Cryptocurrency Brings Millions in Aid to Ukraine, But Could It Also Be Used For Russian Sanctions Evasion?

As Russia’s invasion of Ukraine continues, cryptocurrency is taking on an important role in the conflict. On the positive side, users around the world have donated over $56 million in cryptocurrency to addresses provided by the Ukrainian government, showcasing not just the crypto community’s generosity but also virtual assets’ unique utility for cross-border payments. 

However, law enforcement, regulators, and compliance teams alike are also wondering if and how cryptocurrency may allow for sanctions evasion. The United States and many of its allies in the EU and elsewhere have taken unprecedented actions against Russia, including:

  • The addition of Russian oligarchs, their family members, and their businesses, as well as all major state-owned banks and many energy exporters, to OFAC’s SDN list
  • The removal of select Russian banks from the SWIFT system, essentially cutting them off from the global financial system
  • The sanctioning of Russia’s central bank, preventing it from using its $650 billion in reserves to mitigate the impact of the above sanctions

While sanctions monitoring and enforcement are well-understood concepts in traditional finance, many are now wondering how Russia’s business and political elites could use cryptocurrency to evade sanctions. While there’s no direct evidence this is happening, it’s a reasonable concern: Russia accounts for a disproportionate share of several categories of cryptocurrency-based crime globally, and is home to many cryptocurrency services that have been implicated in money laundering activity.

However, as Chainalysis co-founder Jonathan Levin explained while testifying before the U.S. Senate, the inherent transparency of the most popular, liquid blockchains would make it difficult for sanctioned Russian entities to systematically launder large amounts of cryptocurrency. “By mapping a single cryptocurrency wallet address to an illicit actor, whether that be a ransomware attacker or sanctions evader, law enforcement can unlock immediate insight into the entire network of services that facilitate the actor,” Levin said. That means that if cryptocurrency-based sanctions evasion is happening, it would probably look more like typical money laundering activity, in which relatively small amounts of cryptocurrency are moved gradually to disparate cashout points, rather than all at once in huge transactions. 

What could cryptocurrency-based Russian sanctions evasion look like?

There are a few different possible sanctions evasion mechanisms whose on-chain indicators suggest that Russian actors may be moving funds, at least in isolated instances. We’ll walk you through those below.

Russian whales moving funds

First, we’re monitoring for transactions involving whales we believe or know to be users based in Russia. As a reminder, we define “whale” as any private wallet holding $1 million or more worth of cryptocurrency. 

Between the start of the invasion and March 21, we’ve tracked just over $62 million worth of cryptocurrency sent from Russia-based whales to other addresses, many of which are associated with OTC desks and exchanges, some of them high-risk. While spikes in this activity are common, Russian whale sending hit its highest levels in roughly eight months during the week of February 28, soon after the invasion, reaching $26.5 million. On-chain activity alone can’t tell us if these transfers constitute sanctions evasion, as we don’t know if the whale wallets are controlled by sanctioned individuals and entities. However, we will continue to monitor these transactions and provide updates as possible.

Sbercoin

Sberbank is the biggest bank in Russia and was one of the first Russian businesses sanctioned following the Ukraine invasion, along with its subsidiaries. On March 17, 2022, Russia’s central bank announced that it had issued Sberbank a license to engage in digital assets, which appears to have led to its issuance of Sbercoin, a new cryptocurrency Sberbank had previously announced in late 2020. It’s also possible that Sbercoin was launched by scammers, as Sberbank officials have denied issuing the coin. 

Regardless of who actually launched the coin, CoinMarketCap data shows that Sbercoin has seen roughly $4.5 million in total transaction volume, all on one popular decentralized exchange. Sbercoin’s price has dropped over 90% since its launch, and currently sits at $0.00003329 as of March 28, 2022, with a market cap of $113,089.

Credit: CoinMarketCap

While Sbercoin’s performance and transaction volumes remain quite low right now, any trading of the coin by users in the United States and other countries that have sanctioned Sberbank could create exposure to sanctions risk. We’ll continue to monitor Sbercoin’s activity and provide updates on any significant activity as possible.

Other on-chain indicators to watch

We’re also paying attention to a few other cryptocurrency services and usage typologies that could indicate sanctions evasion by Russian entities. So far, on-chain indicators for these don’t show much out of the ordinary, but they warrant further monitoring. We outline those below. 

High-risk services popular in Russia

Russia has a large ecosystem of high-risk services — meaning those that tend to have lax compliance requirements — enabling money laundering, such as the now-sanctioned OTC desk Suex, and it’s reasonable to expect that sanctioned Russian entities may try to use those services to hide or move their wealth. The graph below shows the estimated value received by the five most popular high-risk services in Russia from Russia-based users since the beginning of 2022. 

