. (formerly certa-pay[.]com) — is registered as a money service business (MSB) with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
Sanders said the payment data he gathered also shows that at least 56 cryptocurrency exchanges are currently using Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.
These platforms are built for Russian speakers, and they each advertise the ability to anonymously swap one form of cryptocurrency for another. They also allow the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — nearly all of which are currently sanctioned by the United States and other western nations.
An analysis of their technology infrastructure shows that all of these exchanges use Russian email providers, and most are directly hosted in Russia or by Russia-backed ISPs with infrastructure in Europe (e.g. Selectel, Netwarm UK, Beget, Timeweb and DDoS-Guard). The analysis also showed nearly all 56 exchanges used services from Cloudflare, a global content delivery network based in San Francisco.
“Purportedly, the purpose of these platforms is for companies to accept cryptocurrency payments in exchange for goods or services,” Sanders told KrebsOnSecurity. “Unfortunately, it is next to impossible to find any goods for sale with websites using Cryptomus, and the services appear to fall into one or two different categories: Facilitating transactions with sanctioned Russian banks, and platforms providing the infrastructure and means for cyber attacks.”
Cryptomus did not respond to multiple requests for comment.
PHANTOM ADDRESSES?
The Cryptomus website and its FINTRAC listing say the company’s registered address is Suite 170, 422 Richards St. in Vancouver, BC. This address was the subject of an investigation published in July by CTV National News and the Investigative Journalism Foundation (IJF), which documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.
Their inquiry found 422 Richards St. was listed as the registered address for at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But they found none of the MSBs or currency dealers were paying for services at that co-working space.
The reporters found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence these companies had ever arranged for any business services at that address.
Peter German, a former deputy commissioner for the Royal Canadian Mounted Police who authored two reports on money laundering in British Columbia, told the publications it goes against the spirit of Canada’s registration requirements for such businesses, which are considered high-risk for money laundering and terrorist financing.
“If you’re able to have 70 in one building, that’s just an abuse of the whole system,” German said.
Ten MSBs registered to 422 Richards St. had their registrations revoked. One company at 422 Richards St. whose registration was revoked this year had a director with a listed address in Russia, the publications reported. “Others appear to be directed by people who are also directors of companies in Cyprus and other high-risk jurisdictions for money laundering,” they wrote.
A review of FINTRAC’s registry (.CSV) shows many of the MSBs at 422 Richards St. are international money transfer or remittance services to countries like Malaysia, India and Nigeria. Some act as currency exchanges, while others appear to sell merchant accounts and online payment services. Still, KrebsOnSecurity could find no obvious connections between the 56 Russian cryptocurrency exchanges identified by Sanders and the dozens of payment companies that FINTRAC says share an address with the Cryptomus parent firm Xeltox Enterprises.
SANCTIONS EVASION
In August 2023, Binance and some of the largest cryptocurrency exchanges responded to sanctions against Russia by cutting off many Russian banks and restricting Russian customers to transactions in Rubles only. Sanders said prior to that change, most of the exchanges currently served by Cryptomus were handling customer funds with their own self-custodial cryptocurrency wallets.
By September 2023, Sanders said he found the exchanges he was tracking had all nested themselves like Matryoshka dolls at Cryptomus, which adds a layer of obfuscation to all transactions by generating a new cryptocurrency wallet for each order.
“They all simply moved to Cryptomus,” he said. “Cryptomus generates new wallets for each order, rendering ongoing attribution to require transactions with high fees each time.”
“Exchanges like Binance and OKX removing Sberbank and other sanctioned banks and offboarding Russian users did not remove the ability of Russians to transact in and out of cryptocurrency easily,” he continued. “In fact, it’s become easier, because the instant-swap exchanges do not even have Know Your Customer rules. The U.S. sanctions resulted in the majority of Russian instant exchanges switching from their self-custodial wallets to platforms, especially Cryptomus.”
Russian President Vladimir Putin in August signed a new law legalizing cryptocurrency mining and allowing the use of cryptocurrency for international payments. The Russian government’s embrace of cryptocurrency was a remarkable pivot: Bloomberg notes that as recently as January 2022, just weeks before Russia’s full-scale invasion of Ukraine, the central bank proposed a blanket ban on the use and creation of cryptocurrencies.
