The Internal Revenue Service's Criminal Investigation unit is helping Ukraine's Cyber Police Department uncover efforts by Russia to fund the war through cryptocurrency as a way to evade international sanctions.
As part of its partnership with the law enforcement authorities in Ukraine, IRS-CI donated licenses for the cryptocurrency investigations program Chainalysis Reactor to up to 15 users. Approximately 50 Ukrainian law enforcement officers participated in a virtual training in April, and a more advanced, in-person training is taking place May 11-16 with nearly 20 Ukrainian investigators in Frankfurt, Germany.
The training provides hands-on instruction in blockchain and cryptocurrency tracing, along with instructions on developing operational leads. The Cyber Police Department of the National Police of Ukraine, the Economic Security Bureau of Ukraine, the Department of Cyber and Information Security of the Security Service of Ukraine and the Prosecutor General's Office of Ukraine are all participating in the sessions.
"This is the latest step in our work with our Ukrainian allies," said IRS-CI chief Jim Lee during a press conference Thursday. "We're continuing to work on Russian sanction cases as part of the Crypto Capture Task Force. I remember about a year ago speaking at a conference in London when I first heard the news that the war in Ukraine had started. Now here we are, a year later, and I find myself being able to stand with my Ukrainian partner shoulder to shoulder in an incredibly important partnership. It's a scary place today. Let's not pretend any of us on the line understand what our Ukrainian friends are going through. They've lived in a country of war for more than a year, yet they're here to sharpen their skills in this cyber arena. They're called to service like many of us are here this week, but they've left their family and friends behind in uncertain situations back home, while they traveled here to Frankfurt today for this training event."
Police in Ukraine are seeing ransomware attacks and other cyberattacks coming from Russia, as well as fundraising through crypto as a way to circumvent international sanctions.
"Today, the Cyber Police counteracts not only the usual facts of crime, but also provides resistance to Russian forces on the internet," said Yurii Vykhodets, police colonel of the Cyber Police Department of the National Police of Ukraine, in a statement. "One key area is the identification and elimination of centers of support for occupation forces that raise funds for the purchase of things necessary for the war. We often see fundraising campaigns conducted with the use of cryptocurrency, as Russia believes in the possibility of circumventing sanctions by using virtual assets. The training is timely and provides a strong impetus for more effective work by the Cyber Police in this area. We are grateful for this initiative, as well as other projects aimed at developing our employees."
IRS Criminal Investigation and tax authorities in the five countries collectively known as the J5 — the U.S., the U.K., Canada, Australia and the Netherlands — have been partnering with Chainalysis in recent years to detect cybercriminals and fraudsters who use crypto in the hopes of evading law enforcement.
"From facilitating donations to support Ukraine, to payments to Russian ransomware actors and attempts at sanctions evasion, we see that cryptocurrencies are playing an unprecedented role in Ukraine today," said Chainalysis CEO Michael Gronager during the press conference. "It happens in both good and bad ways."
Pro-Russian groups were initially soliciting crypto donations to support the war, but that activity has declined more recently.
"We've seen over the course of the last year that around 100 different groups have been identified, and around $5 million of donations have been received," said Gronager. "However, those donations have waned over the course of the year. We've also seen the potential for Russian sanctions evasion."
Crypto is too illiquid to support massive flouting of sanctions against Russia, but it's happening on a relatively small scale. Ransomware has been a greater threat.
"On the bad side, we still see ransomware being very real," said Gronager. "We have identified in our crypto crime report close to half a billion in ransomware payments in 2022. The majority of that has been attributed to Russian actors. That goes all over the world, and it's a problem everywhere."
The analytical software is helping Ukrainian authorities ferret out other sources of financing for the war.
"It is important for us to identify all Russian assets on the territory of Ukraine," said Eduard Fedorov, acting director of the Economic Security Bureau of Ukraine, in a statement. "We resist the aggressor state not only on the battlefield, but also on the economic front. The international experience of conducting investigations using digital data and the study of algorithms for combating financial networks contributes to increasing the professionalism of our employees."
Crypto is also being used in ransomware attacks by Russian cybercriminals as a form of payment.
"If you look at what has happened over the many years, there has been nation state-sanctioned cybercrime happening from Russia," said Gronager. "That's typically ransomware operators in Russia attacking anything from infrastructure to individuals globally. By nation state sanctioned, I mean that if you are operating within Russia and having a ransomware campaign directed toward the U.K., Germany, the U.S. or any other place in the globe, you're basically safe in Russia. You're not going to be extradited or prosecuted, and you basically get to keep the loot. When I talk about the roughly half a billion over the last year that's been collected that way, that should be seen in a slightly different way. That's not money that necessarily goes to support the war. It might be money that goes to support criminal organizations within Russia, giving them opportunities to have a happy life. But it will at the same time cause harm for everyone that's on the other side of these ransomware campaigns, and that's why it's a big concern."
The activity can involve money laundering as well.
"Most of our outward-facing cases that most are well aware of have been in the money-laundering realm, associated with bad actors," said Lee, pointing to high-profile cases in the U.S. and other parts of the world involving Hydra, Bitfinex, Silk Road and Welcome to Video. "We don't shy away from tax investigations as well, especially if there's a filing requirement of somebody in the States. I have hundreds of cases in inventory, and three years ago a very high percentage involved money laundering. Now, three years later, half of those involve a tax charge where somebody has a U.S. filing requirement. It's not just money laundering. Oftentimes, those cases boil down to a charging strategy at the Department of Justice, and how long they actually want this case to go on before a charge comes."
On the other hand, crypto has been playing a positive role, as supporters of Ukraine have been making donations via crypto to aid Ukraine with the war relief effort.
"That's everything from helping the war directly to helping with humanitarian aid and other things in Ukraine," said Gronager. "So far, we've seen around $70 million in donations going toward Ukraine."
Crypto has also been helping Ukraine by allowing ordinary people to transact business.
"In a country at war, there's an economical system that's under pressure, and crypto here is actually another way that you can enable the country to transact and have a functioning economic system," said Gronager. "We've monitored different countries worldwide where they rank in terms of crypto adoption, and Ukraine is right now No. 3 in the world in terms of crypto adoption when you measure it throughout 2022. In addition to helping the war effort, cryptocurrency donations are likely to encourage and increase adoption and strengthen the economy that is hampered by the war."