⚠ Sanctioned and Indicted Operators : Hero Module
The following individuals are named in the EDVA indictment and/or OFAC designation connected to this exchange cluster. Both remain at large in Russia; no extradition is available.
Sergey Sergeevich Ivanov
aka Sergey Omelnitskii; aka "Taleon"; aka "UAPS"
RoleMoney launderer / operator of UAPS, PinPays, PM2BTC; associated with Cryptex
DOB2 Jun 1980
NationalityRussian
Last known locationSt. Petersburg, Russia
Legal statusIndicted EDVA (Sept 2024); at large
Reward offerUp to $10M (State Dept. TOCRP)
Indicted Sanctioned (SDN) At large
Timur Kamilevich Shakhmametov
aka "JokerStash"; aka "Vega"
RoleCreator/operator of Joker's Stash carding market; co-defendant
NationalityRussian
Last known locationRussia (assessed) Credible
Legal statusIndicted EDVA (Sept 2024); at large
Reward offerUp to $10M (State Dept. TOCRP)
OFAC statusNot individually SDN-listed (as of June 2026)
Indicted At large
01

Executive Summary and Exchange Overview

Cryptex Lifetime Volume
$5.88B+
Since 2018 inception (Chainalysis)
Cryptex BTC Throughput
$1.4B
62,586 BTC, 37,500+ tx (DOJ / blockchain analytics)
Ivanov Services Throughput
$1.15B
UAPS/PinPays/PM2BTC addrs, 2013–2024 (DOJ)
Cryptex Ransomware Inflows
$51.2M+
Funds derived from ransomware (OFAC)
PM2BTC Illicit Share
~50%
Of exchange activity linked to illicit (FinCEN)
UAPS/PinPays Laundered
$500M+
2022–2024 estimate (TRM Labs)
Overall Assessment
Cryptex and PM2BTC are not independent exchanges but two nodes in a single ~20-year cybercrime money-laundering enterprise centered on Sergey Ivanov ("Taleon"/"UAPS"). The cluster (UAPS → PinPays → PM2BTC → Cryptex/CryptexPay) provided no-KYC convertible-virtual-currency-to-ruble exchange, fraud-shop payment processing, and ransomware cash-out for the Russian-speaking criminal ecosystem, including direct flows to OFAC-designated Garantex. The September 26, 2024 coordinated U.S.-Dutch action (OFAC designation, FinCEN 311/9714(a) order, EDVA indictment, domain and server seizures) disrupted the public infrastructure but did not reach the operators, who remain in Russia under safe harbor. Residual risk is operator-driven: the same individuals retain the relationships and tradecraft to reconstitute under new branding.
Cluster (primary nodes)Cryptex (exchange) + PM2BTC (exchanger) + UAPS/PinPays (payment processors)
Cryptex registered entityInternational Payment Service Provider LLC ("IPSP")
Registration jurisdiction (Cryptex)St. Vincent and the Grenadines : Business Reg. No. 1628; established 1 Dec 2021
Registration jurisdiction (PM2BTC)Not formally documented; assessed Russia-based exchanger Credible
Infrastructure hosting jurisdictionNetherlands (servers seized by Dutch police/FIOD); distributed globally
Operator location (assessed)Russia (St. Petersburg : Ivanov)
Operational period (Cryptex)2018 – September 26, 2024 (domains seized)
Operational period (PM2BTC)Since 2014 – September 26, 2024 (311 order / infrastructure seizure)
Operational period (UAPS)Since 2013 (PinPays rebrand ~2015)
OFAC designation (Cryptex + Ivanov)September 26, 2024 : E.O. 13694 (as amended by 13757) [CYBER2] and E.O. 14024
FinCEN action (PM2BTC)September 26, 2024 : "primary money laundering concern," Section 9714(a) order (2nd-ever use)
EDVA indictmentUnsealed September 26, 2024 : Ivanov and Shakhmametov
EU / UK designationNot located as of June 2026 Credible (negative evidence)
Cryptex SDN wallet addresses4 listed : BTC, ETH, LTC, TRX (see Section 05)
State nexus tierTOLERATED SAFE HARBOR
Blockchain analytics coverageChainalysis and Tether (assisted Dutch seizure); TRM Labs; Elliptic
02