In a report on Russia’s cryptocurrency ambitions published in September, blockchain analysis firm Chainalysis said Russia’s move to integrate crypto into its financial system may improve its ability to bypass the U.S.-led financial system and to engage in non-dollar denominated trade.
“Although it can be hard to quantify the true impact of certain sanctions actions, the fact that Russian officials have singled out the effect of sanctions on Moscow’s ability to process cross-border trade suggests that the impact felt is great enough to incite urgency to legitimize and invest in alternative payment channels it once decried,” Chainalysis assessed.
Asked about its view of activity on Cryptomus, Chainalysis said Cryptomus has been used by criminals of all stripes for laundering money and/or the purchase of goods and services.
“We see threat actors engaged in ransomware, narcotics, darknet markets, fraud, cybercrime, sanctioned entities and jurisdictions, and hacktivism making deposits to Cryptomus for purchases but also laundering the services using Cryptomus payment API,” the company said in a statement.
SHELL GAMES
It is unclear if Cryptomus and/or Xeltox Enterprises have any presence in Canada at all. A search in the United Kingdom’s Companies House registry for Xeltox’s former name — Certa Payments Ltd. — shows an entity by that name incorporated at a mail drop in London in December 2023.
The sole shareholder and director of that company is listed as a 25-year-old Ukrainian woman in the Czech Republic named Vira Krychka. Ms. Krychka was recently appointed the director of several other new U.K. firms, including an entity created in February 2024 called Globopay UAB Ltd, and another called WS Management and Advisory Corporation Ltd. Ms. Krychka did not respond to a request for comment.
WS Management and Advisory Corporation bills itself as the regulatory body that exclusively oversees licenses of cryptocurrencies in the jurisdiction of Western Sahara, a disputed territory in northwest Africa. Its website says the company assists applicants with bank setup and formation, online gaming licenses, and the creation and licensing of foreign exchange brokers. One of Certa Payments’ former websites — certa[.]website — also shared a server with 12 other domains, including rasd-state[.]ws, a website for the Central Reserve Authority of the Western Sahara.
This business registry from the Czech Republic indicates Ms. Krychka works as a director at an advertising and marketing firm called Icon Tech SRO, which was previously named Blaven Technologies (Blaven’s website says it is an online payment service provider).
In August 2024, Icon Tech changed its name again to Mezhundarondnaya IBU SRO, which describes itself as an “experienced company in IT consulting” that is based in Armenia. The same registry says Ms. Krychka is somehow also a director at a Turkish investment venture. So much business acumen at such a young age!
For now, Canada remains an attractive location for cryptocurrency businesses to set up shop, at least on paper. The IJF and CTV News found that as of February 2024, there were just over 3,000 actively registered MSBs in Canada, 1,247 of which were located at the same building as at least one other MSB.
“That analysis does not include the roughly 2,700 MSBs whose registrations have lapsed, been revoked or otherwise stopped,” they observed. “If they are included, then a staggering 2,061 out of 5,705 total MSBs share a building with at least one other MSB.”
Nothing to see here, just Canada’s version of 1209 North Orange Street in Delaware :^)
“Nothing to see here” – Barbra Streisand shouted at the top of her lungs for effect. Sure Vlad.
Really not understanding the point of this post. The only thing that I got from this 2 page long word salad is “a crypto payment processor is using shell companies and virtual offices.”
Cryptomus doesn’t provide crypto to fiat exchanges, so I’m not really sure how it differs from NowPayments, Coinpayments, Coingate, or any of the other crypto processors that don’t provide fiat services.
You don’t see how a shady web of shell companies and fake addresses / people is different from other unrelated quasi-comparably legit services doing similar business? Thanks for reading the entire article so carefully though.
“Unfortunately, it is next to impossible to find any goods for sale with websites using Cryptomus, and the services appear to fall into one or two different categories: Facilitating transactions with sanctioned Russian banks, and platforms providing the infrastructure and means for cyber attacks.”
“I don’t see any difference!” ¯\_(ツ)_/¯
Globopay UAB Ltd?
UAB would suggest a Lithuanian business – like this one: https://globopay.eu/contacts.html. Which advertises the ability to buy cryptocurrency with your bank card…
Why are you even writing this idle talk? Is it even interesting to anyone? This is not true. Better write something interesting.
IT’S BETTER THROUGH forums to find payment systems, Russian financial technologies do not work for fagots yellow and blue, and fagots with segmented stars
Find a roof already Vlad and spread your wings.
