How the FBI's BTC-e database and sloppy opsec ensnared a Russian rapper and alleged crypto-launderer

Quick Take
- Maksim Boiko was arrested late last month on money laundering charges
- The U.S. Federal Bureau of Investigation alleges that Boiko is connected to the leadership of the transnational cybercrime group QQAAZZ
- This is the story of how information gleaned from the defunct BTC-e exchange continues to be leveraged in investigations.
The arrest last month of alleged Russian money launderer and aspiring rapper Maksim “Gangass” Boiko by agents of the Federal Bureau of Investigation highlights both the evolving ingenuity of organized cybercrime and the enduring preference for bitcoin among professional cybercriminals.
But the 29-year-old Russian’s flashy social-media footprint and his use of Apple’s iCloud also illustrate poor operational security, or “opsec.” What’s more, Boiko frequently traveled to the U.S., which has been pursuing suspected Russian cybercriminals with a vengeance since the 2016 election hack allegedly orchestrated by Kremlin-linked operatives.
The FBI has probable cause to believe that Boiko is connected to the leadership of the transnational cybercrime group, QQAAZZ, which laundered stolen funds for “numerous nefarious cybercriminal malware organizations,” according to the affidavit filed on March 27 by FBI agent Samantha Shelnick.
This affidavit, “submitted in support of an application for a criminal complaint and arrest warrant” for Boiko, alleges that the suspect “did knowingly and intentionally conspire and agree with other persons known and unknown, to commit money laundering” in the Western District of Pennsylvania and elsewhere since 2015. The FBI estimates that Boiko and QQAAZZ laundered “tens of millions of dollars” stolen from victims in the U.S. and throughout the world.
Investigators’ discovery of Boiko’s personal email account in a seized database of users of the rogue Russian crypto-exchange BTC-e helped the FBI build its case against the rapper, according to the affidavit. The bureau obtained the database either from its seizure of BTC-e’s servers, hosted at an Equinix data center in New Jersey, or from Greek police following their concurrent arrest of accused exchange operator and money launderer Alexander Vinnik in July 2017. The FBI declined to clarify which.
U.S. prosecutors allege that BTC-e was an “international money laundering scheme” catering to cybercriminals, one that processed between $4 billion and $9 billion in bitcoin alone over the six years it operated. That would make it the biggest laundromat in crypto history.
“The data from BTC-e showed that Boiko’s account had received $387,964 worth of deposits and had withdrawn approximately 136 Bitcoin,” reads Agent Shelnick’s affidavit. The prominence of BTC-e in the Boiko case is thus indicative of how the FBI is wielding intelligence sourced from the seized exchange database of high-risk users to build cases against cybercriminal suspects.
In this sense, BTC-e’s database is crypto’s analog to the leaked Mossack Fonseca emails and legal-entity-formation files obtained by the International Consortium of Investigative Journalists in 2016. Dubbed the ‘Panama Papers’ by the press, that leak is now driving significant money-laundering and tax-evasion prosecutions globally.
Arrest in Miami
In January, Boiko was detained and interviewed by U.S. Customs and Border Protection in Miami International Airport after landing in the U.S. with his wife, according to the affidavit. The FBI said that Boiko’s declaration of $20,000 in U.S. currency upon arriving in Miami initially aroused the CBP’s suspicion.
But given that the FBI had intercepted incriminating communications between Boiko and members of the QQAAZZ cyber-laundering gang, who were indicted by the Western District of Pennsylvania in January, it’s likely he was on law enforcement’s radar before his cash declaration tripped alarm wires.
Boiko’s Miami-based defense attorney, Chad Piotrowski, said his client wasn’t arrested until the last weekend of March. The Pittsburgh Post-Gazette reports that he was apprehended at a Miami condo on March 28.
“Tomorrow, I will drop a fresh freestyle,” reads Boiko’s last tweet, posted under his rap stage-name “Plinofficial” and dated March 27.
Boiko’s arrest follows the unsealing of federal money-laundering charges against five reputed QQAAZZ members and Latvian nationals in January. According to the QQAAZZ indictment, the gang “provided money laundering services to significant cybercriminal organizations that stole, and attempted to steal, money from unwitting U.S. and foreign victims” via bank account takeover (ATO) fraud.
Specifically, QQAAZZ clients fraudulently obtained the login credentials for victim bank accounts and wired stolen funds to drop accounts controlled by the laundering gang. Boiko and the other five QQAAZZ suspects are all facing “conspiracy to commit money laundering” charges, which carry a maximum sentence of 20 years apiece.
For now, Boiko remains incarcerated, awaiting his eventual transfer to Pittsburgh, while the COVID-19 outbreak sparks panic throughout Miami jails.
Probable cause
In his interview with the CBP, Boiko said he derived his income from bitcoin investments and rental properties in Russia. But according to Agent Shelnick’s affidavit, the FBI believes that Boiko is actually a “significant cybercriminal who launders money for other cybercriminals.”
The affidavit alleges that Boiko supports himself by providing other cybercriminals with access to QQAAZZ-controlled bank accounts for the purpose of receiving and laundering stolen funds. At times, funds stolen from victim bank accounts were converted by Boiko into bitcoin, authorities allege.
In fact, the affidavit cites screenshots and emails obtained under an FBI search warrant that suggest Boiko processed at least $35,000 in illicit-origin bitcoin he had deposited on Binance, in furtherance of QQAAZZ’s laundering scheme.
Also informing the FBI’s probable cause determination, wrote Agent Shelnick, is evidence of unexplained wealth, including photos scraped from Boiko’s Instagram and iCloud accounts that show him posing with “substantial sums of U.S. and foreign currencies dating back as far as 2015.”
As for the foreign currencies Boiko allegedly handled, another 2015 picture retrieved from the Russian’s Instagram account shows a large stack of Chinese yuan on a table, along with a sign that says “Maksim,” accompanied by the date.
The Chinese currency in the search-warrant evidence is key to this case, as the affidavit alleges that the QQAAZZ gang laundered some of the stolen funds through Chinese bank accounts in Hong Kong. In fact, the FBI cites email evidence obtained under the search warrant indicating that Boiko controlled one Bank of China account in Hong Kong that received stolen funds.
According to Andrei Barysevich, a cyber-threat intelligence researcher and the founder of anti-fraud consultancy Gemini Advisory, groups that offer bank drops in China, as QQAAZZ does, are representative of the most elite tranche of cyber-laundering organizations. These professional cyber-laundering groups will typically “only agree to receive the funds when they deal with at least a million dollars,” said Barysevich.
Beyond photos of Boiko’s extravagant lifestyle, the FBI obtained other incriminating evidence from screenshots of messages and bank-account information exchanged between Boiko, his QQAAZZ associates, and their cybercriminal clients, via the secure messaging service WhatsApp.
“While the WhatsApp chats were encrypted,” the FBI said, media sent from QQAAZZ co-conspirator Aleksejs Trofimovics’s WhatsApp number to Boiko and “other WhatsApp numbers, such as videos, pictures, documents, etc., were not encrypted and were stored in the [email protected] iCloud account.” This Gmail account is linked to Trofimovics, according to the FBI. The opsec lesson is a familiar one: end-to-end encryption protects a message in transit, not the copies a device or a cloud backup keeps afterward.
Not cited in the affidavit, but hard to miss: Boiko’s glorification of cybercrime in his music. A 2017 music video for his Russian rap banger “Night High” depicts a hooded man using a laptop to hack into and steal a BMW in a parking garage.
The future of money laundering
The ingenuity of the QQAAZZ conspiracy lies in its offer of “a global complicit bank drops service” to the cybercriminal underworld. The gang frequently advertised its “cash-out and money laundering services on elite, Russian-speaking online cybercriminal forums, such as Mazafaka and Verified,” according to the QQAAZZ indictment.
In the hierarchy of Russian cybercriminal forums, journalist Brian Krebs writes, Mazafaka is among the most “difficult to join - admitting only native Russian speakers and requiring each applicant to furnish a non-refundable cash deposit and ‘vouches’ or guarantees from at least three existing members.”
The QQAAZZ scheme begins like this: gang members register shell companies and open bank accounts, sometimes in their real names and, other times, using fake, or ‘synthetic,’ identification documents, according to Agent Shelnick’s affidavit.
Not mentioned by the FBI, but integral to these heists, is that QQAAZZ, after establishing a business banking relationship, had to “age the account,” according to Barysevich.
“You can’t just go into a bank and open the account and then launder two-million dollars through it the next week. You would have to maintain the visibility of a real business. This means you have to open a business credit card, use some legitimate looking transactions, you have to make some withdrawals, clear some checks, and receive some transfers.”
“It means you spend six months, maybe even twelve months, pumping up the account, getting ready for that one deal coming down the line,” added Barysevich. As such, QQAAZZ is also repurposing the mechanics of synthetic identity fraud (SIF) to mimic legitimate business activity.
In traditional synthetic fraud scams, individuals use fake identities - instead of stolen ones - to open personal bank accounts. They build credit histories until they are eligible for a large loan or credit card limit and then “bust-out,” absconding with money that they never intend to pay back to the bank. The FBI has called synthetic ID scams the “fastest growing financial crime in the United States.”
QQAAZZ employs SIF to operate its cyber-laundering network. Therefore, the gang represents the evolution of synthetic ID, from a fraud typology, into one that underpins more lucrative money-laundering scores.
After aging accounts enough to avoid fraud alerts on large transfers, QQAAZZ exchanges bank details with its cybercriminal clientele over Jabber (XMPP) chat, according to the affidavit. Those clients are generally botnet operators who obtain victims’ bank login credentials through phishing emails carrying credential-stealing malware and then take over the accounts.
In the U.S., QQAAZZ’s cybercriminal clients appear to have aggressively targeted businesses; the FBI affidavit cites three such victims. Unlike consumers, whose liability for unauthorized electronic transfers is capped under Regulation E of the Electronic Fund Transfer Act, business account holders get no such protection from their banks, which makes ATO fraud that much more devastating for them.
Once in possession of the wire instructions, cybercriminals initiate a fund transfer to a QQAAZZ-controlled bank account. After this first hop in the laundering chain, QQAAZZ wires funds to other bank accounts under its control or to “illicit ‘tumbling’ services where the funds were converted to cryptocurrency,” according to the affidavit.
The gang either transfers funds back to their clients as crypto or wires money back to accounts that their clients control. Poor information-sharing between banks, particularly in cross-border transactions, makes it difficult for institutions to detect fraud or anti-money-laundering breaches beyond the first hop of the illicit transaction chain.
Ultimately, the FBI affidavit says the fee QQAAZZ levies on cybercriminals to clean their money runs between 40% and 50%, many times the standard 3%-to-8% rate that cash launderers charge their underworld clients, according to a Homeland Security Investigations agent who requested anonymity.
The reason QQAAZZ’s service is so expensive is that the initial bank accounts used to receive stolen funds – which QQAAZZ established in the name of shell companies in countries like the UK, Portugal, Spain, Germany, Belgium, Turkey and the Netherlands – can only be used once.
As the first hop in fraudulent transfers, all of these business accounts will inevitably be shut down by internal bank compliance after the sending institution reports the unauthorized wire to the recipient bank. Thus, the sky-high laundering fees charged by QQAAZZ and similar organizations are directly correlated to the enhanced risk they are absorbing to clean the proceeds of bank fraud.
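Seen from the receiving bank’s side, the chain described above has a recognizable shape: a young business account with months of small, plausible “aging” activity suddenly receives one wire far larger than anything before it and pushes most of it out again, by wire or to a crypto venue, within a day or two. The following Python is an added example, not code from the affidavit, the FBI or The Block; it runs a simple first-hop pass-through rule over a constructed ledger with hypothetical account names, counterparties and amounts. The thresholds (wire size, look-back window, baseline multiple, pass-through ratio) are assumptions a real transaction-monitoring team would tune against its own book.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    amount: float        # credit (> 0) or debit (< 0) in account currency
    kind: str            # wire_in, wire_out, ach_in, card, check, crypto_out
    counterparty: str


# Constructed sample ledger for two hypothetical accounts (not data from the case).
# SHELL-UK-01 is "aged" with small, plausible activity, then receives one large wire
# and pushes almost all of it out within a day. LEGIT-LTD receives large wires every
# month and pays a supplier slowly, so its big credits are nothing unusual for it.
LEDGER = [
    Txn("SHELL-UK-01", datetime(2019, 1, 10), -120.0, "card", "OFFICE-SUPPLIES"),
    Txn("SHELL-UK-01", datetime(2019, 2, 1), 1500.0, "ach_in", "CLIENT-A"),
    Txn("SHELL-UK-01", datetime(2019, 2, 15), -400.0, "check", "UTILITY-CO"),
    Txn("SHELL-UK-01", datetime(2019, 3, 5), 2200.0, "ach_in", "CLIENT-B"),
    Txn("SHELL-UK-01", datetime(2019, 4, 2), -90.0, "card", "FUEL"),
    Txn("SHELL-UK-01", datetime(2019, 5, 20, 14, 0), 200000.0, "wire_in", "VICTIM-CORP"),
    Txn("SHELL-UK-01", datetime(2019, 5, 21, 9, 0), -180000.0, "wire_out", "HK-ACCT-7"),
    Txn("SHELL-UK-01", datetime(2019, 5, 21, 11, 30), -15000.0, "crypto_out", "EXCHANGE-X"),
    Txn("LEGIT-LTD", datetime(2019, 1, 15), 80000.0, "wire_in", "CUSTOMER-1"),
    Txn("LEGIT-LTD", datetime(2019, 2, 14), 85000.0, "wire_in", "CUSTOMER-2"),
    Txn("LEGIT-LTD", datetime(2019, 3, 15), 82000.0, "wire_in", "CUSTOMER-1"),
    Txn("LEGIT-LTD", datetime(2019, 3, 16), -30000.0, "wire_out", "SUPPLIER-A"),
    Txn("LEGIT-LTD", datetime(2019, 4, 15), 90000.0, "wire_in", "CUSTOMER-2"),
    Txn("LEGIT-LTD", datetime(2019, 4, 16), -70000.0, "wire_out", "SUPPLIER-A"),
]


def first_hop_alerts(ledger, *, large=50_000.0, baseline_days=90, baseline_mult=10.0,
                     window=timedelta(hours=48), passthrough_ratio=0.8):
    """Flag inbound wires that dwarf the account's recent history and leave again fast.

    Returns one dict per suspicious inbound wire. Thresholds are assumed values.
    """
    by_account = defaultdict(list)
    for t in ledger:
        by_account[t.account].append(t)

    alerts = []
    for account, txns in by_account.items():
        txns = sorted(txns, key=lambda t: t.ts)
        for i, t in enumerate(txns):
            if t.kind != "wire_in" or t.amount < large:
                continue
            # Largest credit in the look-back window before this wire. A business that
            # routinely receives wires of this size has a comparable prior credit; an
            # aged drop account has only the small "aging" traffic (or nothing at all).
            prior = [p.amount for p in txns[:i]
                     if p.amount > 0 and t.ts - p.ts <= timedelta(days=baseline_days)]
            baseline = max(prior, default=0.0)
            if t.amount < baseline_mult * baseline:
                continue
            # Money leaving again by wire or to a crypto venue inside the window.
            out = sum(-p.amount for p in txns[i + 1:]
                      if p.amount < 0 and p.kind in ("wire_out", "crypto_out")
                      and p.ts - t.ts <= window)
            if out >= passthrough_ratio * t.amount:
                alerts.append({
                    "account": account,
                    "wire_ts": t.ts,
                    "wire_amount": t.amount,
                    "counterparty": t.counterparty,
                    "prior_max_credit": baseline,
                    "out_within_window": out,
                })
    return alerts


if __name__ == "__main__":
    for a in first_hop_alerts(LEDGER):
        print(a)
```

Run stand-alone, it reports one alert, for the shell account, and none for the legitimate one. The baseline check is what stops the rule firing on a real business that routinely receives six-figure wires; the pass-through ratio is what separates a first hop from a customer that received a large payment and sat on it. As the text notes, a rule like this only helps the institution holding the first-hop account; hops further down the chain stay invisible to it without information-sharing between banks.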
The BTC-e nexus
The FBI linked Boiko to BTC-e via his email address [email protected], a nod to his rap persona. “The registrant using this email provided the name ‘Maksim Boiko’ and the username ‘gangass,’” reads the affidavit.
Investigators also retrieved a screenshot of text-message exchanges between Boiko’s phone and a phone used by one of Boiko’s cybercriminal clients. This screengrab shows a login to a website with the username “gangass,” the same username Boiko used on BTC-e.
Agent Shelnick’s affidavit cites BTC-e again in connection with a bitcoin transaction by an exchange account linked, via its email address, to QQAAZZ associate Trofimovics. The BTC-e account, “Atrofi95,” was registered to “Trofimovics in London with the corresponding email address [email protected],” according to the affidavit.
Authorities allege that Trofimovics’s Atrofi95 bitcoin wallet, registered on BTC-e, was used by QQAAZZ to transfer laundered funds back to cybercriminal clients.
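The pivoting this section describes, an identifier from one seized data set (an email address or username in the exchange’s user table) matched against identifiers that surface in other artifacts (a chat screenshot, an email header), is routine analyst work and worth seeing in code. The following Python is an added example, not the FBI’s tooling or anything from the affidavit; every username, email address, name and artifact in it is constructed for the illustration. It normalizes email addresses before matching (case, Gmail dot and plus-tag variants), pulls candidate identifiers out of free text, and reports each link together with the pivot that produced it.

```python
import re
from collections import defaultdict

# Constructed sample data: a slice of a seized exchange user table and three
# "artifacts" (an OCR'd chat screenshot, an email header, interview notes).
# All handles, addresses and names are hypothetical, not from the affidavit.
EXCHANGE_USERS = [
    {"username": "rapstar77", "email": "Rap.Star.77+btce@gmail.com",
     "name": "Sample Person A", "registered": "2014-11-03"},
    {"username": "atlas_ldn", "email": "atlas.ldn@example.co.uk",
     "name": "Sample Person B", "registered": "2015-06-21"},
    {"username": "noisefloor", "email": "noise@example.org",
     "name": "Sample Person C", "registered": "2016-01-09"},
]

ARTIFACTS = [
    {"id": "icloud-screenshot-01",
     "text": "Bro please ask about this login - atlas_ldn. A wire was sent on 07/22 for 45k"},
    {"id": "email-header-17",
     "text": "From: rapstar77@gmail.com\nSubject: account details"},
    {"id": "interview-notes-03",
     "text": "Subject states income is from bitcoin investments; contact email someone.else@example.net"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# "login: foo", "username = foo", "login - foo", as they appear in chats and OCR output
LOGIN_RE = re.compile(r"\b(?:login|username|user|acct)\b\s*[:=-]?\s*([A-Za-z0-9_.]{3,32})", re.I)


def normalize_email(addr):
    """Canonical form for matching: lower-case; for Gmail, drop dots and +tags in the local part.

    The dot/plus rule is Gmail-specific (assumed here); other providers treat dots as significant.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def extract_identifiers(text):
    """Return (emails, logins) found in free text, already normalized for matching."""
    emails = {normalize_email(m) for m in EMAIL_RE.findall(text)}
    logins = {m.lower().rstrip(".") for m in LOGIN_RE.findall(text)}
    return emails, logins


def pivot(exchange_users, artifacts):
    """Join a seized exchange user table against identifiers found in other artifacts.

    Each hit records which artifact linked to which exchange record and on what key,
    so an analyst can see whether a record is reached by one pivot or several.
    """
    by_email, by_login = defaultdict(list), defaultdict(list)
    for u in exchange_users:
        by_email[normalize_email(u["email"])].append(u)
        by_login[u["username"].lower()].append(u)

    hits = []
    for art in artifacts:
        emails, logins = extract_identifiers(art["text"])
        for key, index, found in (("email", by_email, emails), ("username", by_login, logins)):
            for value in sorted(found):
                for u in index.get(value, []):
                    hits.append({
                        "artifact": art["id"],
                        "pivot": key,
                        "value": value,
                        "exchange_username": u["username"],
                        "registered_name": u["name"],
                        "registered": u["registered"],
                    })
    return hits


if __name__ == "__main__":
    for h in pivot(EXCHANGE_USERS, ARTIFACTS):
        print(h)
```

Run stand-alone, it links the screenshot to the “atlas_ldn” record by username and the email header to the “rapstar77” record by email, and correctly finds nothing for the interview notes. A username match on its own is weak evidence, since handles collide across services; what makes the affidavit’s “gangass” link persuasive is that the same handle appears in the exchange registration, the email address and a client’s login screenshot, several independent pivots landing on the same record. Keeping the pivot key in each hit is what lets an analyst tell those cases apart.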
Also, one of the WhatsApp screenshots the FBI obtained from Boiko’s iCloud reveals October 2017 chats between two unknown parties, discussing the Atrofi95 BTC-e wallet in connection to a missing or delayed wire transfer.
“Bro, if it isn’t too much of a bother, please ask about this login – Atrofi95. A wire was sent to BTC-e on July 22nd for 45k,” writes one respondent. The date of the wire is significant as Vinnik was arrested on the beaches of Greece just three days later.
The other party in the screenshotted chat responded: “[g]otta contact Moneypolo,” a reference to one of the Mayzus Financial Services remittance subsidiaries that enabled fiat transfers into the crypto exchange.
Reputationally destroyed by the BTC-e scandal, Mayzus Financial Services has ceased operations, but its former majority owner, former Russian politician Sergey Mayzus, told The Block:
“Not one of the companies mentioned by the FBI was ever our client. Furthermore, I was not able to find the transaction mentioned in the affidavit.”
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