Lineage and Organizational Heritage

UAPS → PinPays → PM2BTC → Cryptex : One Operator Chain

Key Finding
The defining lineage feature here is not a successor exchange but a single continuous operator. On-chain analysis from Chainalysis, TRM Labs, and Elliptic shows shared wallet infrastructure linking UAPS, PinPays, PM2BTC, and Cryptex/CryptexPay. The cluster evolves by adding new front-end brands while preserving the same back-end laundering rails and the same controller (Ivanov). This is a rebrand-and-layer pattern, comparable in logic to Garantex/Grinex but driven by an individual launderer rather than a corporate exchange shell.
2013
UAPS (Universal Anonymous Payment System) launched on a dark web forum as an invite-only, API-integrable underground payment processor for fraud shops. Confirmed [Chainalysis]
2014
PM2BTC begins operating as a no-KYC exchange (Btc2pm.me), sharing wallet infrastructure with UAPS. Confirmed [Chainalysis]
2015
Many fraud shops migrate from UAPS to PinPays, an overt rebrand of UAPS sharing the same wallet infrastructure and customers. Confirmed [Chainalysis]
2018
Cryptex launches as a Russian-language instant exchange and trading platform. Lifetime throughput would exceed $5.88B. Confirmed [Chainalysis]
Dec 1, 2021
International Payment Service Provider LLC (the Cryptex registrant) established in St. Vincent and the Grenadines (Reg. No. 1628). Confirmed [OFAC SDN]
Jan 2022
CryptexPay launched to provide BTC/LTC payment processing for "high-risk" online businesses, explicitly advertising its lack of AML/KYC. Confirmed [Chainalysis]
Sept 26, 2024
Coordinated takedown: OFAC designations, FinCEN 9714(a) order on PM2BTC, EDVA indictment of Ivanov and Shakhmametov, domain and server seizures, €7M crypto seized. Confirmed [Treasury, DOJ, FIOD]

Evidentiary Pillars

Confirmed Shared wallet infrastructure. Chainalysis states PinPays shared wallet infrastructure with UAPS and that UAPS shared wallet infrastructure with PM2BTC; in 2024 alone UAPS sent more than $97M to intermediary addresses that then moved to Cryptex addresses, with over $92M reaching four Cryptex addresses. [Chainalysis]

Confirmed Common controller. OFAC lists "UAPS" as an alias of Ivanov himself; DOJ alleges Ivanov created and/or operated UAPS, PinPays, and PM2BTC, and that he is "currently associated with Cryptex." [OFAC, DOJ]

Credible Cryptex corporate control. Ivanov is described by OFAC as "associated with" rather than the registered owner of Cryptex. The named registrant is International Payment Service Provider LLC. The precise ownership/control relationship between Ivanov and the St. Vincent shell is not publicly documented. [OFAC]

Operator Profiles

AttributeSergey Sergeevich IvanovTimur Kamilevich Shakhmametov
AliasesSergey Omelnitskii (Cyrillic: Омельницкий); "Taleon"; "UAPS""JokerStash"; "Vega"
DOB / identifiers2 Jun 1980; POB Russia; Russian passport 4015431802Not publicly disclosed
NationalityRussianRussian
Assessed locationSt. Petersburg, RussiaRussia (assessed) Credible
Role~20-year professional cyber money launderer; operator of UAPS/PinPays/PM2BTC; associated with Cryptex; payment processor for Genesis Market, BriansClub, Faceless, RescatorCreator/operator of Joker's Stash carding marketplace
Charges (EDVA)Conspiracy to commit/aid bank fraud (Rescator); conspiracy to commit money laundering (Joker's Stash proceeds)Conspiracy to commit/aid bank fraud; conspiracy to commit access device fraud; conspiracy to commit money laundering
SanctionsOFAC SDN, 26 Sep 2024 [RUSSIA-EO14024]Not individually SDN-listed as of June 2026
RewardUp to $10M (State Dept. TOCRP)Up to $10M (State Dept. TOCRP)
Legal statusAt large in Russia; no extraditionAt large in Russia; no extradition

A further State Department reward of up to $1M is offered for information identifying other leaders of Joker's Stash (besides Shakhmametov) and other key leaders of the UAPS, PM2BTC, and PinPays criminal groups (besides Ivanov). [State Dept., Elliptic]

Disputed / Unresolved Assessments

Chainalysis issued an October 7, 2024 correction clarifying that only Ivanov, not the UAPS service as a standalone entity, was the named OFAC target. "UAPS" appears in the SDN entry as an alias of Ivanov. Analysts should treat UAPS as operator-controlled infrastructure, not a separately designated entity.
The corporate ownership chain behind Cryptex (International Payment Service Provider LLC, St. Vincent) and its precise legal link to Ivanov is not established in public sources.
03

Service Model and Business Operations

Exchange Mechanics

Cryptex operated a Russian-language instant exchange plus a trading platform, and from January 2022 a payment-processing arm, CryptexPay, supporting BTC and LTC settlement for online businesses explicitly classified as "high-risk." Confirmed [Chainalysis]

PM2BTC operated since 2014 as a no-KYC exchanger specializing in direct convertible-virtual-currency-to-ruble conversion, routed through U.S.-sanctioned Russian financial institutions. Confirmed [FinCEN, Treasury]

UAPS / PinPays functioned as invite-only, API-integrable payment processors for fraud shops rather than retail exchanges; in recent years UAPS's exchange function was minimal and on-chain behavior shows it acting primarily as a fraud-related payment processor and aggregator that pooled and redistributed deposits before forwarding to Cryptex. Confirmed [Chainalysis, TRM Labs]

KYC / AML Posture : Stated vs Observed

NodeStated policyObserved behavior (LE / regulator sourced)
Cryptex / CryptexPay Marketed absence of AML/KYC as a feature; CryptexPay "explicitly advertised its lack of adherence to AML/KYC requirements." DOJ: Cryptex "offers complete anonymity to Cryptex users by allowing them to register for accounts without providing know-your-customer compliance requirements" and "advertised itself directly to cybercriminals." Confirmed
PM2BTC No credible public AML/KYC program; positioned as a no-KYC exchange. FinCEN: "failed to maintain a credible and effective anti-money laundering and know your customer (KYC) program"; nearly half of exchange activity linked to illicit activity. Confirmed
UAPS / PinPays Invite-only / admin-approval merchant onboarding (a closed criminal access model, not compliance). Onboarding gate functioned to screen in trusted criminal merchants, not to screen out illicit actors. Analyst Inference
Primary Analytical Finding : KYC Gap
Unlike most high-risk exchanges where stated policy and observed behavior diverge, here the stated policy was the absence of compliance. The cluster did not merely tolerate illicit use through weak controls; it marketed anonymity and no-KYC processing as the core product. Per the schema's KYC rule, observed behavior is sourced from DOJ charging documents and the FinCEN order, not from the services' own claims.

Fiat Rail Analysis

Confirmed PM2BTC provided "direct CVC-to-ruble exchange services using U.S.-sanctioned financial institutions." This is the cluster's clearest documented fiat rail: ruble settlement intermediated through already-sanctioned Russian banks. The specific institutions are not named in the public FinCEN/OFAC text. [Treasury, FinCEN]

Confirmed On the carding side, Ivanov provided payment-processing support (via UAPS and PinPays) for purchases made on the Rescator site using bitcoin, bridging stolen-card fraud proceeds into crypto rails. [DOJ]

Credible (negative) No specific correspondent bank, card processor, or named payment-institution relationship beyond the general "U.S.-sanctioned Russian financial institutions" language is documented in open sources. Granular fiat-rail mapping is an intelligence gap (Section 10).

Licensing and Regulatory Standing

Cryptex's registrant, International Payment Service Provider LLC, holds a St. Vincent and the Grenadines business registration (No. 1628). St. Vincent and the Grenadines does not license or supervise virtual asset service providers, making the registration a jurisdictional-of-convenience shell rather than evidence of regulatory compliance. Analyst Inference PM2BTC has no documented licensing in any jurisdiction. Credible

04

Technical Infrastructure and Platform Footprint

Domains

DomainNodeStatusSource
cryptex.netCryptex (primary)Listed on SDN entry; seizedOFAC SDN
cryptex.oneCryptex (admin/operations)Seized (District of Maryland order)DOJ
btc2pm.mePM2BTCAssociated; infrastructure seizedChainalysis / USSS
UAPS / PM2BTC web domainsUAPS, PM2BTCUSSS court-authorized seizureDOJ

Hosting and Resilience After Disruption

Confirmed Both Cryptex and PM2BTC had server infrastructure based in the Netherlands. On September 26, 2024 the Dutch FIOD and National High Tech Crime Unit, coordinating with the U.S. Secret Service, took those servers offline at various locations worldwide and seized cryptocurrency worth €7M (~$7M+). [FIOD, DOJ, TRM Labs]

Confirmed Chainalysis and Tether assisted the Dutch seizure of the €7M in funds. [Chainalysis]

Disambiguation : Do Not Conflate
A separate, unrelated entity also called "Cryptex" (an alleged crypto investment/Ponzi scheme using cryptex.to) rebranded to "Bytnex" in October 2025 after registrar abuse takedowns. This is not the Ivanov-linked Cryptex.net money-laundering exchange and should not be cited as reconstitution of the sanctioned service. Confirmed distinct entity.

Apps, Nodes, and Channels

No public reporting documents dedicated mobile apps, blockchain node operations, or named Telegram channels for the Cryptex/PM2BTC cluster. Open-source coverage centers on web domains and server infrastructure. This is an intelligence gap.
05

Financial Intelligence and On-Chain Analysis

Transaction Volume : By Source and Methodology

Per the volume sourcing rule, figures from different vendors and authorities are presented separately with methodology, not averaged or collapsed.

FigureScope / methodologySource
$5.88B+Cryptex lifetime transaction value since 2018 inceptionChainalysis
$1.4B (62,586 BTC, 37,500+ tx)Bitcoin addresses associated with Cryptex; value at time of transactionsDOJ (citing a blockchain analytics firm)
$1.15BCrypto addresses tied to Ivanov's UAPS/PinPays/PM2BTC services, 12 Jul 2013 – 10 Aug 2024DOJ
$1B+PM2BTC lifetime processed valueFinCEN / Chainalysis
$500M+Laundered through UAPS/PinPays, 2022–2024TRM Labs

Three-Phase On-Chain Flow

Receipt → Layering → Extraction
Receipt: Criminal proceeds enter at the fraud-shop / ransomware edge. UAPS/PinPays aggregate deposits from multiple cybercrime services (carding shops, Genesis Market, Rescator, ransomware actors).
Layering: PinPays/UAPS apply a "mixer" technique, pooling and redistributing funds through interconnected wallets to obscure origin; CryptexPay generates a new wallet address per transaction and mixes deposits. This is the "unusual obfuscation that inhibits attribution" cited by FinCEN.
Extraction: Funds consolidate to Cryptex addresses (in 2024, $92M+ of $97M+ UAPS outflow reached four Cryptex addresses) and exit via CVC-to-ruble conversion (PM2BTC) or onward transfer to other cash-out venues including Garantex. [Chainalysis, TRM Labs, FinCEN]

Illicit-Exposure Breakdown

MetricValueSource
Cryptex BTC inflow from criminal addresses~31% ($441M): $297M fraud + $115M+ ransomwareDOJ
Cryptex BTC inflow from cybercriminal-used services9% ($162M)DOJ
Cryptex BTC outflow to U.S.-sanctioned entities / darknet markets28% of all BTC sentDOJ
Cryptex ransomware-derived inflows$51.2M+OFAC
Cryptex transactions to fraud shops, mixers, no-KYC exchanges, Garantex$720M+OFAC
Ivanov addresses from criminal sources~32%: $158M+ fraud, $8.8M+ ransomware, $4.7M darknet drug marketsDOJ
PM2BTC activity linked to illicit sourcesNearly 50%; worse than 99% of VASPsFinCEN

Sanctioned Wallet Addresses (OFAC SDN, Cryptex)

AssetAddress
BTC (XBT)13JtX4h7G5ZuNK5mFudKGq9DHLvvMFuNuz
ETH0x0931cA4D13BB4ba75D9B7132AB690265D749a5E7
LTCM8yFL6SFC6TreATegTyuSYkDfDRbisdpT3
TRXTTUDyVhhpCC1xJoPmWzdjLAzeoPwbSABdr

OFAC listed four addresses; Elliptic notes it is aware of thousands of additional addresses connected to Cryptex, PM2BTC, Joker's Stash, and PinPays beyond the SDN list. [OFAC, Elliptic]

Sanctions and Risk Ratings

Cryptex and Ivanov are OFAC SDN-listed (blocked; secondary sanctions risk flagged). PM2BTC is subject to a FinCEN Section 9714(a) order prohibiting covered U.S. financial institutions from certain transmittals of funds involving it. Confirmed [OFAC, FinCEN]

06

Client Profile and Criminal Use

Crimeware Verticals by Evidence Tier

VerticalSpecific actorsEvidence tierSource
Fraud shops / cardingGenesis Market, Rescator, Joker's Stash, BriansClub/Brian Dumps, FacelessConfirmedOFAC, DOJ, Chainalysis
RansomwareConti and Trickbot named for PM2BTC; ransomware proceeds broadlyConfirmed (cluster) / Credible (named families)TRM Labs, OFAC, DOJ
Darknet drug marketsUnnamed DNMs ($4.7M into Ivanov addresses)ConfirmedDOJ
Initial access brokersUnnamed; cited categorically by OFACCredibleOFAC
Sanctions evasionFlows to OFAC-designated Garantex; CVC-to-ruble via sanctioned banksConfirmedOFAC, Elliptic

High-Profile Criminal Flows

Confirmed Genesis Market. Ivanov (via UAPS) served as a payment processor for the OFAC-designated fraud shop Genesis Market, whose website was taken down by law enforcement in 2023. [OFAC, Chainalysis]

Confirmed Rescator and Joker's Stash. Ivanov provided bitcoin payment-processing support for Rescator and laundered proceeds from Joker's Stash. Rescator advertised data from up to 40 million payment cards and PII of ~70 million people stolen from a major U.S. retailer in 2013, costing that victim at least $202M. Joker's Stash sold ~40M cards annually (hundreds of millions overall); profit estimates range $280M to $1B+. [DOJ]

Credible Ekaterina Zhdanova. Chainalysis identifies a Cryptex connection to the OFAC-sanctioned Russian money launderer Ekaterina Zhdanova, who laundered for Russian elites and ransomware groups. Single Source [Chainalysis]

Geographic Patterns

Client base is overwhelmingly the Russian-speaking cybercrime ecosystem: Cryptex advertised in Russian, marketed on exclusive Russian-language criminal forums, and settled into rubles. Victim base (carding) is concentrated in the United States. Confirmed [Treasury, DOJ]

07

State Nexus Assessment

Assessed Tier : TOLERATED SAFE HARBOR
The assessed nexus is TOLERATED SAFE HARBOR: the Russian state is aware that such actors operate in its jurisdiction and refrains from enforcement, but there is no public evidence of state tasking, coordination, or direct control of the Cryptex/PM2BTC cluster. Treasury's own framing supports this tier: it states the action "further illustrates that Russia continues to offer safe harbor to such actors" and that the U.S. has "pressed the Russian government to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction."

Three-Jurisdiction Separation

Jurisdiction typeFindingConfidence
Entity registrationCryptex: St. Vincent and the Grenadines (IPSP LLC, Reg. 1628). PM2BTC: not formally documented (assessed Russia-based)Confirmed / Credible
Infrastructure hostingNetherlands (seized servers); distributed globallyConfirmed
Assessed operator locationRussia (St. Petersburg : Ivanov)Confirmed

Negative Evidence

If a higher nexus tier (probable cooperation or direct control) applied, one would expect indicators such as: documented FSB/Rosfinmonitoring tasking, state protection from Russian prosecution paired with selective targeting of state adversaries, or integration into state sanctions-evasion programs. None of these is present in open sources for this cluster. What is documented is the absence of Russian enforcement against Ivanov despite a U.S. indictment and a $10M reward, which is consistent with passive safe harbor rather than active direction. Analyst Inference

No explicit Russian state direction, tasking, or protection of the Cryptex/PM2BTC cluster is documented. The safe-harbor assessment rests on the absence of enforcement and Treasury's general framing, not on direct evidence of coordination.
08

Law Enforcement and Regulatory Response

September 26, 2024 Coordinated Action

InstrumentAuthority / agencyEffect
OFAC designationE.O. 13694 (as amended by 13757) [CYBER2] + E.O. 14024Cryptex and Ivanov added to SDN List; property blocked; 4 wallet addresses listed
FinCEN orderSection 9714(a), Combating Russian Money Laundering ActPM2BTC named "primary money laundering concern"; covered FIs prohibited from certain transmittals (2nd-ever 9714(a) use, after Bitzlato)
EDVA indictmentUSAO-EDVA + USSS Cyber Investigative SectionIvanov and Shakhmametov charged (bank fraud, access device fraud, money laundering)
Domain seizuresUSSS; District of Maryland seizure ordercryptex.net, cryptex.one, plus UAPS/PM2BTC domains seized
Server seizuresNetherlands Police / FIOD / NHTCUServers taken offline worldwide; €7M crypto seized (with Chainalysis + Tether)
RewardsState Dept. TOCRPUp to $10M each for Ivanov and Shakhmametov; up to $1M for other named-group leaders
Operation frameworkOperation Endgame (multinational)Coordinated with Latvia, Europol, German BKA, UK NCA, NCFTA

Indictment Detail

Confirmed Ivanov: one count conspiracy to commit and aid/abet bank fraud (Rescator payment processing) and one count conspiracy to commit money laundering (Joker's Stash proceeds). Shakhmametov: bank fraud, access device fraud, and money laundering conspiracies tied to operating Joker's Stash. Prosecuted by AUSA Zoe Bedell (EDVA) and CCIPS; Cryptex investigation handled with the District of Maryland (AUSA Thomas Sullivan). [DOJ]

Post-Disruption / Post-Sanction Reconstitution

Reconstitution Assessment
Public infrastructure: no confirmed reconstitution as of June 2026. The seized cryptex.net/cryptex.one domains and the PM2BTC/UAPS infrastructure have not been shown to have re-launched under a new brand in any credible reporting. The October 2025 "Cryptex → Bytnex" rebrand circulating in open sources refers to an unrelated investment-scheme entity (cryptex.to) and must not be counted as reconstitution of the sanctioned service. Confirmed distinct.

Operator capacity: intact. Ivanov and Shakhmametov remain at large in Russia. The enforcement action removed domains, servers, and ~$7M, but did not reach the operators, their relationships, or their tradecraft. The structural risk is operator-led reconstitution under new branding, consistent with the cluster's documented rebrand-and-layer history (UAPS → PinPays → PM2BTC → Cryptex). Analyst Inference
09

Connected Entities and Ecosystem Relationships

Two-tier model applied to all entries. Tier 1 : Transaction confidence: how confident are we that funds transited this cluster from/to the entity? Tier 2 : Facilitation assessment: characterization of the cluster's role (Active facilitation / Structural enablement / Incidental processing). These are independent assessments and must not be collapsed.

Entity Relationship type Tier 1: Transaction confidence Tier 2: Facilitation assessment Corroborating vendors Notes
Garantex OFAC-designated peer exchange; downstream cash-out CONFIRMED
OFAC: Cryptex associated with $720M+ in transactions to services including Garantex. Elliptic: Cryptex transferred millions to Garantex.
Structural enablement
Cluster routed value to another no/low-KYC venue rather than coordinating a joint scheme.
OFAC, Elliptic Two-vendor corroboration. Garantex separately sanctioned April 2022.
Genesis Market OFAC-designated fraud shop; payment-processing client CONFIRMED
OFAC and DOJ: Ivanov/UAPS served as payment processor for Genesis Market (taken down 2023).
Active facilitation
UAPS knowingly processed payments for the fraud shop as a service it integrated.
OFAC, DOJ, Chainalysis Multiple authorities. Direct service relationship, not incidental flow.
Joker's Stash Carding marketplace; Shakhmametov-operated; Ivanov laundered proceeds CONFIRMED
DOJ indictment: Ivanov laundered Joker's Stash proceeds; co-charged with operator Shakhmametov.
Active facilitation
Laundering of proceeds is a charged, deliberate service.
DOJ, State Dept., Elliptic Co-defendant relationship binds the two operators.
Rescator Carding website; UAPS/PinPays payment-processing client CONFIRMED
DOJ: Ivanov provided bitcoin payment-processing support for Rescator via UAPS and PinPays.
Active facilitation
Charged as conspiracy to commit/aid bank fraud.
DOJ Single-authority but it is the charging document. Single Source for processing detail.
BriansClub / Brian Dumps, Faceless Fraud shops; UAPS payment-processing clients CREDIBLE
Chainalysis names these as UAPS fraud-shop clients; not individually quantified.
Active facilitation
Same integrated payment-processor model as Genesis/Rescator.
Chainalysis Single Source. TRM/Elliptic have not published entity-specific figures.
Conti / Trickbot Ransomware groups; PM2BTC cash-out CREDIBLE
TRM: PM2BTC a "preferred platform" for Conti and Trickbot via direct CVC-to-ruble conversion. Not wallet-level attributed in public text.
Structural enablement
No-KYC ruble cash-out predictably served these actors at scale.
TRM Labs Single Source for the named-family attribution.
Ekaterina Zhdanova OFAC-sanctioned money launderer; on-chain link to Cryptex CREDIBLE
Chainalysis Reactor shows a Cryptex connection to Zhdanova.
Incidental processing / Structural enablement
Nature of the link (direct dealing vs shared counterparties) not specified publicly.
Chainalysis Single Source. Relationship depth unresolved.
U.S.-sanctioned Russian financial institutions Fiat ruble settlement rails for PM2BTC CONFIRMED
FinCEN: PM2BTC provides direct CVC-to-ruble exchange using U.S.-sanctioned financial institutions. Institutions not named.
Structural enablement
Sanctioned banks provided the off-ramp; no evidence of bespoke coordination.
FinCEN, Treasury Specific banks unnamed in public text. Fiat-rail gap.
Tether (USDT) Stablecoin issuer; froze/assisted seizure (counter-party, not facilitator) CONFIRMED
Tether assisted the Dutch €7M seizure alongside Chainalysis.
Incidental processing
Listed for completeness as a remediating counterparty, not an enabler.
Chainalysis, FIOD Included to document the asset-freeze relationship.
10

Trajectory Assessment

Market Position and Volume Trends

Confirmed Pre-disruption, the cluster was a significant Russian-speaking-ecosystem launderer: Cryptex was one of OFAC's largest-ever service-level crypto designations by lifetime throughput ($5.88B+), and PM2BTC carried an illicit ratio worse than 99% of VASPs. It was a specialist fraud-and-ransomware cash-out rail, not a mass-market exchange like Garantex. [Chainalysis, FinCEN]

Disruption Impact

Structural Assessment
The September 2024 action was a clean infrastructure takedown: domains seized, Netherlands-hosted servers taken offline, ~$7M recovered, and the FinCEN 9714(a) order severing PM2BTC from the U.S. financial system. Because the operators sit in Russia under safe harbor, the action degraded the cluster's public-facing capacity without neutralizing its human capital. Net effect: meaningful short-term disruption of throughput and trust, but the controlling individuals and their criminal relationships persist.

Reconstitution Status

Cryptex brand: No confirmed reconstitution. Seized domains; SDN-listed. Confirmed

PM2BTC / UAPS: No confirmed reconstitution under a new brand in credible reporting as of June 2026. Credible

Operator network: Intact. Ivanov and Shakhmametov at large in Russia; no extradition path. Confirmed

Intelligence Gaps

Specific U.S.-sanctioned Russian banks used by PM2BTC for ruble settlement are not named in public sources. Correspondent/fiat-rail mapping unknown.
Corporate ownership chain behind Cryptex (International Payment Service Provider LLC, St. Vincent) and its legal link to Ivanov is undocumented.
PM2BTC's formal registration jurisdiction (if any) is not established; "Russia-based" is an assessment.
Named ransomware families beyond Conti/Trickbot, and wallet-level ransomware attribution, are largely proprietary to analytics vendors.
EU and UK sanctions status not located as of June 2026; whether either has mirrored the U.S. action is unconfirmed.
Whether the operators have begun standing up a successor brand post-September 2024 is not documented in open sources.
Mobile apps, node operations, and Telegram channels for the cluster are not documented.

Recent Reporting

[Oct 7, 2024] Chainalysis issues a correction clarifying that only Ivanov, not the UAPS service as a standalone entity, was the named OFAC target; "UAPS" appears as an alias of Ivanov in the SDN entry. [Chainalysis]

[Sept 26, 2024] Coordinated U.S.-Dutch action: OFAC designates Cryptex and Ivanov; FinCEN names PM2BTC a primary money laundering concern (2nd-ever 9714(a) use after Bitzlato); EDVA unseals indictment of Ivanov and Shakhmametov; USSS and Dutch FIOD seize domains/servers and €7M. [Treasury, DOJ, FIOD, TRM Labs, Elliptic]

[Oct 2025] Open-source confusion: an unrelated "Cryptex" investment scheme (cryptex.to) rebrands to "Bytnex." Flagged here only to prevent misattribution; not the sanctioned Cryptex.net. [behindMLM, Decripto]

Sources

  1. U.S. Treasury: Treasury Takes Coordinated Actions Against Illicit Russian Virtual Currency Exchanges and Cybercrime Facilitator (JY2616) : September 26, 2024
  2. OFAC: Russia-related Designations; Cyber-related Designation (SDN entries, Cryptex + Ivanov, 4 wallet addresses) : September 26, 2024
  3. FinCEN: Section 9714(a) Order Imposing Special Measure Prohibiting Transmittals Involving PM2BTC
  4. DOJ EDVA: Two Russian Nationals Charged; Justice Department Seizes Web Domains for Multiple Illicit Crypto Exchanges : September 26, 2024
  5. Chainalysis: OFAC Designates Russian Exchange Cryptex, FinCEN names PM2BTC (updated Oct 7, 2024)
  6. Elliptic: OFAC and FinCEN target major Russian money laundering services including Cryptex and PM2BTC
  7. TRM Labs: US Treasury Takes Coordinated Actions Against Illicit Russian VC Exchanges and Cybercrime Facilitators PM2BTC and Cryptex
  8. U.S. Department of State: TOCRP Reward Offers for Ivanov and Shakhmametov : September 26, 2024
  9. U.S. Secret Service: Most Wanted : Sergey Sergeevich Ivanov
  10. U.S. Secret Service: Most Wanted : Timur Kamilevich Shakhmametov
  11. Dutch FIOD: Seizure of €7M of cryptocurrency and 2 crypto exchanges taken offline
  12. The Record (Recorded Future News): US-led operation disrupts crypto exchanges linked to Russian cybercrime
  13. CyberScoop: Two Russian nationals indicted for servicing millions of dollars in cybercrime funds
  14. FinCEN: Bitzlato 9714(a) action (first use precedent) : January 2023
  15. behindMLM: Cryptex reboots as Bytnex (UNRELATED investment-scheme entity : disambiguation only)

Profile produced using open-source intelligence. Confidence labels applied per schema: CONFIRMED (multiple independent sources), CREDIBLE (single strong source or multiple weaker sources), ANALYST INFERENCE (logical extrapolation from confirmed facts). All volume figures cited with source and methodology; figures from different vendors are not averaged. Two-tier connected entity model applied throughout Section 09. Designation date is September 26, 2024.