
Russian Intelligence suffers another defeat: Covert Crypto Funding Network Exposed

Intelligence work is carried out in the shadows, but lately, Russian intelligence has been in the spotlight for its failings. The latest setback sheds light on a covert funding network for the Kremlin’s clandestine services.

An anonymous hacker calling themselves GRU Khakir burned $300,000 in Bitcoin to publicize 986 BTC wallets allegedly controlled by the GRU, military intelligence, the SVR, foreign intelligence, and the FSB, the federal security service. 

For some reason, it flew mostly under the radar. Media outlets not focused on crypto mostly ignored the story. Perhaps reporters don’t want to explain stuff that is hard. Perhaps editors think the audience is too dumb. 

Whatever the reason, they ignored an important story, and I’m gonna explain why. First, it’s important to understand the cloak-and-dagger game between the West and Russia and see it as one event in a long-term great power competition. Seen through this lens, the manifold shutdown of Russian intelligence capabilities comes out in stark relief. 

Spies, Hackers, and Trolls, Oh My! 

According to the Kremlin, Russian hackers are indubitably the best in the world. Russian intelligence has a history of punching above its weight against the West. Until very recently, the Russians have run circles around their U.S. counterparts in the realm of cyberwarfare. 

Russia’s top government hackers work in an office of the GRU, the military intelligence directorate, and the unit is known as APT 28 (“Advanced Persistent Threat 28”) or “Fancy Bear.”

This notorious hacking group has been weaponizing stolen data since at least 2008, targeting government, defense, aerospace, healthcare, research, media, and financial institutions. Since then, they have increasingly employed phishing, custom malware, DDoS attacks, smear campaigns, and black propaganda in cyberespionage and subversion operations. What a fun job description!

When the Kremlin realized the potential of meddling in the political and economic systems of the West, they decided to go all in. Fancy Bear has been behind various high-profile corporate cyber crimes and information dumps in the U.S., Germany, Italy, Latvia, Estonia, the Czech Republic, Poland, Norway, Holland, and Ukraine, among others. 

The new leadership of the Kremlin was forged during the heady days of the late 80s and early 90s when Russians were sifting through the wreckage of the Soviet Union, and organized crime melded with the state because of the bootstrapping state security service’s need for the kinds of things only organized crime could provide.  

Now, twenty years later, the GRU, the SVR, and the FSB have a lot of third-party patrons and criminal partners to whom they outsource off-the-shelf operations. A good example is the Internet Research Agency, the Kremlin’s troll farm, founded by Yevgeny Prigozhin, now in the headlines for his savage attacks on the Ministry of Defense. 

For too many years, Western democracies were complacent about Russian meddling, perhaps because they didn’t want to poke that ol’ prickly bear. However, due to the war in Ukraine, Europe and the U.S. have escalated their counterintelligence measures.

Jack Barsky, an author, IT specialist, and former undercover KGB agent who defected to the U.S., tells Disruption Banking that Ukraine is “an intelligence mess” for the Kremlin because “You don’t know whether you get the truth because I guarantee you there are moles in either country because it’s so easy. They have the same culture, they have a very similar language, and they had moles in each other’s governments already.”

In addition, an informal “Volunteer Cyber Army” has arisen from inside Ukraine’s thriving IT community to bolster the efforts of the Ukrainian army and intelligence services to stay informed of circumstances on the battlefield, near its border with Russia, and in Moscow.

The result has been an unprecedented debasement of both Russian intelligence and counterintelligence capabilities. For those of us who have watched as the Russian spies and their proxies wrought havoc on our democratic systems with impunity, it’s beautiful to behold.

The Tide Turns

The Americans make a lot of noise about how they “disrupt” Russian networks, but for informed observers, it seems like the Russians had a very clear view into the internal deliberations of the U.S. government, European governments, and NATO for at least the past two decades.

In the U.S., the FBI disrupted the Snake surveillance malware, removing it from U.S. and NATO computer networks and from those of various third parties in 50 countries, including defense companies, media outlets, critical infrastructure, diplomatic comms, and tech research firms. 

This most sophisticated tool of Russian intelligence, which Politico called a “Swiss army knife of digital spying,” had been active for 20 years, until 2023. Luckily, it only took the FBI ten years to study it, figure out how to penetrate it, inform affected organizations, and disable it!

Until the invasion of Ukraine, both the U.S. and most of Europe were not overly concerned with the relentless flow of undercover spies sneaking around in political circles. However, in the first year of the war in Ukraine, Europe expelled 400 Kremlin spies. 

The MI5 director announced that this was the “most significant strategic blow” against Moscow in recent European history, adding to other setbacks such as sanctions against Russian elites and their companies, and the revelation of their crypto wallet network. 

Those in the Russian intelligence services have a strong commitment to tradecraft. And it shows. They have waged an innovative and devastating years-long campaign against their Western enemies, during which they penetrated and exploited vulnerabilities in every communication medium and level of government.

Russian intelligence and their hacker army stole data through satellites. They infiltrated the computer networks of NATO and the EU with the Sandworm virus. They hacked the email system used by the staff of the Joint Chiefs in the Pentagon, as well as the White House, via the State Department. Oh, and then, there was the time they stole 1.2 billion usernames and passwords, as well as all of the spying tools of the NSA.

The preceding paragraph represents billions of dollars of sunk costs in resources and labor wasted. Large investments in R&D, intellectual property, and intelligence products destroyed. All this was just during the last two years of the Obama administration.

Earlier in Obama’s first term, the CIA watched in horror as its entire agent network – totaling at least 30 CIA assets – was rolled up one by one and executed in China. They later realized the Chinese government had penetrated the ‘covert’ websites the CIA used to communicate with CIA collaborators abroad.

When Russian agents began severing their relationships with their CIA handlers, they realized China had shared its findings with Russia. The real origin of the exploit was an incursion by the Iranian government, but in all three countries, the U.S. saw its sources killed off or extracted at great cost.

During the Trump administration, the government held open the door to the Russian security services, who proceeded to loot the agencies and go through the pockets of the Republican Party. It could take decades just to assess the damage.

The decentralized approach of the Russian government lends them a tactical advantage, and it has been easy for the Kremlin to move money through the billionaire class and their financial intermediaries in the West who greased the wheels of their clandestine operations. Not anymore. 

That’s another reason why the crypto addresses being exposed may be a big deal. It closes off an important alternative avenue for funding their asymmetrical advantages.     

OP_RETURN 

The operation to expose the Kremlin’s crypto wallets began before the invasion of Ukraine. After the invasion, the vigilante escalated and began stealing the Russian government’s crypto resources and donating them to Ukraine.

The vigilante broadcast four lines of text, written in Russian, using the “OP_RETURN” field, which voids previous transactions. 

  • “GRU to SVR. Used for hacking!”
  • “GRU to GRU. Used for hacking!”
  • “GRU to FSB. Used for hacking!”
  • “Assist Ukraine with cash from the GRU Khakir” 
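As an added illustration (not code from the article or from Chainalysis), here is how an analyst can recognise and decode such OP_RETURN data carriers from raw output scripts. The sample messages are constructed from the English renderings above; the 80-byte payload ceiling is Bitcoin Core’s long-standing default relay limit for these outputs.

```python
# Added example (not from the article or Chainalysis): build and decode Bitcoin
# OP_RETURN output scripts; the sample messages below are constructed.
from typing import List, Optional
OP_RETURN = 0x6A
PUSHDATA_WIDTH = {0x4C: 1, 0x4D: 2, 0x4E: 4}  # OP_PUSHDATA1/2/4 length-field width
MAX_STANDARD_PAYLOAD = 80  # Bitcoin Core's long-standing default relay limit

def build_op_return(payload: bytes) -> bytes:
    # OP_RETURN followed by the minimal push opcode for the payload length
    n = len(payload)
    if n <= 0x4B:
        push = bytes([n])                               # direct push, 1..75 bytes
    elif n <= 0xFF:
        push = bytes([0x4C, n])                         # OP_PUSHDATA1
    else:
        push = bytes([0x4D]) + n.to_bytes(2, "little")  # OP_PUSHDATA2 (<= 65535)
    return bytes([OP_RETURN]) + push + payload

def decode_op_return(script: bytes) -> Optional[bytes]:
    # Data pushed after OP_RETURN, or None if the script is not a plain data carrier
    if len(script) < 2 or script[0] != OP_RETURN:
        return None                                     # P2PKH, P2WPKH, bare OP_RETURN
    op = script[1]
    if op <= 0x4B:
        n, start = op, 2                                # direct push (OP_0 gives n == 0)
    elif op in PUSHDATA_WIDTH and len(script) >= 2 + PUSHDATA_WIDTH[op]:
        width = PUSHDATA_WIDTH[op]
        n, start = int.from_bytes(script[2:2 + width], "little"), 2 + width
    else:
        return None                                     # non-push opcode or truncated
    data = script[start:start + n]
    return data if len(data) == n else None             # truncated payload

def extract_messages(script_hexes: List[str]) -> List[str]:
    # Every OP_RETURN payload that is standard-sized and valid UTF-8 (Cyrillic included)
    messages = []
    for h in script_hexes:
        data = decode_op_return(bytes.fromhex(h))
        if data is None or len(data) > MAX_STANDARD_PAYLOAD:
            continue                                    # not a carrier, or oversize
        try:
            messages.append(data.decode("utf-8"))
        except UnicodeDecodeError:
            pass                                        # binary payload, not a note
    return messages

SAMPLE_SCRIPTS = [  # constructed: two notes (English renderings) around a P2PKH output
    build_op_return(b"GRU to SVR. Used for hacking!").hex(),
    "76a914" + "00" * 20 + "88ac",
    build_op_return(b"Assist Ukraine with cash from the GRU Khakir").hex()]
```

Feeding the same function the scriptPubKey hex of real transaction outputs (for example from a node’s `getrawtransaction` output) turns a wallet-tracing exercise into a simple filter for embedded notes.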

Chainalysis, which works closely with several U.S. government agencies, posted an article about the exploit, but the article disappeared from the internet, without explanation. 

The vigilante first acquired the private keys of several of these wallets. Then, they started moving funds from one Kremlin-controlled wallet to hundreds of others. 

Next, the vigilante moved funds out of the wallets and into the wallets of Ukrainian volunteers working against the Kremlin. 

It is unknown if the information is valid, but three of the addresses were mentioned in a now-deleted blog post by HYAS, a Russian cybersecurity firm. The SVR used two of the wallets to “purchase infrastructure” in the SolarWinds hack, and the third was associated with the 2016 disinformation campaign targeting the Democratic National Committee, in which the GRU dumped almost 20,000 emails via DCLeaks.com under the alias Guccifer 2.0. 

Chainalysis said in a press release, “The fact that the OP_RETURN sender was both willing and able to burn hundreds of thousands of dollars’ worth of bitcoin in order to spread their message makes it more likely in our opinion that their information is accurate.” 

Who Dunnit? 

Charles Finfrock worked for the CIA in clandestine operations and counterintelligence for 18 years. Currently, he works in the cryptocurrency space focusing on anti-money laundering and fraud, and he teaches a class on the use of cryptocurrency by Russian intelligence. 

With the caveat that it’s hard to make assumptions, Finfrock doubts that this was the work of a state intelligence service, telling Disruption Banking, “An intel service wouldn’t have put the payload out there and let it sit there for a year. They’d leave bigger breadcrumbs and point somebody in that direction. We’ve seen the Russians do that.” 

“If it was an insider, it’s one thing to put it out there, but it’s another thing to shine a light on it. That’s a huge risk. If I were in charge of tracking down those responsible, I would look at the third-party support contractors, whoever the intelligence service hires to move money for them. Some blockchain forensics would be a good starting point.”    

When asked to speculate about why the vigilante didn’t take any of the funds, Finfrock said, “You can burn their crypto and send it to their enemies, but if you steal from them, you risk leaving a trail. This is someone who is cautious and conservative. Their motive wasn’t money.” 

It’s hard to imagine a lone-wolf hacktivist doing something like this. Even if hundreds of fairly well-funded non-state entities wanted to, the scale of the information and the resources this must have required would put this beyond the capabilities of most.   

Lieutenant Colonel Doxxed

The alleged mastermind of Fancy Bear is Sergey Alexandrovich Morgachev, a Lieutenant Colonel in the GRU. Morgachev is wanted by the FBI and has the distinction of being charged in the Mueller probe in 2018. 

However, Morgachev got a taste of his own medicine in early April 2023 when his email was hacked and dumped online, including an extensive bevy of private identifying documents. The culprits, a pro-Ukrainian hacker group called Cyber Resistance, were thorough in their attempted “moral humiliation” of Morgachev. 

The hackers used Morgachev’s own Twitter account to post images of his passport, his driver’s license, his home address, the title and license number of his car as well as his house, work, and medical documents, including his CV and pay stubs. 

They didn’t stop there, posting pictures of his wife and co-opting his AliExpress account. Then, they proceeded to order an assortment of gag gifts, including FBI memorabilia, sex toys, and gay pride gear to be delivered to his door. 

Cyber Resistance also shared all the documents and all of Morgachev’s private communications with InformNapalm, which posted all of them on their website, leaving him extremely vulnerable to identity theft.

All the people in his business know that getting blown is an occupational hazard, and according to Barsky, Morgachev’s boss in the GRU may decide to transfer him to another office because he is “ineffective.” “If [your case officers have their identities exposed] on a massive scale, your entire operation goes down the drain.”

For sure Morgachev won’t be able to cross the border of any U.S. allies under his own name, which really throws a wrench into that family vacation planning.   

Implications 

This series of humiliating defeats shatters the myth of the inviolability of Russian intelligence at a time when they are getting their asses kicked on every front. 

Russian intelligence assets across the globe have been degraded, so the future collection of signals intelligence, human intelligence, and counterintelligence will be more difficult. 

The Kremlin has redoubled its espionage efforts, sending spies already kicked out of one European country right back to another one. Sleeper cells of “illegals” awaken. Expats from friendly countries become moles. Sabotage operations on major infrastructure are in the offing.

Jack Barsky told Disruption Banking, “We call the world of espionage the wilderness of mirrors. I think the World Wide Web is going exactly there. And, you know, and with AI making this even easier. Pretty soon, we’re going to have three dimensional avatars… The offense always has an advantage, and this advantage is going to get even worse. This world is heading for a situation where it will be fundamentally impossible to know what’s true and what’s false.”

This has been Russia’s goal with Dezinformatsiya since the heyday of the KGB four decades ago, and Putin is an old-school KGB lieutenant colonel who sticks to his guns. However, there’s no denying that Russian intelligence will be rebuilding for years to achieve the type of asymmetric collection capabilities they enjoyed until the invasion. 

In the U.S., in a similar situation, the government would throw more billions into the black budget. Russia is not able to do the same. The armed forces of Russia are already stretched to the limit.

According to Jack Barsky, “Russian intelligence today is relatively weak compared to the KGB because they just don’t have the means and funding and the manpower.”

Paradoxically, the interregnum while Russian intelligence is rebuilding may be the most dangerous period because the Kremlin will be on edge, not knowing what its enemies are thinking, which heightens the risk of “accidental warfare.”

Jack Barsky stated, “If you have this kind of mutual knowledge of what the other side is doing, that sort of prevents accidental warfare. That is what we had during the Cold War when there were three situations when we got really close to a nuclear exchange.” Barsky referred to the example of Oleg Gordievsky, a KGB double agent in England who dispelled Russian fears of an imminent attack by NATO and thereby changed history.

Undercover agents, moles, malware, and “Active Measures” campaigns by Russian spies are as sure in the 21st century as death and taxes. Unfortunately, it may be preferable to a paranoid Putin without his trusted intelligence apparatus, always suspecting a foreign plot. 

Author: Tim Tolka, writer, journalist, and BI researcher

The editorial team at #DisruptionBanking has taken all precautions to ensure that no persons or organizations have been adversely affected or offered any sort of financial advice in this article. This article is most definitely not financial advice.

2 Responses

  1. If only he had read the spy novel Beyond Enkription in TheBurlingtonFiles series earlier things might have turned out differently! The fact based thriller is about Pemberton’s People in MI6. It’s a must read for espionage cognoscenti – see the brief news article dated 31 October 2022 in TheBurlingtonFiles website for more intriguing details at https://theburlingtonfiles.org/news_2022.10.31.php. The news was released several years after Beyond Enkription was published.
