Executive Summary and Exchange Overview
| Field | Detail |
|---|---|
| Cluster (primary nodes) | Cryptex (exchange) + PM2BTC (exchanger) + UAPS/PinPays (payment processors) |
| Cryptex registered entity | International Payment Service Provider LLC ("IPSP") |
| Registration jurisdiction (Cryptex) | St. Vincent and the Grenadines : Business Reg. No. 1628; established 1 Dec 2021 |
| Registration jurisdiction (PM2BTC) | Not formally documented; assessed Russia-based exchanger Credible |
| Infrastructure hosting jurisdiction | Netherlands (servers seized by Dutch police/FIOD); distributed globally |
| Operator location (assessed) | Russia (St. Petersburg : Ivanov) |
| Operational period (Cryptex) | 2018 – September 26, 2024 (domains seized) |
| Operational period (PM2BTC) | Since 2014 – September 26, 2024 (311 order / infrastructure seizure) |
| Operational period (UAPS) | Since 2013 (PinPays rebrand ~2015) |
| OFAC designation (Cryptex + Ivanov) | September 26, 2024 : E.O. 13694 (as amended by 13757) [CYBER2] and E.O. 14024 |
| FinCEN action (PM2BTC) | September 26, 2024 : "primary money laundering concern," Section 9714(a) order (2nd-ever use) |
| EDVA indictment | Unsealed September 26, 2024 : Ivanov and Shakhmametov |
| EU / UK designation | Not located as of June 2026 Credible (negative evidence) |
| Cryptex SDN wallet addresses | 4 listed : BTC, ETH, LTC, TRX (see Section 05) |
| State nexus tier | TOLERATED SAFE HARBOR |
| Blockchain analytics coverage | Chainalysis and Tether (assisted Dutch seizure); TRM Labs; Elliptic |
Lineage and Organizational Heritage
UAPS → PinPays → PM2BTC → Cryptex : One Operator Chain
Evidentiary Pillars
Confirmed Shared wallet infrastructure. Chainalysis states PinPays shared wallet infrastructure with UAPS and that UAPS shared wallet infrastructure with PM2BTC; in 2024 alone UAPS sent more than $97M to intermediary addresses that then moved to Cryptex addresses, with over $92M reaching four Cryptex addresses. [Chainalysis]
Confirmed Common controller. OFAC lists "UAPS" as an alias of Ivanov himself; DOJ alleges Ivanov created and/or operated UAPS, PinPays, and PM2BTC, and that he is "currently associated with Cryptex." [OFAC, DOJ]
Credible Cryptex corporate control. Ivanov is described by OFAC as "associated with" rather than the registered owner of Cryptex. The named registrant is International Payment Service Provider LLC. The precise ownership/control relationship between Ivanov and the St. Vincent shell is not publicly documented. [OFAC]
Operator Profiles
| Attribute | Sergey Sergeevich Ivanov | Timur Kamilevich Shakhmametov |
|---|---|---|
| Aliases | Sergey Omelnitskii (Cyrillic: Омельницкий); "Taleon"; "UAPS" | "JokerStash"; "Vega" |
| DOB / identifiers | 2 Jun 1980; POB Russia; Russian passport 4015431802 | Not publicly disclosed |
| Nationality | Russian | Russian |
| Assessed location | St. Petersburg, Russia | Russia (assessed) Credible |
| Role | ~20-year professional cyber money launderer; operator of UAPS/PinPays/PM2BTC; associated with Cryptex; payment processor for Genesis Market, BriansClub, Faceless, Rescator | Creator/operator of Joker's Stash carding marketplace |
| Charges (EDVA) | Conspiracy to commit/aid bank fraud (Rescator); conspiracy to commit money laundering (Joker's Stash proceeds) | Conspiracy to commit/aid bank fraud; conspiracy to commit access device fraud; conspiracy to commit money laundering |
| Sanctions | OFAC SDN, 26 Sep 2024 [RUSSIA-EO14024] | Not individually SDN-listed as of June 2026 |
| Reward | Up to $10M (State Dept. TOCRP) | Up to $10M (State Dept. TOCRP) |
| Legal status | At large in Russia; no extradition | At large in Russia; no extradition |
A further State Department reward of up to $1M is offered for information identifying other leaders of Joker's Stash (besides Shakhmametov) and other key leaders of the UAPS, PM2BTC, and PinPays criminal groups (besides Ivanov). [State Dept., Elliptic]
Disputed / Unresolved Assessments
Service Model and Business Operations
Exchange Mechanics
Cryptex operated a Russian-language instant exchange plus a trading platform, and from January 2022 a payment-processing arm, CryptexPay, supporting BTC and LTC settlement for online businesses explicitly classified as "high-risk." Confirmed [Chainalysis]
PM2BTC operated since 2014 as a no-KYC exchanger specializing in direct convertible-virtual-currency-to-ruble conversion, routed through U.S.-sanctioned Russian financial institutions. Confirmed [FinCEN, Treasury]
UAPS / PinPays functioned as invite-only, API-integrable payment processors for fraud shops rather than retail exchanges; in recent years UAPS's exchange function was minimal and on-chain behavior shows it acting primarily as a fraud-related payment processor and aggregator that pooled and redistributed deposits before forwarding to Cryptex. Confirmed [Chainalysis, TRM Labs]
KYC / AML Posture : Stated vs Observed
