Ransomware’s Hidden Connection To Moscow’s Swankiest Skyscraper

THE AUTHOR

John Dunn
April 8, 2022


Moscow’s Federation Tower is not particularly famous outside Russia, yet thousands of ransomware victims across the world might have an unwelcome connection to some of the companies operating from within its shimmering glass walls.

Designed by a German-based architect, the tower is in fact two skyscrapers of different heights, named simply Vostok (East) and Zapad (West), the former of which is said on its Wikipedia page to be the 55th tallest building in the world.

It’s the sort of brash modernity few associate with Russia, a country still colored by memories of Soviet-era dreariness. This image might be out of date. At some point in the last 20 years, Russia’s capital city upped its architectural ambitions and decided to start looking the part.

Illicit Exchange

One business sector that has really taken a shine to using the buildings as a base is cryptocurrency exchanges, a sector flush enough to afford sky-high rents.

The snag is that a growing list of these outfits are now being accused of facilitating criminal money laundering, including for ransomware gangs.

Ransomware.org first reported on this when covering the February Chainalysis report which identified the Federation Tower as a hotspot for criminals looking to cash in their ill-acquired cryptocurrency, no questions asked.

Hail Hydra?

More evidence of this has now emerged as part of the recent takedown by German police of the vast Hydra darknet market, which disappeared after its secret hosting provider was uncovered.

Darknet markets are the hubs that bind together the whole cybercrime underworld. Along with things like drug sales, it is here that stolen data is traded. These markets are like department stores for criminals. If an organization has a card or other valuable data stolen during ransomware extortion, these markets are where it will likely end up at some point.

Hydra’s business empire was huge, said by police to have had 17 million customers and an annual turnover of $1.35 billion in 2021, up from $10 million in 2016.

But according to U.S. authorities, one of the exchanges that allegedly made Hydra possible was Federation Tower occupant Garantex. This follows similar recent sanctions aimed at other exchanges in the same building.

Police have realised that just disrupting markets isn’t enough on its own—the money laundering exchanges must also be targeted at the same time. By compromising the market, it becomes possible to track and trace its customers and enablers.

For anyone whose job it is to stop ransomware, Hydra’s downing is good news. According to the U.S. Treasury, 86% of the illicit Bitcoins received by currency exchanges came from Hydra, including:

“Approximately $8 million in ransomware proceeds that transited Hydra’s virtual currency accounts, including from the Ryuk, Sodinokibi, and Conti ransomware variants.”

It’s one less market on which to trade data and, if the exchanges are affected, a more difficult path to laundering extorted funds.

Criminals, Hiding In Plain Sight

The Federation Tower is doubtless home to many perfectly innocent organizations. It’s also remotely possible that some of the exchanges are unaware of the origins of the transactions, or have simply chosen to turn a blind eye.

However, in the words of Chainalysis, others are clearly “making a concerted effort to serve a cybercriminal clientele.”

The fact that this all goes on in plain sight in a prestigious location in Russia’s capital city suggests something deeper has gone wrong. Criminality is a universal problem, but when it is this brazen, questions need to be asked.
