Two years ago, the US government fined an international cybercriminal and his fraudulent bitcoin exchange over $100m. Now, it’s going after them for the money.
Attorneys for the US government filed a complaint in court last week against BTC-e and its operator Alexander Vinnik to recover civil penalties originally levied in 2017.
Authorities arrested Vinnik in July 2017 while in Greece on holiday with his family. At the same time, the US indicted him for laundering money through the site, and FinCEN levied civil penalties. It fined BTC-e $110m for facilitating ransomware and dark web drug sales, and fined Vinnik $12m for his role in the crimes. It was the first action that the regulator had taken against a foreign money services business operating in the US.
Opening in 2011, BTC-e served 700,000 users worldwide and was a popular money laundering tool for cybercriminals, according to the most recent indictment. They would use the exchange to convert money from cryptocurrency to fiat, including US dollars, euros, and rubles.
Legitimate cryptocurrency exchanges normally have to follow know-your-client rules by requesting official identification documents from clients. They also have to register with local regulators (in the US, that’s FinCEN). BTC-e wasn’t registered, and it also lacked even basic measures to identify its users, says the complaint:
To create an account, a user did not need to provide even the most basic identifying information, such as name, date of birth, address, or other identifiers. All BTC-e required to create a user account was a self-created username, password, and an email address.
Even though users created accounts under suspicious or suggestive usernames like “ISIS”, “CocaineCowboys”, “blackhathackers”, “dzkillerhacker”, and “hacker4hire”, the exchange failed to investigate them.
BTC-e used a selection of front companies to facilitate deposits and withdrawals from clients. This helped it avoid collecting information about users that would leave a central financial paper trail, the indictment alleges. It also helped it to cover up the fact that it did business with clients in the US.
Furthermore, when transferring cryptocurrencies between users, it used online mixing services, which aggregate currencies from many users and then redistribute them. This hides the ownership and history of otherwise-traceable bitcoin on the blockchain, like wiping a serial number.
All this activity enabled the company to profit from unfavourable exchange rates compared to FinCEN-registered exchanges, according to court documents.
BTC-e processed over 300,000 in funds stolen from Mt Gox, one of the first and most successful exchanges, which collapsed after a massive bitcoin theft in 2014. It also processed at least $3m in transactions from the Cryptolocker and Locky malware, according to FinCEN.
The latest indictment is now asking for the original $12m from Vinnik, but only $88,596,314 from BTC-e.
Vinnik is incarcerated in Greece, where the US, France, and Russia have been attempting to extradite him.