A young man made a phone call to the MGM Resorts IT helpdesk. He introduced himself as an employee who had lost access to his multi-factor authentication device. Standard procedure. The helpdesk representative followed protocol, verified some basic account information, and reset the credentials. Within hours, MGM Resorts' casino floors were dark. Slot machines showed error screens. Hotel guests could not check in digitally. The reservation system was down.
The eventual damage would exceed $100 million. The attacker was 19 years old. He was a member of Scattered Spider, a loosely organized group of English-speaking hackers who had discovered that the most sophisticated security infrastructure in the world could be bypassed with a convincing phone manner and access to LinkedIn.
The malware — ALPHV/BlackCat ransomware — was not theirs. They had rented it. The credentials that got them into MGM's systems had been purchased. The infrastructure they used to encrypt files had been provided by someone else entirely. The ransom, if paid, would have been laundered through a chain of cryptocurrency services, brokers, and human networks before arriving as clean money in someone's Moscow bank account.
At no point in that entire chain did any single person need to do everything. That is the point. That is why this is hard.
Modern ransomware is not a threat actor. It is a supply chain. A network of specialized criminal service markets, each contributing a component, connected by underground marketplaces, governed by reputation systems, and protected by Russian state tolerance that ranges from passive to active depending on how useful any given operator happens to be.
This primer is a map of that supply chain — its structure, its key players, its financial flows, and the specific levers that Western law enforcement and intelligence agencies can pull to degrade it. It is written for analysts who are encountering this ecosystem for the first time and need a foundation that does not obscure the complexity behind jargon.
Forget the image of the lone hacker. The ransomware ecosystem that produced the Colonial Pipeline attack, the MGM breach, the MOVEit campaign, and seven thousand four hundred and sixty publicly named victims in 2024 operates like a mature organized crime enterprise. There are bosses, middle management, specialists, and foot soldiers. There are vendors, suppliers, and service providers who may have no idea — or may not care — whose operations they are supporting.
The diagram below shows how it is organized. Think of it as a nine-story building. The foundation is the infrastructure — the physical hosting that everything else depends on. At the top is the money: the OTC brokers and exchanges and mule networks that convert crypto proceeds into real-world wealth. In the middle, on the fifth floor, is the boardroom — the RaaS groups that run the operation. Every other floor exists to either supply the boardroom or process its outputs.
The Three Disruption Phases
Western law enforcement and intelligence agencies have developed a three-phase framework for attacking this structure. The logic is sequential: attack the financial infrastructure first, because it takes longest to rebuild and degrades the economic incentive to reconstitute when operational pressure follows. Attack market infrastructure second. Attack operational infrastructure last — when the financial and market layers are already degraded.
Phase A: Cut the Money
Target the financial rails before anything else. When OTC brokers and exchanges are disrupted, criminal proceeds have nowhere to go. Reconstitution becomes economically painful, not just operationally inconvenient.
- OTC Brokers (Module 12)
- Exchanges / Launderers (Module 13)
- Bulletproof Hosting (Module 09)
Phase B: Degrade the Markets
While financial pressure applies, attack the trust and market infrastructure. When forums are infiltrated and IAB trust mechanisms are compromised, transaction costs rise for everyone in the ecosystem.
- IAB Markets (Module 05)
- Underground Forums (Module 10)
- Crypto Mixers (Module 11)
Phase C: Hit the Operations
Direct operator action — the most visible and most satisfying — is also the least durable without Phases A and B already in place. With financial and market pressure applied, brand reconstitution becomes expensive and slow rather than trivial.
- RaaS Core Teams (Module 07)
- Leak Sites (Module 08)
- Loaders / Stealers (01, 02)
Act One: Getting In
The entry point varies, but it almost always involves one of three routes: someone was tricked (a phishing email, a phone call, a malicious advertisement); a credential was already for sale (an IAB listing from a stealer-harvested log); or a vulnerability was already known and exploited (an n-day in a VPN appliance, a zero-day in a file transfer platform).
The caller or spammer is often the first human contact. Their job is deception — convincing an IT helpdesk employee that a password reset is legitimate, getting a finance employee to open an attachment, manufacturing the moment of trust that every subsequent technical step depends on. In the Scattered Spider model, this is a phone call. In the BazarCall model, it is an email that prompts the victim to call the attacker. In the AI vishing model, it is an automated system with a cloned voice that sounds like the victim's actual colleague.
The loader executes on the victim's machine and calls home. It does not carry the ransomware itself — that comes later. First, it establishes persistence. It identifies the environment. It downloads a stealer to harvest credentials. It begins the slow, methodical process of understanding the network it has just entered. This phase can last hours. In sophisticated operations, it lasts weeks.
"The time between initial access and ransomware deployment — the 'dwell time' — has dropped from an average of 16 days in 2021 to under 24 hours in some 2024 campaigns. Operators are getting faster. Defenders have less time to find them."
— Multiple incident response firm reports, 2024
Act Two: The Sale
In many operations, the affiliate who eventually deploys the ransomware was not involved in any of the above. They bought access. An Initial Access Broker listed the corporate VPN credentials on a dark web forum — documented, priced, and waiting for a buyer. The affiliate purchased them, verified the access, and began planning the deployment. The broker never interacted with the victim. Never knew what the affiliate would do. Never faced meaningful legal risk.
This is the division of labor that made ransomware scalable. Compromising a network is skilled work. Deploying ransomware across a complex enterprise is different skilled work. Laundering the proceeds is yet another specialized skill. The RaaS model fragments these specializations deliberately — each actor knows only their piece, reducing risk and allowing each function to be optimized independently.
Act Three: The Detonation
The RaaS affiliate has been inside the network for some time before they move. They escalate privileges. They identify domain controllers. They find the backup systems — and quietly delete or encrypt them first. They exfiltrate the most sensitive data available: financial records, patient files, legal documents, personnel records. Then they detonate.
On a Tuesday morning in an organization somewhere, hundreds of employees arrive at workstations showing identical ransom notes. The note has a URL, a Bitcoin address, and a countdown clock. It is professionally formatted. It includes the organization's name and a sample of stolen data to demonstrate the exfiltration is real. The negotiations are about to begin.
Act Four: The Money
If payment occurs — and in 35% of cases, it does not — the cryptocurrency moves through a well-established chain. Mixing first: the payment goes through Chipmixer, or Tornado Cash, or CoinJoin, or a cross-chain bridge. The traceability chain breaks. Then OTC brokers in Moscow convert large positions to fiat in bilateral meetings — no paperwork, no KYC, a fee of 1-5%, an understanding of what is not discussed. Then exchanges process volume. Then mule networks layer the fiat through account chains, real estate purchases, and shell company transactions, until it is indistinguishable from legitimate wealth.
TRM Labs confirmed in 2024 that more than half of mule-linked funds exit within one hour of receipt. By the time the victim has finished calling their cyber insurance carrier, the money is already in a Moscow apartment.
On a server farm somewhere east of Moscow, an automated system is processing 400,000 stolen credential packages an hour. Each package — called a 'log' — contains the usernames, passwords, banking session tokens, and cryptocurrency keys scraped from one infected computer. A forum operator is pricing them. Corporate logins go for $50. A login to a healthcare network's VPN? $3,000. It's sold before breakfast.
How It Works
Infostealer malware runs silently on infected machines, vacuuming up everything of value and shipping it home. The malware itself is rented — LummaC2, RedLine, Vidar — subscription services starting around $200/month. The output is sold on log markets (Russian Market, 2easy) that operate like commodity exchanges for stolen identity.
Why It Matters
This is the raw material layer. Every credential the ransomware affiliate uses to walk into a victim's network started here. Stealers are the agricultural sector of the criminal economy — they grow the crop that the rest of the supply chain processes.
What the Record Shows
- Microsoft DCU seized 2,300+ LummaC2 domains in May 2025 — the largest single infrastructure strike against any stealer family to date
- Genesis Market seizure (2023): FBI notified 920,000 victims. Volume shifted to Russian Market within weeks — the infrastructure was gone, the market was not
- The tactical shift of 2024: session token theft now prioritized over static passwords as enterprises adopt MFA. Operators adapt faster than defenders patch.
'QakBot is down.' In the summer of 2023, that message circulated through criminal forums within hours of the FBI seizing QakBot's command-and-control infrastructure. By the time the FBI was issuing press releases, QakBot's operators were already standing up Pikabot. When Pikabot got swept up in Operation Endgame in 2024 alongside IcedID, Bumblebee, and SmokeLoader, their successor — Latrodectus — was already in testing. This is what reconstitution looks like in real time.
How It Works
Loaders are the delivery trucks of the malware ecosystem. Their job is simple: get onto a machine and execute whatever the operator sends next. They are rented by the week or month — Loader-as-a-Service, $100-$1,000 depending on the infrastructure quality and the delivery vector. Raspberry Robin spreads through USB drives and infected IoT devices. Gootloader hijacks search engine results for legal document searches. Bumblebee pretended to be software installers.
Why It Matters
Without loaders, ransomware groups either need to handle initial access themselves (expensive, slow) or buy access from IABs. Loaders industrialize the front door of every attack.
What the Record Shows
- Operation Endgame (May 2024): Europol and FBI simultaneously seized infrastructure for IcedID, Bumblebee, SmokeLoader, and Pikabot. Called the largest loader operation on record. Latrodectus was in active deployment within three months
- Operation Duck Hunt (2023): FBI sinkholed QakBot's C2, notifying 700,000 victims. QakBot operators had Pikabot ready before the press conference was over
- The lesson from Endgame: single-family takedowns produce rapid migration. Simultaneous multi-family action forces operators to rebuild from scratch rather than pivot to a ready alternative
A researcher at a major antivirus company discovered something interesting in 2024: on the major criminal forums, three sellers were responsible for the majority of all obfuscation sales. Three people, providing the invisibility cloak for the majority of malware targeting Western organizations. None of them had ever faced a law enforcement action. None of them ever have.
How It Works
Crypter-as-a-Service provides the obfuscation layer that makes malware undetectable to antivirus scanners at delivery. FUD — Fully Undetectable — is the product. It burns fast: AV vendors detect and signature the new stubs within days, so operators repurchase constantly. The market runs through criminal forums and automated Telegram bots. Open all day, every day. Accepts crypto.
Why It Matters
Every piece of malware in the delivery chain — stealers, loaders, ransomware payloads — needs to survive endpoint detection on arrival. Crypters are the last line of offense before the defender's first line of defense.
What the Record Shows
- No major law enforcement action against any CaaS operator as of April 2026. This is the most significant gap in the enforcement record
- Market concentration creates a paradox and an opportunity: 1-3 sellers dominate volume on each major forum, meaning a single prosecution disrupts supply for hundreds of downstream operators simultaneously
- AV/EDR coordination (CISA) is the primary counter-measure available: accelerating signature deployment compresses the FUD validity window from weeks to hours
In September 2023, a teenager called the MGM Resorts IT helpdesk. He claimed to be an employee who had lost access to his account. The helpdesk representative — following standard procedure — reset his credentials. Within hours, MGM Resorts' operations were locked. The casino floors went dark. Slot machines stopped paying out. The eventual damage: $100 million, plus remediation. The teenager was 19 years old and a member of Scattered Spider.
How It Works
Social engineering operators bridge the gap between technical malware delivery and human vulnerability. The BazarCall model sends phishing emails that prompt victims to call attacker-controlled numbers; trained operators on the other end convince IT staff to install 'remote support' tools. AI vishing platforms (Vishing-as-a-Service, such as PlugValley) now provide real-time call scripts, voice modulation, and enterprise org charts to operators who may not even speak English as a first language.
Why It Matters
Social engineering attacks bypass every technical control. Firewalls, EDR, MFA — none of it matters if a trained operator can convince an IT administrator to disable it themselves.
What the Record Shows
- Scattered Spider prosecutions (2023-2024): UK and US arrested multiple members, demonstrating that English-speaking operators are identifiable and prosecutable
- Victim-side hardening: mandatory out-of-band verification for all helpdesk credential resets eliminates the BazarCall attack surface entirely — no law enforcement action required
- The AI vishing frontier: PlugValley and similar platforms let a non-English speaker run a convincing IT helpdesk impersonation in any accent. The skill floor is dropping to zero
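The out-of-band verification control described above, as an added example that is not code from the original primer: a helpdesk reset gate that only delivers the one-time code to the contact channel HR already has on file, ignores any number the caller supplies, and locks the request after repeated failures so the remaining path is escalation rather than a reset. The directory, names, phone numbers and the `sms_sender` hook are constructed assumptions.

```python
"""Out-of-band verification gate for helpdesk credential and MFA resets.

Added example, not from the original page. Models the control the
social-engineering module recommends: a reset is approved only after a
one-time code is confirmed over a channel that HR already has on file, never
over a channel the caller names on the phone. The directory, phone numbers
and names below are constructed sample data.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed HR directory: employee id -> (display name, phone number on file).
HR_DIRECTORY = {
    "e1001": ("Alex Rivera", "+1-555-0101"),
    "e1002": ("Sam Chen", "+1-555-0102"),
}

MAX_ATTEMPTS = 3


@dataclass
class ResetRequest:
    employee_id: str
    ticket_id: str
    # Channel the caller asked us to use. Kept for the audit trail only;
    # it is never used to deliver the code.
    caller_supplied_contact: Optional[str] = None
    state: str = "pending"
    failed_attempts: int = 0
    _code: Optional[str] = field(default=None, repr=False)
    audit: List[str] = field(default_factory=list)


class HelpdeskResetGate:
    def __init__(self, sms_sender):
        # sms_sender(phone, text) is an assumed hook for whatever the real
        # environment uses; tests inject a fake that records what it sent.
        self._send = sms_sender

    def open(self, employee_id, ticket_id, caller_supplied_contact=None):
        req = ResetRequest(employee_id, ticket_id, caller_supplied_contact)
        entry = HR_DIRECTORY.get(employee_id)
        if entry is None:
            req.state = "rejected"
            req.audit.append("unknown employee id")
            return req
        name, phone_on_file = entry
        if caller_supplied_contact and caller_supplied_contact != phone_on_file:
            req.audit.append(
                f"caller supplied {caller_supplied_contact!r}; ignored, using number on file"
            )
        # Six-digit code generated from the OS CSPRNG, sent only to the number on file.
        req._code = f"{secrets.randbelow(10**6):06d}"
        self._send(phone_on_file, f"Ticket {ticket_id}: verification code {req._code}")
        req.state = "awaiting_code"
        req.audit.append(f"code sent to number on file for {name}")
        return req

    def confirm(self, req, code):
        """Return True and approve the reset only when the code matches."""
        if req.state != "awaiting_code":
            req.audit.append(f"confirm called in state {req.state}")
            return False
        if hmac.compare_digest(code, req._code):
            req.state = "approved"
            req.audit.append("code verified; reset approved")
            return True
        req.failed_attempts += 1
        req.audit.append(f"wrong code ({req.failed_attempts}/{MAX_ATTEMPTS})")
        if req.failed_attempts >= MAX_ATTEMPTS:
            req.state = "locked"
            req.audit.append("locked; escalate to identity team before any reset")
        return False
```

The point of the design is that the caller's story never changes where the code goes: a convincing account of a lost device yields, at most, a text message to the real employee, and the audit trail records any attempt to redirect it.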
On RAMP forum, the listing reads: 'Domain Admin access — Fortune 500 healthcare company, US, 40,000 seats. VPN access confirmed. AV identified, evasion possible. Asking $8,500.' Below it, another: 'US logistics firm, 12,000 seats, domain admin. $3,200 OBO.' The broker who listed them compromised both networks last week. He will never deploy ransomware himself. That's someone else's job.
How It Works
Initial Access Brokers are specialists who compromise networks and sell the access rather than exploiting it themselves. This is the division of labor that made ransomware scalable. Two tiers: bulk IABs use automated scanning tools and sell commodity access ($500-$1,000); boutique IABs target specific sectors, document privileged access, and sell curated packages to discerning buyers ($2,700-$10,000+). Rapid7 found 71.4% of observed listings include domain admin or equivalent — not just a foothold, a kingdom.
Why It Matters
IABs decoupled the compromise function from the ransomware deployment function. RaaS groups no longer need to find victims — they shop for them. This is why ransomware scaled so rapidly after 2019.
What the Record Shows
- OFAC financial designation of boutique IABs: targets trust relationships, not just infrastructure — higher durability than server seizure
- FBI Raspberry Robin C2 sinkholing: disrupts the automated pipeline that feeds bulk IABs at scale
- The market is migrating away from public forum listings toward private channels — LE visibility is declining as security culture among IABs improves post-2022
In May 2023, CL0p had a zero-day. It was a vulnerability in MOVEit, a file transfer software used by thousands of enterprises for HR and payroll data. CL0p didn't just hit one target — they hit all of them simultaneously. Over the following weeks, 2,000+ organizations across 60 countries discovered their data was already gone. The ransom demands began arriving by letter, addressed to executives by name. The exploit itself had probably cost CL0p under $1 million. The extortion proceeds are estimated at over $100 million.
How It Works
Exploit brokers occupy the highest-value, lowest-visibility position in the supply chain. They acquire software vulnerabilities — often zero-days, often in widely-used enterprise platforms — and sell exploitation capability to whoever pays. The economics are grotesque: vendors pay $50,000 for a critical vulnerability report; criminal markets pay $500,000-$2,000,000 for the same information held privately. When researchers make that choice, the math is the math.
Why It Matters
A single quality zero-day enables simultaneous mass-scale attacks against every unpatched instance globally. It is qualitatively different from any other access method — not one victim, but thousands.
What the Record Shows
- Bug bounty price parity is the structural fix: when vendor programs pay at criminal-market rates, researchers have no rational incentive to sell to criminals. No law enforcement required, no Russian cooperation required
- Rapid patch deployment (CISA coordination) compresses the exploitation window from weeks to days — not eliminating zero-day risk but significantly limiting its reach
- CL0p's MOVEit campaign is the benchmark: one exploit, 2,000+ victims, $100M+ proceeds. The calculus for investing in zero-day capability is now clearly established among top-tier criminal operators
At its peak, Conti had an org chart. There were departments: development, HR, negotiations, infrastructure, OSINT. There were performance reviews. Employees had salaries — junior developers earned around $1,500/month; senior operators earned multiples of that plus bonuses for successful deployments. There was a training program for new affiliates. When a researcher embedded in Conti's operations leaked 60,000 internal messages to journalists in 2022, the world got its first clear look at what a $180 million criminal enterprise's internal culture actually looks like. It looked like a startup.
How It Works
RaaS (Ransomware-as-a-Service) groups are the franchise headquarters of the criminal ecosystem. Core teams of 5-20 members develop and maintain the ransomware code, negotiation infrastructure, and victim-facing leak sites. Affiliates — sometimes hundreds of them — rent the tools, deploy against victims, and take 70-80% of proceeds. The core team takes 20-30% for doing none of the dangerous work. In 2025: 7,500+ victim organizations on DLS (record, up 50% YoY); $813M in confirmed payments (Chainalysis); LockBit claimed responsibility for 25% of all ransomware incidents at its peak.
Why It Matters
RaaS groups are the revenue engine that the entire ecosystem exists to serve. Every other module — stealers, IABs, BPH, mixers, OTC brokers — either feeds them inputs or processes their outputs.
What the Record Shows
- Operation Cronos (Feb 2024): LockBit infrastructure seized; 34 servers taken; 1,000+ decryption keys recovered; affiliates exposed by name. RansomHub absorbed LockBit's affiliates within 60-90 days
- FBI Hive infiltration (2022-2023): 7-month covert access; $130M in avoided victim payments; 300+ victims received decryption keys before seizure. Hive never reconstituted — the only documented case
- 72% victim non-payment rate in 2025 (record; 28% paid): the compound result of financial-layer enforcement, improved IR, and growing non-payment advocacy. Attack volume rose 50% but total payments held at ~$813M — the ecosystem is running harder for the same revenue
In December 2024, 621 organizations found their names on ransomware data leak sites in a single month — a record. Each listing was accompanied by a sample of stolen data, a countdown clock, and a message: pay, or the rest goes public. The targets included hospitals, utilities, law firms, and school districts. Some paid. Most did not. The data went up regardless.
How It Works
Data Leak Sites are the extortion infrastructure of double-extortion ransomware. When victims refuse to pay, operators publish stolen data — triggering regulatory investigations, notifying customers, and permanently damaging reputations. The DLS ecosystem has evolved: multi-tenant platforms now host multiple ransomware brands on shared infrastructure, meaning single-brand takedowns no longer take down the platform. They just remove one tenant.
Why It Matters
The DLS model permanently transformed ransomware. Even organizations with perfect backup practices now face a separate, independent extortion vector that has nothing to do with their ability to restore their systems.
What the Record Shows
- FBI Hive covert infiltration: 7 months of covert DLS access; $130M in avoided payments; 300+ victims received decryption keys BEFORE seizure. The key finding: covert access that helps victims is worth more than seizure that just removes the platform
- Operation Cronos LockBit DLS seizure: FBI reversed the countdown timers to taunt operators — maximum psychological impact; tactical brilliance
- Multi-tenant platforms are the evolution: RansomHub DLS hosts multiple groups. One seizure, multiple tenants disrupted simultaneously — but also one platform survives the disruption of any individual brand
On February 11, 2024, the US Treasury designated Zservers and Media Land LLC. The press release was unusually specific: Zservers' CEO had publicly stated that Russian state agencies were aware of his operations. He was not making a complaint. He was making a guarantee. The designation froze Western financial access. His servers kept running.
How It Works
Bulletproof Hosting providers are the criminal landlords — they rent server space with an explicit, advertised guarantee: no cooperation with law enforcement, no logs provided, no response to abuse complaints. They charge a premium for this guarantee. Zservers, Aeza, BEARHOST, Media Land — these companies operate with the full knowledge of Russian authorities and the full protection that entails. A Sophos investigation in 2025 identified a single virtual machine template image underlying over 7,000 active ransomware-linked servers.
Why It Matters
BPH is the physical foundation of the entire ecosystem. Every leak site, every C2 server, every loader delivery platform, every forum runs on BPH somewhere in its infrastructure. Disrupting BPH is the only single action that simultaneously degrades all dependent modules.
What the Record Shows
- Upstream ISP depeering (McColo model, 2008): Hurricane Electric cut McColo's internet access; global spam dropped 75% within hours. McColo never recovered. This is the gold standard and it requires only carrier cooperation — not Russian state cooperation
- Zservers/Media Land joint designation (2024): most significant BPH enforcement action in history. Aeza and BEARHOST absorbed the displaced clients within months — the market did not contract, it redistributed
- Sophos VM template fingerprint: 7,000+ ransomware-linked servers sharing a single underlying image. A detection opportunity that has not yet been exploited at scale
When Conti's internal messages leaked in 2022, the most damaging thing wasn't what they revealed about Conti. It was what they revealed about the forum identities linked to Conti operators. On the forums where criminal transactions happen, reputation is everything. Those handles — built over years, verified through thousands of transactions — were burned overnight. The intelligence operation that produced the leak caused more sustained damage to the ecosystem's trust infrastructure than any server seizure in the period.
How It Works
Underground forums are the governance layer of the criminal economy. They are not just marketplaces — they are the institution that makes criminal commerce possible: reputation systems where operators build years of verified transaction history; escrow services where funds are held during deals; dispute resolution where trusted forum moderators adjudicate contract violations; recruitment boards where RaaS groups post affiliate job listings. Exploit.in and XSS.is have operated continuously since approximately 2010-2012 with no law enforcement action.
Why It Matters
Without forums, criminal transactions cannot be trusted. IAB sales require escrow. Affiliate recruitment requires reputation. Service procurement requires verified seller histories. Destroy the trust infrastructure and you raise transaction costs for every actor in the ecosystem simultaneously.
What the Record Shows
- Trust manipulation > seizure: the Conti leak simultaneously burned handles, destroyed verified transaction histories, and collapsed trust in Conti-linked forum identities. No server seizure achieves that
- BreachForums was seized three times (v1 2023, v2 2024) and reconstituted within weeks each time — forum URLs are not the target; administrator identification and trust destruction are
- Forum infiltration and manipulation: implanting false reputation data, operating as a trusted escrow service, or exposing transaction records destroys what took operators years to build
When the FBI seized Chipmixer's servers in March 2023, they found 7 servers and $46 million in cryptocurrency. What they did not find was the $3 billion that had already passed through. Chipmixer had processed ransomware proceeds, darknet market funds, and North Korean state-sanctioned crypto theft for years. It charged between 1% and 3% for its services and ran entirely without KYC. The operators were known pseudonymously to the criminal community. Their service was essential. When it went down, the ecosystem shifted to Sinbad.io within weeks. Sinbad was seized nine months later. The ecosystem shifted again.
How It Works
Cryptocurrency mixing services pool funds from multiple criminal and (sometimes unwitting) legitimate sources and return equivalent amounts, breaking the blockchain traceability chain. Custodial mixers take physical possession of funds. Decentralized mixers (Tornado Cash, CoinJoin protocols) use smart contracts with no central operator — harder to seize, harder to prosecute, harder to disrupt.
Why It Matters
Without mixing, every ransom payment is a public blockchain transaction traceable from the victim's wallet to the criminal's wallet. Mixing is the technical mechanism that makes crypto criminally useful.
What the Record Shows
- Tornado Cash designation (Aug 2022): first-ever OFAC designation of a smart contract. Partial operational impact — the protocol kept running, but fiat on/off ramps for US-nexus actors were severed
- Chipmixer seizure (Mar 2023): $3B+ in criminal proceeds traced. 7 servers. Largest single mixer enforcement. Ecosystem shifted to decentralized alternatives within weeks
- 72% non-payment rate in 2025 (28% paid, record low) correlates with sustained financial-layer enforcement. Attacks up 50% YoY; payments held flat at ~$813M. Strongest available evidence that financial-layer disruption changes the ecosystem's economics
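Why the tracing chain breaks at a custodial mixer, shown as an added analyst-side example rather than anything from the original primer: proportional ("haircut") taint propagation, the heuristic chain-analysis tools use, run over two constructed transaction graphs. In the direct chain the broker's address inherits 100% of the victim's taint; once the affiliate's deposit is pooled with unrelated deposits, every withdrawal inherits the same diluted fraction and none clears an evidentiary threshold. Addresses and amounts are constructed sample data, not real chain records.

```python
"""Proportional ("haircut") taint tracing over a constructed transaction graph.

Added example, not from the original page. Shows why a pooled mixer breaks
traceability: taint from one ransom payment is spread across every withdrawal
in proportion to value, so no single output can be attributed to the victim.
Addresses and amounts are constructed sample data.
"""
from collections import defaultdict

# Each transaction: inputs [(address, amount)] and outputs [(address, amount)].
# Amounts are arbitrary units; transactions are listed in chain order.
DIRECT_CHAIN = [
    {"in": [("victim", 10.0)], "out": [("affiliate", 10.0)]},
    {"in": [("affiliate", 10.0)], "out": [("otc_broker", 9.8), ("affiliate_change", 0.2)]},
]

# Same ransom, but the affiliate deposits into a mixer pool alongside three
# unrelated depositors; the pool pays out to four fresh addresses plus a fee.
MIXED_CHAIN = [
    {"in": [("victim", 10.0)], "out": [("affiliate", 10.0)]},
    {"in": [("affiliate", 10.0), ("depositor_a", 10.0),
            ("depositor_b", 10.0), ("depositor_c", 10.0)],
     "out": [("fresh_1", 9.7), ("fresh_2", 9.7), ("fresh_3", 9.7),
             ("fresh_4", 9.7), ("mixer_fee", 1.2)]},
]


def haircut_taint(txs, source):
    """Return address -> fraction of its funds attributable to `source`.

    Each transaction's inputs contribute taint weighted by value, and every
    output inherits the blended fraction. This is the haircut heuristic from
    chain analysis, applied to a toy graph with no address reuse.
    """
    taint = defaultdict(float)
    taint[source] = 1.0
    for tx in txs:
        total_in = sum(amt for _, amt in tx["in"])
        blended = sum(taint[addr] * amt for addr, amt in tx["in"]) / total_in
        for addr, _ in tx["out"]:
            taint[addr] = blended
    return dict(taint)


def attributable_outputs(taint, threshold=0.5):
    """Addresses whose taint fraction clears an (assumed) evidentiary threshold."""
    return sorted(addr for addr, frac in taint.items() if frac >= threshold)
```

With four equal deposits the taint on each withdrawal is exactly 0.25; a real pool with hundreds of depositors pushes it toward zero, which is the property the module describes and the reason enforcement has focused on seizing the operator rather than following the coins.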
Garantex operated out of a Moscow office tower. After the US Treasury designated it in April 2022, it kept operating out of the same office tower. For three years, it processed hundreds of millions of dollars in criminal cryptocurrency proceeds from that building, under that designation, with full knowledge of Russian authorities. It took until March 2025 — 1,064 days after designation — for Europol and the US DOJ to coordinate the physical seizure of its servers and the arrest of its administrators. Three years. The designation was not the disruption. The arrest was the disruption.
How It Works
OTC brokers provide bilateral, personalized cryptocurrency-to-fiat conversion for large holdings — no KYC, no reporting, no questions. High-volume criminal OTC is concentrated in Russia, particularly Moscow and St. Petersburg, where brokers operate with physical offices and in-person settlement. Fees run 1-5%. SUEX, Chatex, Garantex, and Cryptex represent the documented enforcement sequence from 2021-2024.
Why It Matters
OTC brokers are the primary mechanism for converting large ransomware payments into spendable fiat currency. Without them, the money exists only as cryptocurrency that cannot safely enter the legitimate economy.
What the Record Shows
- SUEX designation (Sep 2021): first cryptocurrency exchange designation; processed hundreds of millions in ransomware proceeds; established the OTC enforcement playbook
- Garantex lesson: designated April 2022, seized March 2025. Three years of continued operation under designation. The gap between designation and physical enforcement is the primary vulnerability of the designation model
- Tether T3 real-time USDT freeze: Tether has demonstrated willingness to freeze USDT at specific addresses. Using this at wallet identification — not post-enforcement — is the underused lever that no one has fully exploited yet
BTC-e processed four billion dollars in criminal proceeds. Its operator, Alexander Vinnik, was a Russian national who made the mistake of vacationing in Greece in 2017. US and Greek authorities arrested him on the beach. He subsequently spent years fighting extradition to multiple countries simultaneously — France, Greece, the US, Russia — in a jurisdictional battle that itself illustrates how difficult it is to pursue even identified, arrested criminal operators in this ecosystem. He was eventually extradited to the United States in 2022.
How It Works
Non-compliant exchanges process criminal cryptocurrency at volume, converting it to fiat through automated systems rather than bilateral personal relationships. They are the industrial-scale version of OTC brokers — less personalized, higher throughput. BTC-e ($4B seized 2017), Bitzlato ($700M seized 2023), and Garantex (designated 2022, seized 2025) are the documented examples. Tether (USDT) has become the dominant currency at this layer — replacing Bitcoin as the preferred ransomware payment vehicle because of its price stability.
Why It Matters
Exchanges are the scaling mechanism for criminal cash-out. OTC handles large single transactions; exchanges handle volume. Both layers are required for the full proceeds to reach the real economy.
What the Record Shows
- Coordinated OTC-plus-exchange action in the same enforcement window: this has not been done at scale. Each time one is designated, proceeds migrate to the other. Simultaneous action prevents displacement
- Tether T3 real-time freeze: USDT freeze upon wallet identification, not post-enforcement, would eliminate the gap between when funds move and when enforcement catches up
- The Bitzlato prosecution was the first use of FinCEN's 'special measures' authority against a virtual currency exchange — a new enforcement tool whose potential has not been fully exploited
The mule recruiter posted on LinkedIn. The job description mentioned 'financial transaction processing' and 'remote work.' The pay was $3,000 a month. Thousands of people applied. The recruiter selected carefully: people with clean banking histories, no criminal record, plausible professional backgrounds. Their job was to receive wire transfers, withdraw cash, and send it somewhere else. Most of them had no idea they were moving ransomware proceeds. TRM Labs confirmed in 2024 that more than half of the funds entering mule accounts exit within one hour of arrival.
How It Works
Mule networks are the human chain that converts criminal fiat into real-world untraceable assets. Three tiers operate simultaneously. Professional herder operators manage networks of mule accounts and understand exactly what they are doing. Semi-witting recruits — hired through fake job ads — move money believing it is legitimate employment. The integration layer converts the proceeds into real estate, luxury goods, shell company capitalization, and financial instruments.
Why It Matters
Without mule networks, criminal proceeds remain traceable to cryptocurrency wallets or bank accounts subject to seizure. Mule networks complete the conversion to real-world wealth that cannot be easily recovered.
What the Record Shows
- Herder-tier prosecution disrupts ransomware, fraud, and business email compromise simultaneously — the same networks serve multiple crime types. A single herder takedown has cross-ecosystem value
- Integration-stage enforcement operates entirely within Western jurisdiction: real estate registries, beneficial ownership disclosure requirements, luxury goods AML. No Russian cooperation required
- 50%+ of funds exit within 1 hour: the implication is that post-receipt recovery requires real-time bank-to-bank freeze capability, pre-negotiated and ready to activate. It is not a future capability problem — it is a process problem
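As an added example (not part of this primer), the Python below computes the dwell-time metric behind the "exits within one hour" figure over a constructed ledger and turns it into a hold decision, which is the real-time freeze capability the record argues for. The account names, amounts and timestamps are invented, and the FIFO matching of debits against credits is an assumption about how such a metric would be computed, not a description of TRM Labs' method.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    direction: str   # "in" (credit to the account) or "out" (debit from it)
    amount: float


def T(hour, minute):
    """Timestamp helper for the constructed ledger (all on one hypothetical day)."""
    return datetime(2024, 6, 3, hour, minute)


# Constructed sample ledger, not real bank data. ACC-A and ACC-C behave like
# pass-through mule accounts; ACC-B holds funds for hours and should not be flagged.
SAMPLE_LEDGER = [
    Txn("ACC-A", T(9, 0), "in", 10_000),
    Txn("ACC-A", T(9, 40), "out", 9_800),
    Txn("ACC-B", T(10, 0), "in", 5_000),
    Txn("ACC-B", T(15, 0), "out", 5_000),
    Txn("ACC-C", T(11, 0), "in", 4_000),
    Txn("ACC-C", T(11, 30), "in", 4_000),
    Txn("ACC-C", T(11, 45), "out", 6_000),
    Txn("ACC-C", T(14, 0), "out", 2_000),
]


def dwell_profile(ledger, window=timedelta(hours=1)):
    """Per account: total inbound value and the share of it that left within `window`.

    Each outbound debit is matched FIFO against the oldest unconsumed inbound credits
    (an assumed matching rule). The matched portion counts as a fast exit when the
    debit happened within `window` of the credit it is drawn from.
    """
    by_account = defaultdict(list)
    for txn in ledger:
        by_account[txn.account].append(txn)

    profile = {}
    for account, txns in by_account.items():
        credits = deque()          # [credit_ts, remaining_amount] in arrival order
        total_in = fast_out = 0.0
        for txn in sorted(txns, key=lambda x: x.ts):
            if txn.direction == "in":
                credits.append([txn.ts, txn.amount])
                total_in += txn.amount
                continue
            left = txn.amount
            while left > 0 and credits:
                credit_ts, remaining = credits[0]
                take = min(left, remaining)
                if txn.ts - credit_ts <= window:
                    fast_out += take
                left -= take
                credits[0][1] -= take
                if credits[0][1] <= 0:
                    credits.popleft()
            # Any `left` beyond matched credits came from a pre-existing balance; ignored.
        ratio = fast_out / total_in if total_in else 0.0
        profile[account] = {"total_in": total_in, "fast_out": fast_out, "fast_ratio": ratio}
    return profile


def flag_passthrough_accounts(ledger, threshold=0.5, window=timedelta(hours=1), min_in=1_000):
    """Accounts where at least `threshold` of inbound value exits within `window`.

    `min_in` keeps tiny accounts from tripping the rule on a single small transfer.
    """
    profile = dwell_profile(ledger, window)
    return sorted(
        account for account, p in profile.items()
        if p["total_in"] >= min_in and p["fast_ratio"] >= threshold
    )


def should_hold(new_credit, ledger, **kwargs):
    """Real-time decision point: hold an incoming credit when the receiving account
    already shows pass-through behaviour, instead of trying to recover it later."""
    return new_credit.account in flag_passthrough_accounts(ledger, **kwargs)


if __name__ == "__main__":
    for account, p in dwell_profile(SAMPLE_LEDGER).items():
        print(account, p)
    print("hold on next credit:", flag_passthrough_accounts(SAMPLE_LEDGER))
```

The point of the `should_hold` call is that the decision has to be made when the credit arrives, because by the time a recovery request is drafted the funds are already past the one-hour window the metric describes.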
The incident response firm got the call at 2am. The hospital's systems were down. Patient records inaccessible. The ransom note, found on every workstation, demanded $4.5 million in Bitcoin within 72 hours. The IR firm's lead negotiator began typing. She had been in this exact situation hundreds of times. She knew the group's negotiation patterns — how fast they move, where they flex, what they will accept. She also knew that 70% of the time, she would find a way through this without the hospital paying a dollar. She was right.
How It Works
The negotiation module has two sides that operate simultaneously. Criminal side: RaaS core teams field dedicated internal negotiation teams who manage victim communications, apply data leak site (DLS) pressure, and process payments. Some rogue recovery firms deceptively accept victim fees while secretly paying the ransom, claiming to have 'decrypted' the data through proprietary means. Defender side: legitimate IR firms (Coveware, GuidePoint, CyberSecOp) negotiate professionally, achieving 70%+ non-payment rates for professionally managed incidents versus an estimated 30-40% without support.
Why It Matters
The payment decision occurs at this node. Everything else in the ecosystem is prologue to this moment. Scaling professional access to this node is the single highest-ROI disruption action that requires no Russian cooperation, no law enforcement action, and no technical capability.
What the Record Shows
- Every percentage point of non-payment rate growth at ecosystem scale represents hundreds of millions in avoided payments. 72% ecosystem-wide in 2025 (record; 28% paid). 80%+ for professionally managed incidents. The gap has narrowed but the absolute dollar value of each percentage point remains enormous
- Rogue recovery operator enforcement (FTC, SEC): firms that secretly pay ransoms while claiming to decrypt data commit fraud on victims AND provide economic support to criminal operators. Both problems are addressable in Western jurisdiction
- Scaling professional IR access to SMBs and critical infrastructure sectors is a policy lever, not a technical one — it requires CISA/NCSC coordination and potentially subsidized access programs for under-resourced sectors
Every ransomware payment begins as cryptocurrency and ends as real-world wealth. Between those two points, it passes through a series of criminal service providers who each take a cut, add a layer of obfuscation, and hand it to the next person in the chain. The chain is fast — in some cases, funds reach the real economy within hours of the victim paying. Here is how it moves.
Cryptocurrency (increasingly USDT rather than Bitcoin, for price stability) sent to attacker-controlled wallets. Average payment: approximately $2.7M for large enterprise victims in 2024. 72% of victims declined to pay in 2025 — record high non-payment rate (28% paid). Each declined payment is a dollar the ecosystem does not receive, regardless of brand.
Within minutes, the RaaS core team splits the payment: 70-80% to the affiliate who deployed the ransomware; 20-30% retained by the core team who built and maintained the tools. The affiliate takes the operational risk. The core team takes the safe money. This is the franchise model that makes RaaS economically rational for all parties.
Funds enter mixing services to break the blockchain traceability chain. Chipmixer processed over $3 billion before its seizure in 2023. Its successors — Sinbad.io, and then decentralized alternatives like CoinJoin and cross-chain bridges — handle the next generation of proceeds. Custodial mixers can be seized. Decentralized protocols cannot. The ecosystem has noticed.
Large positions converted through OTC brokers in physical offices in Moscow and St. Petersburg. No KYC. No paper trail. A fee of 1-5% and an understanding that certain questions are not asked. SUEX (2021), Chatex (2021), Garantex (2022-2025), and Cryptex (2024) represent the documented enforcement sequence. The Garantex lesson: designated in April 2022, continued operating from the same Moscow address until March 2025. Designation is not seizure.
Volume conversion through non-compliant exchanges. BTC-e ($4 billion, seized 2017). Bitzlato ($700 million, seized 2023). Garantex again, at this layer too. Tether's T3 unit can freeze USDT in real time at specific wallet addresses — but this capability is used post-enforcement rather than at wallet identification, a gap that significantly reduces its impact.
Fiat layered through mule account chains. Professional herder operators manage networks of recruited mules who move funds through bank accounts, believing they are doing legitimate financial processing work. Over 50% of mule-linked funds exit within one hour of receipt. Recovery at this stage requires real-time bank-to-bank freeze capability that is pre-negotiated and ready to activate — not a future capability problem, a current process problem.
Proceeds enter the legitimate economy: real estate purchases, luxury goods, shell company capitalization, financial instruments. Conti's internal messages, leaked in 2022, documented Wizard Spider's property portfolio and shell company network in specific detail. Integration-stage action operates entirely within Western jurisdiction — no Russian cooperation required. Beneficial ownership registries, real estate AML requirements, and luxury goods reporting are the tools.
Coordinated OTC-plus-exchange designation in the same enforcement window — simultaneous, not sequential — has not been done at scale. Each time one layer is designated, proceeds migrate to the other. Both layers depend on Russian jurisdiction for their physical operations. Both can be designated simultaneously. The Garantex lesson applies to both: physical enforcement must follow designation within 12-18 months, or the gap allows continued operation. The Tether T3 real-time freeze, applied at wallet identification rather than post-enforcement, is the single most underused lever available today.
The Russian word for it is krysha — roof. In organized crime, it means protection provided by a more powerful party. In the ransomware context, it describes the relationship between RaaS operators and the Russian state apparatus: FSB officers are aware of ransomware operations targeting Western victims, do not enforce against them, and in some cases benefit from them through intelligence access or plausible deniability cover for state-directed operations.
This is not the same as the Russian state directing ransomware attacks. Most ransomware operations are financially motivated criminal enterprises that happen to operate in a jurisdiction that protects them from Western law enforcement. The FSB's interest is primarily intelligence collection and the strategic advantage of deniable capability that criminal ransomware operators provide. The operators' interest is a quiet life in a country that will not extradite them.
"The CEO of Zservers — one of the most significant bulletproof hosting providers supporting ransomware infrastructure — publicly stated that Russian state agencies were aware of his operations. He was not making a complaint. He was offering a guarantee to prospective clients."
— OFAC Designation Documentation, February 2025
What the Protection Actually Provides
The Krysha model offers operators four concrete things:
- A domestic non-prosecution guarantee. No Russian court will pursue a ransomware operator for crimes against Western victims. This has held without exception across the entire documented history of the ecosystem.
- An extradition shield. Russia's constitution prohibits the extradition of Russian citizens. Every Russian-national ransomware operator who remains inside Russia is unreachable by Western prosecution, regardless of the quality of the evidence.
- Physical infrastructure protection. BPH providers, OTC brokers, and exchanges that operate physically within Russia can continue operating even after Western financial designation. Garantex proved this for 1,064 days.
- Reconstitution freedom. When a brand is disrupted, core team members can regroup, relaunch, and recruit new affiliates without fear of domestic interference. Conti dissolved into six successor groups in 90 days. All operated from Russia. All continued operating.
What the Protection Does Not Provide
The protection is not absolute, and its limits are important:
- FSB arrests are possible when politically motivated. REvil was briefly arrested in January 2022 after US diplomatic pressure following Colonial Pipeline and Kaseya. The arrests lasted months. The charges were subsequently dropped. This was not law enforcement — it was political signaling, and both sides understood it as such.
- Operators arrested outside Russia face prosecution. Alexander Vinnik (BTC-e) was arrested in Greece. Yaroslav Vasinskyi (REvil/Kaseya) was arrested in Poland. The protection covers geography, not people: operators who travel to a third country that cooperates with Western law enforcement become vulnerable.
- Western-nexus financial assets are seizable. OFAC designations, Tether freezes, and exchange seizures work on assets with Western financial connections regardless of where the operators physically are.
What Works Without Russian Cooperation
A substantial proportion of the most effective disruption tools available require zero Russian cooperation. This is underappreciated in the policy conversation:
- Upstream ISP depeering of BPH providers. Requires only Tier-1 carrier cooperation — which is entirely within Western jurisdiction. McColo depeering (2008) remains the gold standard: 75% global spam reduction within hours.
- OFAC designation and Tether T3 freeze. Severs Western financial access and freezes USDT at specific wallet addresses. Works regardless of operator location.
- Non-payment advocacy and professional IR scaling. Operates entirely on the victim side. 70%+ non-payment for professionally managed incidents, against an ecosystem-wide rate that sat around 35% before climbing to 72% in 2025. Scaling access to under-resourced organizations is a policy lever, not a technical one.
- Integration-stage AML enforcement. Real estate registries, beneficial ownership requirements, luxury goods reporting — all entirely within Western jurisdiction.
- Forum infiltration and trust manipulation. Intelligence operations. The Conti leak burned the Conti ecosystem more effectively than any technical action in the period — and it required human intelligence penetration, not law enforcement cooperation.
The Hive Model — The Gold Standard
In the summer of 2022, the FBI quietly obtained access to Hive ransomware's infrastructure. For seven months, they watched. They collected decryption keys. They identified victims. And when victims contacted Hive to negotiate ransom payments, the FBI quietly provided them with decryption keys — before anyone paid. By the time the FBI publicly seized Hive's servers in January 2023, the operation had provided decryption keys to more than 300 victims and avoided an estimated $130 million in ransom payments.
Hive never reconstituted. It is the only major RaaS brand in the historical record that was disrupted and did not come back. The reason is not the server seizure; server seizures produce 30-90 day disruptions, reliably. The reason is that the FBI had seven months to identify the operators and warn victims in ways that permanently broke the trust relationships that made Hive functional. The operational intelligence collected during those seven months informed subsequent operations against affiliated actors.
"We hacked the hackers." — FBI Director Christopher Wray, January 2023
— Department of Justice Press Release, January 26, 2023
The Cronos Model — Effective But Not Durable
Operation Cronos (February 2024) took down LockBit. Thirty-four servers seized. One thousand decryption keys recovered. Affiliates exposed by name on the seized leak site. The countdown timers on LockBit's victim listings were reversed to count down to the revelation of LockBit's administrator's identity — a piece of psychological warfare that deserves recognition.
Within sixty to ninety days, LockBit's affiliates had largely migrated to RansomHub. LockBit itself attempted a relaunch with diminished capacity. The brand was severely damaged. The ecosystem absorbed the disruption. This is the pattern for brand-level takedowns without Phase A/B financial pressure: significant short-term impact, limited long-term durability.
The Garantex Lesson — Designation Is Not Enough
On April 5, 2022, OFAC designated Garantex. On March 6, 2025, Europol and the DOJ finally seized Garantex's servers and arrested its administrators. In between: 1,064 days of continued operation from the same Moscow office building, processing hundreds of millions of dollars in criminal proceeds, under active sanctions, with the full knowledge of Russian authorities.
The lesson is structural, not specific to Garantex: financial designation without physical enforcement within 12-18 months does not stop operations. It inconveniences them. Every currently-designated entity that remains physically operational is an open gap in the enforcement record.
The Numbers That Matter
The 72% victim non-payment rate in 2025 (28% paid, record low) is the most important data point in the recent history of ransomware disruption. It correlates with sustained financial-layer enforcement — mixer and exchange actions, OTC designation — and growing non-payment advocacy and professional IR access. Attack volume rose 50% in 2025 while total payments held flat at ~$813M: the ecosystem is running harder for the same revenue. Causation is not proven, but the direction and magnitude are consistent with financial-layer enforcement producing ecosystem-level behavioral change, not just brand-level disruption that reconstitutes in 90 days.
The Five Actions That Matter Most
- Scale professional IR access to under-resourced organizations. 70%+ non-payment rate for professionally managed incidents versus an ecosystem-wide rate of roughly 35% before the 2025 climb to 72%. That gap is the opportunity. CISA/NCSC coordination. Subsidized access programs for healthcare, education, and critical infrastructure sectors. No Russian cooperation required.
- Pursue simultaneous OTC-plus-exchange enforcement. When one is designated, proceeds migrate to the other. Both require physical enforcement within 12-18 months of designation, not years later.
- Deploy the Tether T3 freeze proactively. USDT freeze at wallet identification, not post-enforcement. The tool exists. The cooperation exists. The protocol for proactive use has not been fully developed.
- Exploit the VM template fingerprint that Sophos identified. A single image underlying 7,000+ ransomware-linked servers. Proactive detection at scale. The infrastructure identification is done. The enforcement action is not.
- Pursue covert access before seizure. The Hive model. Seven months of victim support is worth more than a press release. Every decryption key distributed before seizure is a payment avoided, an operator's leverage destroyed, and a victim who does not contribute to the ecosystem's revenue.
The Numbers
Operations That Defined the Period
| Operation | Target | Year | The Real Outcome |
|---|---|---|---|
| FBI Hive Infiltration | Hive RaaS | 2022-23 | 7-month covert access. $130M in avoided payments. Hive did not reconstitute — the only documented case. The model to replicate. |
| Operation Cronos | LockBit | 2024 | 34 servers. 1,000+ keys. Affiliates exposed. RansomHub absorbed them in 60-90 days. Effective disruption, not durable disruption. |
| Operation Endgame | IcedID, Bumblebee, SmokeLoader, Pikabot | 2024 | Largest loader takedown on record. Latrodectus was deployed within months. Demonstrated the value of simultaneous multi-family action. |
| Garantex Seizure | Garantex OTC/Exchange | 2025 | Seized 1,064 days after designation. Defines the gap problem. Designation without enforcement is inconvenience, not disruption. |
| Chipmixer Seizure | Chipmixer | 2023 | $3B+ in criminal proceeds. 4 servers and 7 TB of data seized. Largest mixer action. Ecosystem shifted to decentralized alternatives within weeks. |
| Zservers Designation | Zservers BPH | 2025 | Most significant BPH designation in history. Physical servers still in Russia. The designation is not the seizure. |
| LummaC2 Domain Seizure | LummaC2 stealer | 2025 | 2,300+ domains. Microsoft DCU civil action. Largest stealer infrastructure action. Operations disrupted, reconstituting. |
Five Things to Know Before Any Briefing
- Non-payment is the most powerful lever available. 70%+ non-payment for professionally managed incidents, against an ecosystem-wide rate of roughly 35% before the 2025 climb to 72%. Scaling access to professional IR is a policy decision, not a technical one, and it requires no Russian cooperation.
- Brand disruptions produce 30-90 day gaps, not permanent disruptions. The brand is a label. The affiliates, the infrastructure, the criminal relationships — those persist. Durable disruption requires financial and market layer pressure before and during operational actions.
- Designation without physical enforcement within 12-18 months does not stop operations. Garantex. Three years. Every currently-designated entity that remains physically operational is an open gap.
- The financial layer correlates with the record-high 72% non-payment rate in 2025 (28% paid, a record low). The strongest signal available that financial disruption changes ecosystem economics. Coordinated OTC-plus-exchange enforcement in the same window, with proactive Tether freezes, is the untested high-value action.
- The target is the ecosystem, not the brand. Attributing an attack to LockBit or RansomHub is less analytically useful than identifying which infrastructure nodes enabled it and which are actionable. Brands change. The nodes persist.