Full Report
The NCA on Friday confirmed that a money laundering network under investigation was used to purchase Keremet Bank in Kyrgyzstan, which was sanctioned earlier this year.
Analysis Summary
# Incident Report: Illicit Finance Network Funneling Drug Money to Sanctioned Russian Entities
## Executive Summary
The UK's National Crime Agency (NCA) uncovered a large and complex money laundering network linking the street-level drug trade to state-linked actors, including Russian intelligence services (GRU/FSB). The network's activity culminated in the disguised purchase of Keremet Bank in Kyrgyzstan, a bank previously sanctioned for helping Russia's military-industrial complex evade sanctions. The NCA investigation, "Operation Destabilise," disrupted the network and led to numerous arrests.
## Incident Details
- Discovery Date: The investigation began last year, growing out of a ransomware case; the NCA confirmed the Keremet Bank purchase on Friday, November 21st, 2025 (date of article publication).
- Incident Date: Ongoing, from the street-level drug sales that generated the cash through to completion of the bank purchase earlier this year.
- Affected Organization: Keremet Bank (Kyrgyzstan); various drug trafficking organizations; individuals linked to Russian intelligence rings.
- Sector: Financial Services, Organized Crime, National Security/Intelligence, Drug Trafficking.
- Geography: United Kingdom (source of drug cash), Kyrgyzstan (bank acquisition), Russia (ultimate beneficiaries/handlers).
## Timeline of Events
### Initial Access
- Date/Time: Not stated for the drug networks themselves; the wider investigation was triggered last year by tracing **ransomware extortion funds**.
- Vector: Street-level cocaine sales generating cash, plus a vehicle trade that exploited the war in Ukraine (UK vans and trucks resold in Ukraine for cryptocurrency).
- Details: Cash from street-level cocaine sales was collected by couriers across the UK.
### Lateral Movement
- Date/Time: Ongoing within the financial chain.
- Vector: Rapid conversion of physical cash into cryptocurrency (often USD Tether), followed by international distribution into the formal financial system.
- Details: Vehicle profits followed the same path: UK vans and trucks were bought, sold on in Ukraine, and the proceeds converted to crypto.
### Data Exfiltration/Impact
- Date/Time: Ongoing criminal financial transfers.
- Vector: Financial acquisition and sanctions evasion.
- Details: The network routed funds to purchase Keremet Bank (sanctioned in 2025 by the US and UK), giving Russia's state-owned PSB Bank a covert vehicle for evading export controls in support of the war in Ukraine. Funds were also channelled to concierge services serving Russian elites in the West.
### Detection & Response
- Date/Time: 45 suspected launderers have been arrested since December (before the Nov 21, 2025 confirmation); the Bulgarian spies linked to the network were sentenced in May 2025; the NCA confirmed the expanded scope on Friday, Nov 21, 2025.
- Vector: NCA "Operation Destabilise," which began by tracing ransomware extortion funds.
- Details: Targeting couriers, running unconventional deterrence (Russian-language posters in motorway service stations), and dismantling linked laundering networks such as SMART and TGR.
## Attack Methodology
*Note: This incident primarily involves financial crime and money laundering structured to support state objectives, rather than a traditional cyber attack kill chain. Methodologies are adapted to reflect the financial/operational techniques described.*
- Initial Access: Physical collection of illicit cash (drug sales) and movement of illicit goods (vehicles).
- Persistence: Continuous operation of the SMART and TGR laundering networks.
- Privilege Escalation: Acquiring a bank (Keremet Bank) to bypass the international sanctions on PSB Bank.
- Defense Evasion: Rapid conversion to cryptocurrency (USD Tether) for international distribution, and use of the acquired Keremet Bank as a vehicle for PSB Bank.
- Credential Access: Not applicable; no credential theft or other cyber activity is described in the source.
- Discovery: Not described for the network itself; the investigators' discovery path ran from ransomware extortion funds into the laundering chain.
- Lateral Movement: Cash carried by couriers, converted to crypto abroad, and fed into legitimate financial systems or used to buy assets (Keremet Bank).
- Collection: Aggregation of physical cash from street-level sales by couriers.
- Exfiltration: Moving value across borders and converting cash into controlled digital assets or physical assets (banks, vehicles).
- Impact: Direct financing of entities sanctioned for supporting Russia's war effort, and support for espionage networks.
## Impact Assessment
- Financial: Millions of pounds (£6 million laundered by two sentenced individuals alone); a large illicit flow linking street crime to state military funding.
- Data Breach: Not a data breach incident; focus is on financial asset transfer and sanction evasion.
- Operational: Significant disruption to multiple criminal and espionage networks through 45 arrests since December.
- Reputational: Exposure of deep ties between UK street crime, internationally sanctioned Russian military entities, and espionage rings.
## Indicators of Compromise
- Network Indicators: No IP or URL indicators were provided. Related entities: PSB Bank (sanctioned) and Keremet Bank (sanctioned).
- File Indicators: None relevant to a traditional cyber scope.
- Behavioral Indicators: Use of couriers to transport cash; rapid conversion of cash to USD Tether for international movement; use of the acquired Keremet Bank to bypass sanctions on PSB Bank.
## Response Actions
- Containment measures: Identifying and arresting cash couriers; disrupting the SMART and TGR networks.
- Eradication steps: Arrest of 45 suspected money launderers since December, with sentencing of some (including the Bulgarian spies in May 2025).
- Recovery actions: Public confirmation of the network's scope, and deterrence messaging aimed at couriers (Russian-language posters in service stations).
## Lessons Learned
- Street-level organized crime (drug sales) can connect directly to major geopolitical events and state-sponsored sanctions evasion.
- Financial tracing that starts from a seemingly low-level cyber extortion case can unravel a complex, multi-billion-dollar global illicit finance network.
- Unconventional outreach (physical posters in Russian aimed at couriers) can deter low-level operatives in large financial crime schemes.
## Recommendations
- Enhance cross-jurisdictional financial intelligence sharing, focused on the cash-to-cryptocurrency conversion points used for drug and extortion proceeds.
- Increase monitoring and disruption of third-party financial institutions (such as Keremet Bank) acquired or used to bypass sanctions on primary state actors (such as PSB Bank).
- Continue targeted public outreach to the vulnerable individuals recruited to transport cash.