UK cops trace street-level crime to sanctions-busting networks tied to Moscow's war economy

On Christmas Day 2024, a Russian-linked laundering network bought itself a very special present: a controlling stake in a Kyrgyzstan bank, later used to wash cybercrime profits and funnel money into Moscow's war machine, according to the UK's National Crime Agency (NCA).…
Analysis Summary
# Incident Report: Sanctions-Busting Bank Acquisition to Fund War Economy
## Executive Summary
A sophisticated, Russian-linked money laundering network, operating under the NCA's "Operation Destabilise," successfully acquired a controlling stake in the Kyrgyz bank Keremet on Christmas Day 2024. This acquisition allowed the network to integrate street-level crime profits (from drugs, firearms, and immigration offenses in the UK) into a global ecosystem used to launder illicit funds, convert them to cryptocurrency, and funnel them to Moscow's war machine via sanctioned Russian entities like Promsvyazbank. The operation was dismantled through extensive international law enforcement efforts, resulting in significant seizures of cash and cryptocurrency.
## Incident Details
- **Discovery Date:** Ongoing investigation ("Operation Destabilise"), leading to exposure in November 2025.
- **Incident Date (Acquisition):** December 25, 2024.
- **Affected Organization:** Keremet Bank (Kyrgyzstan).
- **Sector:** Financial Services, Money Laundering/Sanctions Evasion.
- **Geography:** Primary collection in the UK (28+ towns/cities); laundering hubs in Kyrgyzstan, with links to Russia and Moldova.
## Timeline of Events
### Initial Access (Acquisition of Financial Instrument)
- **Date/Time:** December 25, 2024.
- **Vector:** Corporate Acquisition/Financial Maneuvering.
- **Details:** Altair Holding SA, a company linked to the TGR network (allegedly headed by George Rossi), purchased a 75% controlling stake in Keremet Bank in Kyrgyzstan.
### Lateral Movement (Fund Laundering Cycle)
- **Date/Time:** Ongoing from Dec 2024 through exposure in Nov 2025.
- **Vector:** Cash Collection, Crypto Conversion, Cross-Border Payments.
- **Details:** Couriers collected physical cash from UK street crime, converted it to cryptocurrency via "cash-to-crypto" swaps, and routed these funds through Keremet Bank. The bank was then used to facilitate cross-border payments for Promsvyazbank and Russian military suppliers.
### Data Exfiltration/Impact
- **Details:** Not a traditional data breach, but the successful operationalization of a global financial pipeline. The impact was the illicit channeling of billions of pounds' worth of criminal proceeds, potentially funding the Russian war effort and breaching international sanctions.
### Detection & Response
- **Details:** Detection was the culmination of the NCA's long-running "Operation Destabilise." Response involved international coordination (DEA, OFAC, FBI, EU police forces) leading to sanctions, arrests, and seizures. Zhdanova (Smart network leader) was detained in France.
## Attack Methodology
*Note: Given the context, the "attack" is primarily a sophisticated financial and sanctions evasion scheme rather than a traditional IT compromise.*
- **Initial Access:** Corporate acquisition of a regulated financial entity (Keremet Bank).
- **Persistence:** Utilizing established money laundering networks (Smart and TGR) underpinned by physical cash couriers.
- **Privilege Escalation:** (Not applicable in IT terms; financial equivalent: gaining access to state-linked financial infrastructure).
- **Defense Evasion:** Use of cryptocurrency rails and routing funds through a newly acquired bank to obscure the origin of funds from Western restrictions.
- **Credential Access:** (Not specified/applicable).
- **Discovery:** (Not applicable).
- **Lateral Movement:** Utilizing global networks (28+ UK locations) to funnel physical cash into the digital crypto pipeline.
- **Collection:** Gathering cash proceeds from drugs, firearms, and immigration crime.
- **Exfiltration:** Transferring funds via cross-border payments through Keremet to sanctioned Russian entities.
- **Impact:** Operationalizing a billion-dollar sanctions-busting network feeding the Russian war economy.
## Impact Assessment
- **Financial:** Seizures exceeding £25 million ($32 million) in the UK; overseas seizures totaling over $27 million.
- **Data Breach:** None reported.
- **Operational:** Significant disruption to the specific Smart and TGR laundering pipelines in London, causing commission rates to spike.
- **Reputational:** Exposure of deep ties between street crime, organized crime, and state-sponsored sanctions evasion.
## Indicators of Compromise
*(Behavioral and organizational indicators only; no technical indicators were reported.)*
- **Network indicators:** Financial routing patterns involving Keremet Bank and Promsvyazbank for non-sanctioned businesses.
- **File indicators:** (Not applicable).
- **Behavioral indicators:** Sudden influx of illicit cash routed through "cash-to-crypto" swaps; unusual cross-border payment activity directed by identified illicit actors (e.g., those linked to Shor, Zhdanova, Rossi).
## Response Actions
- **Containment measures:** International sanctions imposed by the US OFAC against six senior figures (Zhdanova, Magomedov, Krasnov, Rossi, Chirkinyan, Bradens).
- **Eradication steps:** Arrests and detentions (e.g., Zhdanova in France; jail sentences for multiple couriers).
- **Recovery actions:** Seizure of over £25 million in cash and cryptocurrency.
## Lessons Learned
- State actors and organized criminal groups prioritize acquiring regulated financial infrastructure (banks) to bypass sanctions, creating a direct line between cybercrime/street crime and state financing.
- The laundering ecosystem operates across all levels, from low-paid couriers to high-level corporate acquisitions.
- Cooperation with international partners (OFAC, DEA, FBI) is critical to tracing funds across complex, globalized laundering chains.
## Recommendations
- Conduct enhanced due diligence (EDD) on all corporate acquisitions, particularly by foreign entities in critical sectors like finance, looking for links to sanctioned individuals or known criminal networks (Smart/TGR).
- Increase monitoring and enforcement targeting the "cash-to-crypto" interface, as this remains a crucial step in moving illicit fiat proceeds into the digital economy.
- Continue aggressive targeting of low-level physical collection operatives (couriers) to destabilize the cash collection volume necessary to feed sophisticated laundering engines.