I laughed way harder at this comment than I should have. Lol.
Why is Communist propaganda from morons fouling up this site? BK must have hit a remaining neuron…
More fun reading “Pidor” with the Russian accent of cartoon character Boris Badenov.
Honestly I have no idea what the point of this post is. Cryptomus is a merchant services provider to many legitimate services. The author took some “shady” ones and tried to make them look like the main business of cryptomus.
The usage of virtual addresses for office purposes is nothing special.
The author is trying to make “Russian” connection, while at the end of the article it turns out Ukrainian is behind it.
There are more interesting topics such as PerfectMoney recently closing user accounts.
Hey Tobias, do me a favor and go ahead and find legitimate businesses (not ones facilitating transactions with sanctioned banks and not infrastructure services advertised on illicit forums) and report back to us.
We’ll wait.
Okay Mr “Richard Sanders” “analyst”, here is very simple business. Didsoft. They sell proxy checking software and they accept cryptomus. Is this illegal, shady or illicit? I bought software from them.
If you guys actually explored anything, besides the underground forum maybe you’d start becoming less biased and providing useful data to your clients.
I could give more examples.
As another tip, I recommend doing a simple keyword search for “we accept cryptomus”.
Especially check lowendtalk forums. This is a forum for legitimate hosting companies, within 5 minutes of a simple Google search I found around 20-30 companies that accept cryptomus for their hosting services. Are they also all connected to Russians or illegal?
Do you seriously offer cryptocurrency analytics services?
“Russia” and “Ukraine” share a “border” actually, and cyber actors routinely operate between the two. It’s not uncommon at all whatsoever, you may be surprised to learn if but for the purposes of informing your future disinformation FUD. Shell companies operating out of the same physical location seems totes legit to you too, jamest222 oh sorry I mean Tobias? Yeah, nothing to see there obviously. The author “must have” invented all of this because Russophobia, da comrade.
“Nothing to see here” takes many forms, but why not right about PerfectMoney YOURSELF instead of trying to change BK’s subject multiple times with multiple handles, Vlad? It’s not going to work. Surrender to reality anytime.
You are not going to make people less interested by flailing your arms, inflatable Russian tube man. Give it up.
“right” is not the right way to spell “write”. Hopefully this can help you write right.
Nobody cares, AI.
You know what’s not a secret? That half of the Russia-based threat actors are now pretending to be Ukrainian or getting people in Ukraine to front their businesses so they don’t appear Russian.
Earlier this year, I wrote a story about the consumer data broker Radaris, which threatened to sue me for defamation unless I retracted the story. They claimed that I’d gotten it all wrong, and at the most basic level: They claimed that the founders were actually Ukrainian by birth and nationality, not Russian. But the true founder’s Facebook page said otherwise, that he was born in Moscow. It was all part of their plan to make the company appear to have Ukrainian origins, when all signs pointed to RU instead.
https://krebsonsecurity.com/2024/06/krebsonsecurity-threatened-with-defamation-lawsuit-over-fake-radaris-ceo/
There seems to be an awful lot of smoke here, presumably concealing a fire of illegal dealing by Putin and his cronies. The half-literate critiques of this article, so far, sound like Putin’s admirers at work.
I thought it was a good article, very well researched and informative. Sheds light for me how cybercriminals have adapted to sanctions and also how Russian service providers to hackers have organized their systems to take advantage of the legal requirements in Canada. Well done!
Seeing a lot of Russian trolls in this comment section…
Has anyone legit managed to get their hands on the Finastra data leak? It would be very interesting to identify the SWIFT activity related to Cryptomus.
Dear Brian, do you actually have a copy of Sanders’ research? It is not linked in your article, and, moreover, does not seem to exist on the CipherBlade website. A web search just reveals other websites that have copied your article verbatim. I would be most interested in reading it if you have a link to the PDF. Many thanks. Bobby
The Musk/Trump/Putin connection ties into this as well. Trump has been suspected of laundering money for Putin and Russia since the early 90s. Musk also has ties to Putin and the Trump admin wants to make crypto much more prevalent.
Reminds me of the book: “Secret Money: The World of International Financial Secrecy” by Ingo Walter. A great deal of information about the Black and Grey Markets.
That this is now being done via cryptocurrency is an interesting evolution over time.