Pierluigi Paganini June 25, 2021

The Clop ransomware members that were recently arrested laundered over $500M in ransomware payments for several malicious actors.

The members of the Clop ransomware gang that were recently arrested in Ukraine laundered over $500M for several cybercrime groups.

Data related to the money laundering activities were provided by the cryptocurrency exchange portal Binance, who tracked the group as FancyCat, the funds resulted from the operations of Clop and Petya ransomware.

The funds were laundered investing in multiple forms of cybercrimes.

Binance investigated the transactions associated with the threat actors with the help of blockchain analysis firms TRM Labs and Crystal (BitFury).

The experts shared their findings with the law enforcement that arrested six members of the Clop/FancyCat group.

“More recently Binance Security has been taking part in an international investigation with Ukraine Cyber Police, Cyber Bureau of Korean National Police Agency, US Law Enforcement, Spanish Civil Guard, and Swiss Federal Office of Police, among others, in apprehending a prolific cybercriminal ring. The group — also known as FANCYCAT — has been running multiple criminal activities: distributing cyber attacks; operating a high-risk exchanger; and laundering money from dark web operations and high-profile cyber attacks such as Cl0p and Petya ransomware.” reads the post published by Binance. “In all, FANCYCAT is responsible for over $500M worth of damages in connection with ransomware and millions more from other cybercrimes.”

According to Binance, the six individuals were not part of the core of the Clop ransomware gang, instead, they were only marginally involved in the financial activities of the group, for this reason, the operations are still active.

A few days after the operations conducted by the authorities, the ransomware gang made the headlines again by releasing the data stolen from new victims.

“We applied the two-pronged approach to the FANCYCAT investigation: our AML detection and analytics program detected suspicious activity on Binance.com and expanded the suspect cluster. Once we mapped out the complete suspect network, we worked with private sector chain analytics companies TRM Labs and Crystal (BitFury) to analyze on-chain activity and gain a better understanding of this group and its attribution.” concludes the report. “Based on our analysis we found that this specific group was not only associated with laundering Cl0p attack funds, but also with Petya and other illegally-sourced funds. This led to the identification and eventual arrest of FANCYCAT.”

Early this year Binance released a study on our first Bulletproof Exchanger Project that focused on anti-ransomware initiative. The project also involved the Ukraine Cyber Police and lead to the arrest of a major cybercriminal group laundering over $42M of illicit funds.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]