High-risk exchanges like Garantex and Bitzlato are prominent here, as well as Tornado, an Ethereum mixer that’s received funds from several criminal sources. Thus far, none of these high-risk services have shown spikes in inflows or outflows, or any other unusual activity since the new sanctions were imposed.

Hydra

Another service worth watching is Hydra Market. Hydra is the world’s largest darknet market by far, despite the fact that it only operates in Russian-speaking countries. However, to say Hydra is just a darknet market is misleading — Hydra also offers sophisticated cash-out services that are designed to let users move large volumes of illicit cryptocurrency covertly, and as such could also function as a money laundering service for sanctioned Russian entities. We are continuing to monitor Hydra, but so far, its transaction volume shows nothing out of the ordinary, and in fact has fallen in the time following the Ukraine invasion. For more information on Hydra, download our report in collaboration with Flashpoint. 

Mining activity

Some sanctioned countries have turned to mining to gain access to capital and make up for sanctions-related deficits in international trade. Iran in particular has pursued this strategy in recent years, as we covered in our 2022 Crypto Crime Report.

It’s possible that Russia could do the same. As of August 2021, Russia ranked third worldwide in share of global hashrate for Bitcoin, according to the Cambridge Bitcoin Electricity Consumption Index. In fact, since the beginning of 2022, Russian services have received substantially more cryptocurrency from mining pools than Iranian services have.

Though there were reports that electricity consumption by cryptocurrency miners in some parts of Russia increased soon after the invasion, it’s impossible to tell now whether any of that can be attributed to a sanctioned entity. It would also be unlikely for a sanctioned entity to have set up a significant mining operation in the weeks that have passed since new sanctions were handed down. However, given the embrace of cryptocurrency mining by other sanctioned countries like Iran, and Russia’s pre-invasion status as a mining power, we may see sanctioned entities like Russian energy companies turn to mining to mitigate impact to their finances. If that happens, we expect to see more cryptocurrency flow from mining pools to Russian services, as well as a rise in Russia’s share of global hashrate. 

Ruble-denominated trading activity

We’re also watching for changes in trade volume for trading pairs that include the Russian ruble. We can do this using exchange order book data provided by Kaiko.

Daily ruble trade volume shot up immediately following the invasion, growing over 900% to over $70 million between February 19 and 24, the highest it’s been since May 2021. Since then, ruble trading volumes have continued to fall and spike periodically, though they’ve yet to break $70 million again. As we’ve previously stated, we believe this activity is unlikely to reflect large-scale sanctions evasion. Our current hypothesis is that the chief drivers of ruble pair volumes are volatility and non-sanctioned Russian cryptocurrency users attempting to protect their savings as the ruble’s value plummets. Keep in mind that even before this crisis, Russia ranked high worldwide for grassroots cryptocurrency adoption.

Russian cybercriminal gangs and ransomware operators 

Finally, we’re also monitoring for activity carried out by Russian cybercriminal gangs, in particular those engaging in ransomware attacks. While these attacks wouldn’t necessarily constitute sanctions evasion, they can still be relevant to both Russia’s invasion of Ukraine and the response of the international community. For example, Conti, the most active ransomware group of 2021, declared its loyalty to the Russian government shortly after the invasion began, promising to launch cyberattacks against anyone who moves against Russia.

Source: Dmitry Smilyanets on Twitter

Soon after, an unknown party retaliated by leaking sensitive information on Conti, including the group’s internal chat logs, source code, and more. The U.S. and its allies must stay on high alert for possible retaliatory cyberattacks from Russian cybercriminal groups like Conti, as President Joe Biden recently warned.

Donations show cryptocurrency’s positive role in this story

While most of our focus is on monitoring for potential sanctions violations involving cryptocurrency, we’d be remiss if we didn’t mention the positive role cryptocurrency is playing in the Ukrainian crisis. Soon after the invasion, the Ukrainian government began soliciting cryptocurrency donations, posting addresses on its social media channels. Other organizations, such as the TRON foundation and the exchange Kuna, have followed suit, asking for cryptocurrency donations to get Ukrainians on the ground the supplies they need. 

As of March 28, 2022, crypto enthusiasts around the world have donated over $56 million worth of cryptocurrency to addresses provided by the Ukrainian government, not to mention hundreds of NFTs and donations to other charitable organizations accepting cryptocurrency. Those donations stand not just as an example of the community’s generosity, but also of cryptocurrency’s utility as a cross-border value transfer mechanism in a time of emergency. 

Chainalysis will continue to work with our partners in the private and public sectors to monitor for signs of sanctions evasion involving cryptocurrency. We’ll post more analysis related to the topics covered above on our blog over the coming weeks.
