# Full Report
A financial firm registered in Canada has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers, new research finds. Meanwhile, an investigation into the Vancouver street address used by this company shows it is home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges -- none of which are physically located there.
# Analysis Summary
# Threat Actor: Cryptomus Ecosystem (Financial Facilitator)
## Attribution & Identity
The primary focus is on the infrastructure facilitating illicit financial activity, centered around the payment processor **Cryptomus**.
* **Primary Entity:** **Cryptomus** (a cryptocurrency payments platform based in Vancouver, British Columbia).
* **Parent/Associated Firm:** **Xeltox Enterprises Ltd.** (formerly certa-pay\[.\]com), which is registered as a Money Service Business (MSB) with FINTRAC.
* **Key Individual (Investigator Focus):** **Richard Sanders** (blockchain analyst whose research exposed this network).
* **Related Entities/Individuals (Identified through domain adjacency/ownership links):** **Vera Krychka**, associated with entities like Globopay UAB Ltd, WS Management and Advisory Corporation Ltd. (which oversees licenses for Western Sahara's central authority), and Czech firms Icon Tech SRO/Mezhundarondnaya IBU SRO.
## Activity Summary
This ecosystem facilitates the financial operations of dozens of cybercrime services and Russian cryptocurrency exchanges.
* **Core Function:** Cryptomus acts as the payment processor, enabling cybercrime entities to accept cryptocurrency payments and convert them to cash, often into accounts at sanctioned Russian banks.
* **Involvement in Cybercrime:** The services tracked (122 in total) are prominently advertised on cybercrime forums.
* **Investigative Trigger:** Identified by blockchain analyst Richard Sanders while tracking payments for Russian crypto launderers and subsequently analyzing how prominent cybercrime services receive payment.
## Tactics, Techniques & Procedures
The TTPs described relate to the **financial infrastructure** supporting cybercrime, rather than direct intrusion techniques:
* **Financial Obfuscation:** Using a seemingly legitimate Canadian MSB registration (Cryptomus) to process illicit funds.
* **Infrastructure Hosting:** Associated cybercrime exchanges heavily rely on Russian or Russia-backed Internet Service Providers (ISPs) such as Selectel, Netwarm UK, Beget, Timeweb, and DDoS-Guard for hosting.
* **Domain Registration/Utilization:** Use of specific Russian email providers and Cloudflare services for content distribution.
* **Shell Registration:** The primary address in Vancouver (Suite 170, 422 Richards St.) is a known cluster address for shell financial businesses registered in Canada (a tactic observed by IJF/CTV News).
* **Disputed Territory Connection:** Links found between associated financial entities (via domains like rasd-state\[.\]ws) and the Central Reserve Authority of the disputed territory of Western Sahara.
## Targeting
* **Sectors:** Cybercrime services (e.g., bulletproof hosting, account sales, proxy providers), and Financial Services (specifically cryptocurrency exchanges dealing with sanctioned Russian banks).
* **Geography:** Operations primarily target **Russian-speaking customers**. Hosting infrastructure points toward Russia and Russia-backed European locations. The financial nexus is registered in **Canada** (Vancouver).
* **Victims:** End-users of cybercrime services, and by extension, the targets of sanctioned Russian banks conducting illicit transactions.
## Tools & Infrastructure
* **Cybercrime Service Categories utilizing Cryptomus:**
    * Abuse-friendly hosting (e.g., anonvm\[.\]wtf, PQHosting).
    * Account sales (e.g., verif\[.\]work, kopeechka\[.\]store).
    * Anonymity/Proxy providers (e.g., crazyrdp\[.\]com, rdp\[.\]monster).
    * Anonymous SMS services (e.g., anonsim\[.\]net, smsboss\[.\]pro).
* **Cryptocurrency Exchanges (Examples):** casher\[.\]su, grumbot\[.\]com, flymoney\[.\]biz, obama\[.\]ru, swop\[.\]is.
* **Infrastructure Providers:** Selectel, Netwarm UK, Beget, Timeweb, DDoS-Guard (Hosting/ISPs); Cloudflare (CDN).
* **Associated Domains (Defanged):** anonvm\[.\]wtf, verif\[.\]work, kopeechka\[.\]store, crazyrdp\[.\]com, rdp\[.\]monster, anonsim\[.\]net, smsboss\[.\]pro, casher\[.\]su, grumbot\[.\]com, flymoney\[.\]biz, obama\[.\]ru, swop\[.\]is, certa\[.\]website, rasd-state\[.\]ws, crasadr\[.\]com.
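The defanged domain list above is the operational takeaway of this section for a defender: it only becomes useful once it is refanged into a watchlist and checked against resolver or proxy telemetry. The following Python script is an added example written for this summary, not code from the report or from any of the organizations it names. It copies the report's indicators verbatim, normalizes common defanging conventions (`[.]`, `(.)`, `hxxp://`, trailing paths), and matches DNS query names label-by-label so that subdomains of a listed domain hit while look-alikes such as `notcasher.su` do not. The log format and every log line are constructed for the example; adapt `DNS_LOG_RE` to your resolver's actual output.

```python
import re
from typing import Iterable, Optional

# Defanged indicators copied exactly from the report's "Associated Domains" list.
REPORT_INDICATORS = [
    "anonvm[.]wtf", "verif[.]work", "kopeechka[.]store", "crazyrdp[.]com",
    "rdp[.]monster", "anonsim[.]net", "smsboss[.]pro", "casher[.]su",
    "grumbot[.]com", "flymoney[.]biz", "obama[.]ru", "swop[.]is",
    "certa[.]website", "rasd-state[.]ws", "crasadr[.]com",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions: [.] (.) {.} and hxxp(s)://."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def normalize_domain(indicator: str) -> str:
    """Reduce a refanged indicator (possibly a URL) to a bare registrable host name."""
    s = refang(indicator)
    s = re.sub(r"^https?://", "", s)        # drop scheme if the IoC was a URL
    s = s.split("/")[0].split(":")[0]       # drop path and port
    return s.rstrip(".")                    # drop FQDN trailing dot


def build_watchlist(indicators: Iterable[str]) -> set:
    return {normalize_domain(i) for i in indicators}


def domain_matches(query: str, watchlist: set) -> Optional[str]:
    """Return the watchlisted domain that `query` equals or is a subdomain of.

    Matching is done on whole labels, so 'api.kopeechka.store' matches
    'kopeechka.store' but 'notcasher.su' does not match 'casher.su'.
    """
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed resolver log format for this example (not a real product's format).
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

# Constructed sample log lines; the hosts are taken from the report's IoC list.
CONSTRUCTED_DNS_LOG = """\
2025-03-01T09:12:03Z client=10.20.4.17 query=api.kopeechka.store type=A
2025-03-01T09:12:09Z client=10.20.4.17 query=www.example.com type=A
2025-03-01T09:13:44Z client=10.20.7.2 query=crazyrdp.com. type=A
2025-03-01T09:14:01Z client=10.20.7.2 query=notcasher.su type=A
2025-03-01T09:15:30Z client=10.20.9.8 query=rasd-state.ws type=AAAA
"""


def scan_dns_log(lines: Iterable[str], watchlist: set) -> list:
    """Return one hit record per log line whose query name is on the watchlist."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        indicator = domain_matches(m.group("qname"), watchlist)
        if indicator:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "query": m.group("qname"),
                "indicator": indicator,
            })
    return hits


if __name__ == "__main__":
    wl = build_watchlist(REPORT_INDICATORS)
    for hit in scan_dns_log(CONSTRUCTED_DNS_LOG.splitlines(), wl):
        print(f"{hit['ts']} {hit['client']} queried {hit['query']} -> matches {hit['indicator']}")
```

Hits from this kind of match are an investigation lead rather than proof of compromise: several of the listed services (RDP resellers, SMS relays) have legitimate-looking front ends, so pair the alert with the querying host's process and user context before acting on it.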
## Implications
This ecosystem highlights the critical role of seemingly legitimate Canadian financial registration and registration clustering (shell incorporation at shared addresses) in providing cover for high-volume cybercrime revenue processing and the circumvention of sanctions against Russian financial institutions. This presents a significant money laundering vector.
## Mitigations
* Enhanced due diligence (EDD) for Money Service Businesses (MSBs) registered in high-cluster addresses in Canada.
* Continuous monitoring by organizations like FINTRAC regarding the ultimate beneficiaries and transactional behavior of registered MSBs like Cryptomus/Xeltox Enterprises Ltd.
* Tracking the conversion of cryptocurrency at exchanges that specifically allow off-ramping into accounts at sanctioned Russian banks.