| Node | Stated policy | Observed behavior (LE / regulator sourced) |
|---|---|---|
| Cryptex / CryptexPay | Marketed absence of AML/KYC as a feature; CryptexPay "explicitly advertised its lack of adherence to AML/KYC requirements." | DOJ: Cryptex "offers complete anonymity to Cryptex users by allowing them to register for accounts without providing know-your-customer compliance requirements" and "advertised itself directly to cybercriminals." Confirmed |
| PM2BTC | No credible public AML/KYC program; positioned as a no-KYC exchange. | FinCEN: "failed to maintain a credible and effective anti-money laundering and know your customer (KYC) program"; nearly half of exchange activity linked to illicit activity. Confirmed |
| UAPS / PinPays | Invite-only / admin-approval merchant onboarding (a closed criminal access model, not compliance). | Onboarding gate functioned to screen in trusted criminal merchants, not to screen out illicit actors. Analyst Inference |
Fiat Rail Analysis
Confirmed PM2BTC provided "direct CVC-to-ruble exchange services using U.S.-sanctioned financial institutions." This is the cluster's clearest documented fiat rail: ruble settlement intermediated through already-sanctioned Russian banks. The specific institutions are not named in the public FinCEN/OFAC text. [Treasury, FinCEN]
Confirmed On the carding side, Ivanov provided payment-processing support (via UAPS and PinPays) for purchases made on the Rescator site using bitcoin, bridging stolen-card fraud proceeds into crypto rails. [DOJ]
Credible (negative) No specific correspondent bank, card processor, or named payment-institution relationship beyond the general "U.S.-sanctioned Russian financial institutions" language is documented in open sources. Granular fiat-rail mapping is an intelligence gap (Section 10).
Licensing and Regulatory Standing
Cryptex's registrant, International Payment Service Provider LLC, holds a St. Vincent and the Grenadines business registration (No. 1628). St. Vincent and the Grenadines does not license or supervise virtual asset service providers, making the registration a jurisdiction-of-convenience shell rather than evidence of regulatory compliance. Analyst Inference PM2BTC has no documented licensing in any jurisdiction. Credible
Technical Infrastructure and Platform Footprint
Domains
| Domain | Node | Status | Source |
|---|---|---|---|
| cryptex.net | Cryptex (primary) | Listed on SDN entry; seized | OFAC SDN |
| cryptex.one | Cryptex (admin/operations) | Seized (District of Maryland order) | DOJ |
| btc2pm.me | PM2BTC | Associated; infrastructure seized | Chainalysis / USSS |
| UAPS / PM2BTC web domains | UAPS, PM2BTC | USSS court-authorized seizure | DOJ |
Hosting and Resilience After Disruption
Confirmed Both Cryptex and PM2BTC had server infrastructure based in the Netherlands. On September 26, 2024 the Dutch FIOD and National High Tech Crime Unit, coordinating with the U.S. Secret Service, took those servers offline at various locations worldwide and seized cryptocurrency worth €7M (~$7M+). [FIOD, DOJ, TRM Labs]
Confirmed Chainalysis and Tether assisted the Dutch seizure of the €7M in funds. [Chainalysis]
Apps, Nodes, and Channels
Financial Intelligence and On-Chain Analysis
Transaction Volume : By Source and Methodology
Per the volume sourcing rule, figures from different vendors and authorities are presented separately with methodology, not averaged or collapsed.
| Figure | Scope / methodology | Source |
|---|---|---|
| $5.88B+ | Cryptex lifetime transaction value since 2018 inception | Chainalysis |
| $1.4B (62,586 BTC, 37,500+ tx) | Bitcoin addresses associated with Cryptex; value at time of transactions | DOJ (citing a blockchain analytics firm) |
| $1.15B | Crypto addresses tied to Ivanov's UAPS/PinPays/PM2BTC services, 12 Jul 2013 – 10 Aug 2024 | DOJ |
| $1B+ | PM2BTC lifetime processed value | FinCEN / Chainalysis |
| $500M+ | Laundered through UAPS/PinPays, 2022–2024 | TRM Labs |
Three-Phase On-Chain Flow
Layering: PinPays/UAPS apply a "mixer" technique, pooling and redistributing funds through interconnected wallets to obscure origin; CryptexPay generates a new wallet address per transaction and mixes deposits. This is the "unusual obfuscation that inhibits attribution" cited by FinCEN.
Extraction: Funds consolidate to Cryptex addresses (in 2024, $92M+ of $97M+ UAPS outflow reached four Cryptex addresses) and exit via CVC-to-ruble conversion (PM2BTC) or onward transfer to other cash-out venues including Garantex. [Chainalysis, TRM Labs, FinCEN]
Illicit-Exposure Breakdown
| Metric | Value | Source |
|---|---|---|
| Cryptex BTC inflow from criminal addresses | ~31% ($441M): $297M fraud + $115M+ ransomware | DOJ |
| Cryptex BTC inflow from cybercriminal-used services | 9% ($162M) | DOJ |
| Cryptex BTC outflow to U.S.-sanctioned entities / darknet markets | 28% of all BTC sent | DOJ |
| Cryptex ransomware-derived inflows | $51.2M+ | OFAC |
| