Trustformer's Analysis of OFAC-Sanctioned Russian Addresses in Money Laundering
02 Jan 2024

1. Event Background

On November 3, the U.S. Treasury and its Office of Foreign Assets Control (OFAC) sanctioned Russian businesswoman Ekaterina Zhdanova for alleged assistance in money laundering and fund transfers for Russian elites. She was involved in massive cross-border transactions, including moving over $100 million to the United Arab Emirates for a Russian oligarch. Zhdanova is also implicated in laundering $2.3 million for a Ryuk ransomware group affiliate, funds believed to come from ransomware victims' payments. As a result, three Bitcoin addresses were sanctioned:

1Ljk8RNNabkZ9bfDYQBn98XfFozJhTjqcZ

3685sEusmTwZBiKJ4cgV73EAhpVD1nbgbe

39p8qWp1bkBNhi4vPpFTetKPtH7goqNDZf

The analysis with the Trustformer system focuses on the sanctioned addresses as examples to examine the pathways of fund transfers and clarify the ultimate destinations of the funds.

 

2. Event Analysis

2.1 Sanctioned Address: 1Ljk8RNNabkZ9bfDYQBn98XfFozJhTjqcZ

The Trustformer Risk Detector revealed that the address has a TCR score of 98, indicating severe risk and classifying it as a direct risk address. The risk type is identified as USA political blacklist. By clicking on the label, more information about associated individuals and nationalities linked to the address can be accessed.

A review of the address's historical transactions reveals the most recent one on February 6, 2022. Trustformer's Trackr product aids in analyzing the fund movements from this address.

Between January and February 2022, the address 1Ljk8RNNabkZ9bfDYQBn98XfFozJhTjqcZ initiated 13 fund transfers. The analysis revealed financial transactions among the three sanctioned addresses during this period, indicating their role as collective wallets for the sanctioned individuals. Notably, it transferred 29.1BTC to another sanctioned address, 3685sEusmTwZBiKJ4cgV73EAhpVD1nbgbe, and 1.1BTC to 39p8qWp1bkBNhi4vPpFTetKPtH7goqNDZf.

 

2.2 Sanctioned Address: 3685sEusmTwZBiKJ4cgV73EAhpVD1nbgbe

This address also showed a TCR score of 98, indicating severe risk and classifying it as a direct risk address. The risk type is identified as USA political blacklist. The most recent transaction for this address occurred on April 3, 2022. Trustformer's Trackr product assists in analyzing the fund movements from this address between February and April 2022.

The address 3685sEusmTwZBiKJ4cgV73EAhpVD1nbgbe initiated four fund transfers between February and April 2022. It moved 33BTC to the same address, bc1qwxqxd25yk2dtw2ml04vxj9atq3huv4rdytf6vt, which is identified as a risk address related to a coin mixer.

After thorough tracking, it was discovered that the address transferred 72BTC to the Huobi exchange.

2.3 Sanctioned Address: 39p8qWp1bkBNhi4vPpFTetKPtH7goqNDZf

This address had a TCR score of 26, indicating severe risk and classifying it as a direct risk address. The risk type is identified as USA political blacklist. The most recent transaction for this address occurred on February 25, 2022. Trustformer's Trackr product assists in analyzing the fund movements from this address between January and February 2022.

Analysis for January to February 2022 revealed six fund transfers, including a large transaction of 60BTC to 1AynRWwpCcVpm6Ye8xJ8mXRAJ3Qpx3yQuw, and 133BTC flowing into Binance.

3. Event Summary

Investigations with the Trustformer KYT system's Trackr and Risk Detector conclude:

- Address 1Ljk8RNNabkZ9bfDYQBn98XfFozJhTjqcZ transferred 29.1BTC to 3685sEusmTwZBiKJ4cgV73EAhpVD1nbgbe and 1.1BTC to 39p8qWp1bkBNhi4vPpFTetKPtH7goqNDZf in the most active recent months.

- Address 3685sEusmTwZBiKJ4cgV73EAhpVD1nbgbe moved 72BTC into Huobi and engaged with coin mixer-related intermediary addresses.

- Address 39p8qWp1bkBNhi4vPpFTetKPtH7goqNDZf sent 60BTC to 1AynRWwpCcVpm6Ye8xJ8mXRAJ3Qpx3yQuw, with 133BTC entering Binance.

 

Recommendations:

- Bitcoin transactions inherently feature mixing characteristics, and sanctioned addresses often disperse funds in small amounts, which makes investigating them and gathering evidence challenging. Close monitoring of these addresses' transactions is recommended, especially transfers involving other sanctioned addresses.

- Records show funds moving to centralized exchanges like Huobi and Binance during these transfers. Enhanced monitoring of the exchanges involved is advised to detect suspicious activity promptly.
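
The monitoring recommended above, sketched as an added example (not Trustformer's code): it totals transfers between the sanctioned addresses and walks downstream from one of them to labelled mixer or exchange addresses. The first three edge amounts are taken from the text; HOP_ADDR_1, EXCHANGE_DEPOSIT_A and the last two edges are constructed placeholders.

```python
from collections import defaultdict, deque
from decimal import Decimal

A1 = "1Ljk8RNNabkZ9bfDYQBn98XfFozJhTjqcZ"   # sanctioned addresses, from the page
A2 = "3685sEusmTwZBiKJ4cgV73EAhpVD1nbgbe"
A3 = "39p8qWp1bkBNhi4vPpFTetKPtH7goqNDZf"
MIXER = "bc1qwxqxd25yk2dtw2ml04vxj9atq3huv4rdytf6vt"  # mixer-related, from the page
SANCTIONED = {A1, A2, A3}
# Label table; the exchange deposit id is a placeholder, not a real address.
LABELS = {MIXER: "mixer-related", "EXCHANGE_DEPOSIT_A": "exchange"}

# (sender, receiver, BTC). The first three amounts are the totals stated in the
# text; the last two edges are constructed to give the tracer something to follow.
EDGES = [
    (A1, A2, Decimal("29.1")),
    (A1, A3, Decimal("1.1")),
    (A2, MIXER, Decimal("33")),
    (MIXER, "HOP_ADDR_1", Decimal("33")),
    ("HOP_ADDR_1", "EXCHANGE_DEPOSIT_A", Decimal("20")),
]

def intra_sanctioned(edges):
    """Total BTC per (sender, receiver) pair where both ends are sanctioned."""
    totals = defaultdict(Decimal)
    for src, dst, amount in edges:
        if src in SANCTIONED and dst in SANCTIONED:
            totals[(src, dst)] += amount
    return dict(totals)

def trace_exposure(edges, start, max_hops=4):
    """Breadth-first walk downstream of `start`; returns labelled hits as
    (label, address, hops, path), shortest path first."""
    outgoing = defaultdict(list)
    for src, dst, _ in edges:
        outgoing[src].append(dst)
    hits, seen, queue = [], {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in outgoing[path[-1]]:
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path, hops = path + [nxt], len(path)
            label = LABELS.get(nxt) or ("sanctioned" if nxt in SANCTIONED else None)
            if label:
                hits.append((label, nxt, hops, new_path))
            # Exchange wallets pool customer funds, so the trail ends at the deposit.
            if label != "exchange" and hops < max_hops:
                queue.append(new_path)
    return hits
```

Lowering max_hops shortens the trail that is followed, so an exchange deposit several hops beyond a mixer-related address is only reported when the hop limit reaches it.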

 

Start your complimentary 31-day KYT trial to elevate your on-chain transaction security.

 

About Trustformer

  • Trustformer is a leading large-scale model for applying compliance technology. It combines blockchain data for real-time risk monitoring and early warning, identifying risks such as risk entities, wallets, and transactions in real time. Drawing on the FATF Travel Rule, global multinational financial supervision and crypto asset supervision policies, and the localized finance and crypto financial licenses and policies of individual jurisdictions, it carries out real-time risk identification, transaction analysis, and early warning. Through graphical node reasoning, it performs security analysis of transaction addresses and capital chains, and provides risk compliance investigation and capital security audit services.

 


 

 
