Russia’s Sanctions-Busting Cryptocurrency Empire: Architecture, Actors, and the Future of Financial Conflict

Fig. 1. Russia’s Sanctions-busting Cryptocurrency Empire Infographic, Jeremy Swenson via ChatGPT, 2026.


I. Origins of a Parallel Financial System:

The roots of Russia’s sanctions-busting cryptocurrency ecosystem can be traced to the intersection of geopolitical pressure and technological opportunity. While Russia experimented with cryptocurrency policy ambiguity throughout the 2010s, it was the aftermath of the 2022 invasion of Ukraine—and the subsequent exclusion from key parts of the global financial system, including SWIFT—that triggered a structural change. Lacking dollar liquidity and limited by Western banking restrictions, Russian policymakers and aligned financial actors started rapidly developing alternative methods for cross-border settlement (1).

Early efforts were fragmented, consisting of informal networks of exchanges, darknet markets, and capital flight channels. Platforms such as Garantex, founded in 2019, became foundational nodes in this system, allowing users to convert rubles into stablecoins and move funds internationally while avoiding traditional compliance mechanisms (6). Despite sanctions imposed by the U.S. Treasury in 2022, these platforms adapted rapidly, shifting wallets, rebranding, and integrating with crypto mixers to obscure transaction flows (1).

By 2024, Russia had formally embraced cryptocurrency for international trade, legalizing its use in cross-border transactions while maintaining domestic restrictions. This dual posture—restrict internally, exploit externally—laid the groundwork for a state-tolerated, if not state-enabled, shadow financial architecture that would mature rapidly in the years that followed (9).

II. The Rise of A7A5 and the Industrialization of Evasion:

The emergence of the ruble-backed stablecoin A7A5 marked a turning point from opportunistic evasion to industrial-scale financial engineering. Developed through networks linked to sanctioned Russian financial institutions and offshore intermediaries, A7A5 was designed explicitly to bypass Western oversight by enabling direct conversion from rubles into crypto assets and then into globally usable currencies (6).

Unlike decentralized cryptocurrencies such as Bitcoin, A7A5 represents a hybrid model: centralized issuance combined with decentralized transaction pathways. This design allows Russian actors to maintain monetary control while leveraging blockchain’s opacity and global reach. Within its first year, the token processed tens of billions of dollars in transactions, with some estimates approaching $100 billion in cumulative volume—evidence of rapid adoption across trade networks and sanctions-affected industries (4).

Crucially, this system extended beyond simple financial transfers. It became embedded in supply chain logistics, enabling the procurement of dual-use goods—technology with both civilian and military applications—through intermediaries in regions such as Central Asia and the Middle East. Crypto-enabled payments allowed these transactions to bypass traditional banking scrutiny, effectively creating a parallel trade infrastructure insulated from Western enforcement mechanisms (3).

III. Decentralization as Strategy, Not Ideology:

In Western culture, decentralization is often seen as a libertarian ideal—an escape from centralized power. However, in the Russian sanctions-evasion model, decentralization is not about ideology but strategy. It is used selectively to reduce visibility, make enforcement harder, and spread operational risk.

This system operates as a layered network rather than a single platform. Exchanges such as Bitpapa and others flagged by blockchain intelligence firms function alongside mixers, peer-to-peer marketplaces, and offshore entities, creating a fluid ecosystem in which assets can be rapidly converted, transferred, and obfuscated (7).

Moreover, decentralization enhances resilience. When Western authorities sanction one node—such as Garantex—activity shifts to successor platforms or newly created entities, often staffed by the same personnel. This phenomenon mirrors adaptive systems: disruption leads not to collapse but to evolution. The result is a sanctions-resistant architecture that thrives on redundancy and ambiguity.

Academic research supports this point by showing that sanctions enforcement in crypto is structurally reactive, while illicit actors are fast and adaptive. Studies find that once wallets or platforms are sanctioned, actors quickly shift funds to new addresses, exchanges, or networks—often within hours—well before regulators can complete attribution and enforcement cycles (12). Because blockchain systems allow unlimited address creation and operate across jurisdictions, enforcement actions tend to disrupt specific nodes rather than the broader network. As a result, the research consistently demonstrates that sanctions evasion persists not despite enforcement, but because the system’s design enables rapid migration and continuity.

IV. The Ransomware Nexus: Criminal Infrastructure and State Alignment

At the heart of Russia’s crypto ecosystem lies a symbiotic relationship between cybercriminal groups and financial infrastructure. Ransomware organizations such as REvil and Ryuk-linked networks have long relied on cryptocurrency to receive and launder payments, targeting Western corporations, critical infrastructure, and supply chains (2).

The connection between these groups and sanctioned exchanges is well-documented. Platforms like Garantex have been identified as facilitating transactions tied to ransomware proceeds, effectively serving as financial clearinghouses for cybercrime (5). This relationship extends beyond mere tolerance. Investigations such as Operation Destabilise have uncovered networks in which cryptocurrency exchanges, money laundering operations, and state-linked actors intersect. In some cases, these networks have been used not only for financial gain but also to support espionage activities and strategic objectives aligned with Russian interests (11).

The implication is clear: ransomware is not simply criminal activity but a component of a broader hybrid warfare strategy. By targeting Western institutions and funneling proceeds through crypto networks, these groups generate revenue, disrupt adversaries, and reinforce Russia’s alternative financial ecosystem.

V. Extraction from the West: Mechanisms of Digital Theft:

The Russian crypto-sanctions ecosystem extracts value from the West through multiple channels, blending cybercrime, financial engineering, and trade manipulation. Ransomware attacks represent the most visible vector, with payments often demanded in cryptocurrency and subsequently laundered through exchanges and mixers (2).

However, a less visible but equally significant mechanism is trade-based money laundering facilitated by crypto. Russian entities purchase restricted goods through intermediaries, paying in stablecoins that are difficult to trace. These goods are then re-exported into Russia, effectively bypassing export controls (3).

Additionally, capital flight and asset concealment play a major role. Wealthy individuals and sanctioned entities move funds into crypto assets to protect them from seizure, leveraging decentralized wallets and offshore exchanges. The cumulative effect is a steady outflow of value from regulated Western systems into a shadow economy that operates beyond their reach.

By 2025, illicit cryptocurrency flows had surged dramatically, with tens of billions of dollars linked to sanctions evasion and state-aligned networks (10).

VII. Conclusion: The Future of Financial Warfare:

Russia’s sanctions-busting cryptocurrency empire represents a new phase in the evolution of financial conflict—not simply a workaround, but a scalable model for a decentralized, state-influenced financial system operating beyond traditional controls. What began as a reaction to Western sanctions has matured into a resilient ecosystem that blends state policy, criminal enterprise, and technological innovation. Its strength lies in its hybridity: centralized where control is necessary, decentralized where opacity provides advantage.

For the West, this presents a fundamental challenge. Traditional tools—sanctions, asset freezes, and banking restrictions—are increasingly limited in a world where adversaries can operate outside the formal financial system. Countering this shift requires more than incremental reform; it demands a transition from static enforcement to dynamic, intelligence-driven financial defense.

A central component of this approach is the expansion of blockchain analytics and real-time monitoring. On-chain intelligence has proven effective in tracing illicit flows and identifying high-risk actors, but its true value emerges when integrated into coordinated international enforcement frameworks. Moving beyond periodic sanctions designations toward continuously updated, intelligence-led responses will be critical to keeping pace with adaptive networks (7).

Equally important is targeting the infrastructure that enables liquidity. Cryptocurrency ecosystems depend on exchanges, stablecoin issuers, and fiat on-ramps and off-ramps to function. Coordinated regulation and enforcement against these access points—particularly across jurisdictions that facilitate intermediary flows—can significantly constrain the usability of sanctions-evading assets. While measures such as wallet blacklisting and exchange sanctions have had impact, they must evolve from reactive tools into part of a broader, proactive strategy (1).
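The screening logic that sections III and VII describe, on-chain monitoring that can see past a designated wallet to the fresh addresses funds migrate into, reduces to taint propagation over a transaction graph. The following is an added example, not code from the original post or from any analytics vendor named in it: it walks a constructed ledger outward from a sanctions set and grades a deposit address by how many hops separate it from a designated wallet. Every address, transaction id and amount is a placeholder, and the hop limit and the block/review/allow thresholds are assumptions, not any regulator's rule.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (tx_id, from_address, to_address, amount).
# All identifiers are placeholders, not real on-chain addresses.
SAMPLE_TXS = [
    ("tx1", "addr_sanctioned_exchange", "addr_hop1", 500.0),
    ("tx2", "addr_hop1", "addr_hop2", 450.0),
    ("tx3", "addr_hop2", "addr_fresh_deposit", 440.0),
    ("tx4", "addr_clean_user", "addr_fresh_deposit", 10.0),
    ("tx5", "addr_clean_user", "addr_other", 20.0),
]

# Assumed designation list: one placeholder exchange wallet.
SANCTIONED = {"addr_sanctioned_exchange"}


def build_graph(txs):
    """Adjacency list: sender -> [(receiver, tx_id), ...]."""
    graph = defaultdict(list)
    for tx_id, src, dst, _amount in txs:
        graph[src].append((dst, tx_id))
    return graph


def exposure(txs, sanctioned, max_hops=3):
    """Breadth-first walk from every designated address along the direction
    funds flowed. Returns {address: hops}, where hops == 0 is the designated
    address itself and hops == n means funds reached it after n transfers.
    Addresses further than max_hops away are not reported, which is exactly
    the blind spot that rapid migration to fresh wallets exploits."""
    graph = build_graph(txs)
    hops = {addr: 0 for addr in sanctioned}
    queue = deque(sanctioned)
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue
        for nxt, _tx_id in graph[current]:
            if nxt not in hops:
                hops[nxt] = hops[current] + 1
                queue.append(nxt)
    return hops


def screen_deposit(address, txs, sanctioned, max_hops=3):
    """Decision a deposit-screening hook would return (assumed policy):
    'block' for the designated wallet or a direct counterparty,
    'review' for indirect exposure within max_hops, 'allow' otherwise."""
    distance = exposure(txs, sanctioned, max_hops)
    if address not in distance:
        return "allow"
    return "block" if distance[address] <= 1 else "review"


if __name__ == "__main__":
    for addr in ("addr_hop1", "addr_fresh_deposit", "addr_other"):
        print(addr, screen_deposit(addr, SAMPLE_TXS, SANCTIONED))
```

Running the same screen with `max_hops=2` returns "allow" for `addr_fresh_deposit`, even though three of its transfers trace back to the designated wallet. That is the gap the text describes: a static blacklist catches the node, while funds that have already moved a few hops past the screening depth look clean unless the hop limit and the designation list are continuously updated.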

At the same time, deterrence must be redefined. Financial penalties alone are insufficient against actors who operate in decentralized and jurisdictionally fragmented environments. Effective deterrence will require a combination of cyber operations, asset seizures, and coordinated disruption of ransomware and illicit financial infrastructure. Public-private collaboration will be essential, as much of the expertise and visibility into these networks resides within the private sector.

Beyond enforcement, the West must also compete. Developing secure, efficient, and transparent alternatives—such as regulated digital payment systems, central bank digital currencies, and compliant stablecoin frameworks—can reduce the relative attractiveness of shadow financial networks. If legitimate systems offer greater speed, cost efficiency, and accessibility, the incentive to rely on illicit alternatives diminishes.

Finally, this issue must be understood in its broader geopolitical context. Russia’s crypto ecosystem is not an isolated case but part of a wider movement toward financial fragmentation, in which states seek parallel systems to reduce dependence on Western institutions. Addressing this trend will require sustained international coordination, including strategic engagement with non-Western jurisdictions that play intermediary roles in these networks (4).

In this evolving landscape, success will not be measured by the elimination of illicit systems, but by the ability to constrain, outpace, and adapt to them. The future of financial warfare will belong to those who can align technological capability with strategic coherence—building financial architectures that are not only secure, but resilient against continuous disruption.

Bibliography:

  1. U.S. Department of the Treasury. “Treasury Sanctions Cryptocurrency Exchange and Network.” https://home.treasury.gov/news/press-releases/sb0225
  2. Chainalysis. Crypto Crime Report 2026. https://www.chainalysis.com
  3. Royal United Services Institute (RUSI). “The Shadow Crypto Economy Feeding Russia’s War Machine.” https://www.rusi.org
  4. Center for European Policy Analysis (CEPA). “A Crypto River Runs Through Russia.” https://cepa.org
  5. BankInfoSecurity. “U.S. Sanctions Crypto Exchange Tied to Russian Ransomware.” https://www.bankinfosecurity.com
  6. TRM Labs. “Garantex, Grinex, and the A7A5 Token.” https://www.trmlabs.com
  7. Elliptic. “Russia-Linked Crypto Platforms’ Ongoing Sanctions Evasion.” https://www.elliptic.co
  8. Reuters. “Sanctioned Russian Crypto Exchange Suspends Services.” https://www.reuters.com
  9. Business Insider. “Russia’s Crypto Shadow Economy.” https://www.businessinsider.com
  10. Financial Times. “Illicit Crypto Flows Surge to Record Levels.” https://www.ft.com
  11. National Crime Agency. “Operation Destabilise.” https://www.nationalcrimeagency.gov.uk
  12. Zola, Francesco et al. “Assessing the Impact of Sanctions in the Crypto Ecosystem.” https://arxiv.org/abs/2409.10031

Chinese Hackers Stole About 614GB of Data from Unnamed U.S. Navy Contractor

A series of cyber attacks backed by Chinese government hackers earlier this year infiltrated the computers of a U.S. Navy contractor, allowing a large amount of highly sensitive data on undersea warfare to reportedly be stolen. The intrusions were likely carried out by a People’s Liberation Army unit, known as Unit 61398, which is staffed by skilled Chinese hackers who have pilfered corporate trade secrets to benefit Chinese state-owned industry. The breaches, which took place in January and February 2018, included secret plans to develop a supersonic anti-ship missile for use on US submarines by 2020, according to American officials.

This data was of a highly sensitive nature despite being housed on the contractor’s unclassified network – putting it there was a mistake that exacerbated the vulnerability. A contractor who works for the Naval Undersea Warfare Center in Newport, R.I. — a research and development center for submarines and underwater weaponry — was the target of the hackers, the Post reported. While the unnamed officials did not identify the contractor, they told the newspaper that a total of 614 gigabytes of material was taken. Included in that data was information about a secret project known as Sea Dragon, in addition to signals and sensor data and the Navy submarine development unit’s electronic warfare library. The Washington Post said it agreed to withhold some details of what was stolen at the request of the U.S. Navy over fears it could compromise national security.

A Navy spokesperson told Fox News in a statement the service branch will not comment on specific incidents, but cyber threats are “serious matters” officials are working to “continuously” bolster awareness of. “There are measures in place that require companies to notify the government when a cyber incident has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Cmdr. Bill Speaks said. “It would be inappropriate to discuss further details at this time.”

Military experts fear that China has developed capabilities that could complicate the Navy’s ability to defend US allies in Asia in the event of a conflict with China. The Chinese are investing in a range of platforms, including quieter submarines armed with increasingly sophisticated weapons and new sensors, Admiral Philip Davidson said during his April nomination hearing to lead US Indo-Pacific Command. And what they cannot develop on their own, they steal – often through cyberspace, he said. “One of the main concerns that we have,” he told the Senate Armed Services Committee, “is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances.”

Chinese government hackers have previously targeted information on the U.S. military, including designs for the F-35 joint strike fighter, which they copied. Last year, South Korean firms involved in the deployment of the U.S. Army’s Terminal High-Altitude Area Defense, or THAAD, missile defense system were targeted, the Wall Street Journal reported at the time. No matter how fast the government moves to shore up its cyber defenses, and those of the defense industrial base, the cyber attackers move faster.

Compiled from Jennifer Griffin at Fox News, The Post, The Wall Street Journal, Independent News, and Huff Post. Edited and curated by Jeremy Swenson of Abstract Forward Consulting.

Three Points on Artificial Intelligence and Cyber-Security for 2017

Although I have been known for longer posts, I would like to offer only three things to watch out for related to artificial intelligence and cyber-security for 2017, followed by sharing two videos.

1) Cyber attackers have long used machine learning and automation techniques to streamline their operations and may soon use full-blown artificial intelligence to do it. Botnets will become self-healing, able to detect when they are being discovered and re-route in response. The botnet and cyber crime business will grow and become more organized. Shodan, the world’s first search engine for internet-connected devices, will be used by attackers to target companies and individuals. Yet it can also be used for safety and compliance monitoring, most likely when its feed is piped into another analytical tool.

How to Hack with Shodan (For Educational Purposes Only):

2) It won’t be long until A.I. learns the patterns of mutating viruses and then has the ability to predict and/or stop them in their tracks. This depends on having the most up-to-date virus definitions and corresponding algorithms. How a zero day is made is heavily a math problem applied to a certain context and operating system. There should be a math formula to predict the next most likely zero-day exploit, and A.I. could provide this. It is a matter of calculating all possible code variants and add-on variations. It’s a lot more advanced than a Rubik’s Cube.

3) A.I. has the potential to close the gap between the lesser developed world and the developed world. The technology behind A.I. is not limited to big companies like IBM or Microsoft for the long term. We may be surprised by tech start-ups out of the lesser developed world that are very creative. Lack of fiber optic cable connectivity has forced many lesser developed nations to rely heavily on cell tower smartphone-based internet communications. This has inspired a mobile app growth wave in parts of Africa, as described here: “the use of smartphones and tablets within the country has led to a mobile revolution in Nigeria. Essentially, people now tend to seek mobile solutions more often and thus, enhance the growth of the mobile app development industry” (Top 4 Mobile App development companies in Nigeria, IT News Africa, 2015). A.I. will likely narrow the gap between these two sectors, though not drastically change it. If lesser developed countries can build their own mobile apps and outsource things to A.I., they could become more independent from the economic constraints of the developed world.

The below video highlights some of the complications around these points. It is from a conference hosted by the ICIT on April 25, 2016, and I did not attend this. In the video, Donna Dodson (Associate Director, Chief Cybersecurity Advisor and Director, NIST), Mark Kneidinger (Director, Federal Network Resiliency, DHS), Malcolm Harkins (ICIT Fellow – Cylance) and Stan Wisseman (ICIT Fellow – HPE) discuss related concepts and share realistic examples of how these technologies are reshaping the cyber-security landscape.

ICIT Forum 2016: Artificial Intelligence Enabling Next-Generation Cybersecurity

If you want to contact me to discuss these concepts click here.

Demystifying 9 Common Types of Cyber Risk

1) Crimeware
This is designed to fraudulently obtain financial gain from either the affected user or third parties by emptying bank accounts, trading confidential data, etc. Crimeware most often starts with advanced social engineering, which results in disclosed info that leads to the crimeware being installed via programs that run on botnets: zombie computers in distant places used to hide the fraudster’s IP (internet protocol) trail. Usually the victim does not know they have crimeware on their computer until they start to see weird bank charges or the like, or an I.T. professional points it out to them. Oftentimes it masquerades as fake but real-looking antivirus software demanding your credit card info in an effort to then commit fraud with that info.

2) Cyber-Espionage
The term generally refers to the deployment of viruses that clandestinely observe or destroy data in the computer systems of government agencies and large enterprises – unauthorized spying by computer, tablet, or phone. Antivirus maker Symantec described one noteworthy example where the U.S. Gov’t made a worm to disable Iran’s nuclear reactors arguably in the name of international security (Fig. 1).

“Stuxnet is a computer worm that targets industrial control systems that are used to monitor and control large scale industrial facilities like power plants, dams, waste processing systems and similar operations. It allows the attackers to take control of these systems without the operators knowing. This is the first attack we’ve seen that allows hackers to manipulate real-world equipment, which makes it very dangerous. It’s like nothing we’ve seen before – both in what it does, and how it came to exist. It is the first computer virus to be able to wreak havoc in the physical world. It is sophisticated, well-funded, and there are not many groups that could pull this kind of threat off. It is also the first cyberattack we’ve seen specifically targeting industrial control systems” (Accessed 03/20/16, Norton Stuxnet Review).

Richard Clarke is the former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States and he commentated on Stuxnet and cyber war generally in this Economist Interview from 2013.

Fig.1.

3) Denial of Service (DoS) Attacks
A DoS attack attempts to deny legitimate users access to a particular resource by exploiting bugs in a specific operating system or vulnerabilities in the TCP/IP implementation (internet protocols) via a botnet of zombie computers in remote areas (Fig. 2). This allows one host (usually a server or router) to send a flood of network traffic to another host (Fig. 3). By flooding the network connection, the target machine is unable to process legitimate requests for data. Thus the targeted computers may crash or disconnect from the internet from resource exhaustion – consuming all bandwidth or disk space, etc. (Fig. 3). In some cases they are not very harmful, because once you restart the crashed computer everything is on track again; in other cases they can be disasters, especially when you run a corporate network or ISP (internet service provider).
Fig. 2. and Fig. 3. (Botnet and TCP image)
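The flood described above leaves a simple footprint in an access log: one source issuing far more requests per window than any legitimate client. The following is an added example, not code from the original post, of the detection side: a sliding-window counter per source IP over constructed log lines. The log format (ISO timestamp, source IP, method, path), the IP addresses, the 10-second window and the 100-request threshold are all assumptions made for the example; a real deployment would tune the window and threshold to its own baseline traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access log, not captured traffic: one source firing 150
    requests in about five seconds (a flood pattern) and one normal client
    making six requests spread over a minute. IPs are documentation ranges."""
    base = datetime(2016, 3, 20, 10, 0, 0)
    lines = []
    for i in range(150):
        ts = (base + timedelta(milliseconds=33 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 GET /")
    for i in range(6):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 GET /index.html")
    return lines


def parse_line(line):
    """Split '<iso-timestamp> <src-ip> <method> <path>' into (datetime, ip)."""
    ts, src, _method, _path = line.split(" ", 3)
    return datetime.fromisoformat(ts), src


def flood_sources(lines, window_seconds=10, threshold=100):
    """Return {source_ip: peak_requests_in_window} for every source whose
    request count inside any sliding window reached the threshold.
    Sources below the threshold are omitted."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src = parse_line(line)
        by_src[src].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window's left edge forward until it spans <= window.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    print(flood_sources(build_sample_log()))
```

The counter is per source, so it catches a single flooding host but will not, by itself, surface a distributed flood where each bot stays under the threshold; for that the same window logic is applied to the aggregate request rate per target, with the per-source view used afterwards to rank the contributors.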
4) Insider and Privilege Misuse
Server administrators, network engineers, outsourced cloud workers, developers, I.T. security workers, and database administrators are given privileges to access many or all aspects of a company’s IT infrastructure. Companies need these privileged users because they understand source code, technical architecture, file systems and other assets that allow them to upgrade and maintain the systems; yet this presents a potential security risk.

With the ability to easily get around controls that restrict other non-privileged users, they sometimes abuse what should be temporary access privileges to perform tasks. This can put customer data, corporate trade secrets, and unreleased product info at risk. Savvy companies implement multi-layered approvals, advanced usage monitoring, 2- or 3-step authentication, and a strict need-to-know policy with an intelligible oversight process.

5) Miscellaneous Errors
This is basically an employee or customer doing something stupid and unintentional that results in a partial or full security breach of an information asset. This does not include lost devices as that is grouped with theft – this is a smaller category. The 2014 Verizon Enterprise Data Breach Investigation Report gives an example of this category as follows:

“Misdelivery (sending paper documents or emails to the wrong recipient) is the most frequently seen error resulting in data disclosure. One of the more common examples is a mass mailing where the documents and envelopes are out of sync (off-by-one) and sensitive documents are sent to the wrong recipient” (Accessed 02/21/16, Page 29).

6) Payment Card Skimmers
This is a method where thieves steal your credit card information at the card terminals, often at bars, restaurants, gas stations, sometimes at bank ATMs, and especially where there is low light, no cameras, or anything to discourage the criminal from tampering with the card terminal.

Corrupt employees can have a skimmer stashed out of sight, or crooks can install hidden skimmers on a gas pump. Skimmers are small devices that can scan and save credit card data from the magnetic stripe (Fig. 4). After the card slides through the skimmer, the data is saved, and the crooks usually then sell the information through the internet or, if they really want to be secure, the Darknet, which is a non-mainstream internet that requires a special browser or plug-in to access. After this, counterfeit cards are made, bogus charges show up, and the bank eats the costs, which unfortunately drives up the cost of banking for everyone else. Also, some skimmers have mini cameras which record the PINs typed at ATMs for a more aggressive type of fraud (Fig. 5). Here are two images of skimmer technologies:

Fig. 4. and Fig. 5. (Card Skimmer and Camera)

7) Physical Theft and Loss
This includes armed robbery, theft by accident, and/or any type of device or data lost. Although some of the stolen or lost items may never end up breached or used for fraud, sometimes they are, depending on what device and/or what data is on that device, whether it was encrypted or not, whether the data could be deleted remotely, etc.

8) Point of Sale Intrusions
See my 2014 post on the Target Data Breach here for a good example.

9) Web App Attacks
These incidents were carried out primarily via manipulation of vulnerabilities in input validation and authentication affecting common content management systems like Joomla, Magento, SiteCore, WordPress, and Drupal.

According to the 2015 Verizon Data Breach Investigation Report, these types of attacks are not only a reliable method for hackers but also fast, with 60% of the compromises taking a few minutes or less (Accessed 02/21/16). With web applications commonly serving as an organization’s public face to the Internet, the ease of exploiting web-based vulnerabilities is alarming (Accessed 02/21/16, 2015 Verizon Data Breach Investigation Report). According to The Open Web Application Security Project, these are two common types of web app weaknesses (Accessed 02/21/16, 2013, OWASP 10 Most Critical Web Application Security Risks):

“i) Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

ii) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping (Fig. 6.). XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites access unauthorized pages”.

Fig. 6. (RXSS)

Jeremy Swenson, MBA is a seasoned, Intel-certified retail technology marketing and training representative on assignment at Best Buy for clients including Intel, Trend Micro, Adobe, and others. He also doubles as a Sr. business analyst and project management consultant. Tweet to him @jer_Swenson.
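The two OWASP weaknesses quoted above both come down to untrusted data reaching an interpreter (the SQL engine, the browser) without being separated from the code around it. The following is an added example, not code from the original post or from OWASP: each flaw is shown as a vulnerable function beside its hardened form, run against a constructed in-memory SQLite table so the difference is observable. The table layout, the sample users and the input strings are made up for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table with two placeholder users (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "secret-1"), (2, "bob", "secret-2")],
    )
    return con


def lookup_vulnerable(con, name):
    """Injection flaw: the untrusted value is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    """Hardened form: a parameterized query. The driver binds the value
    separately from the statement, so it can never be parsed as SQL."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_vulnerable(comment):
    """XSS flaw: untrusted text placed into HTML with no escaping."""
    return f"<p>{comment}</p>"


def render_safe(comment):
    """Hardened form: HTML-escape the value for the context it lands in
    (element body here), so markup in the input is shown, not executed."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"           # classic injection probe used in OWASP examples
    print(lookup_vulnerable(con, probe))   # every user is returned
    print(lookup_safe(con, probe))         # nothing matches that literal name
    print(render_safe("<script>alert(1)</script>"))
```

Escaping is context-specific: `html.escape` is right for text inside an element or a quoted attribute, but a value dropped into a URL, a JavaScript block or a CSS property needs the encoder for that context, which is why the OWASP guidance says "validation or escaping" rather than one fixed transform.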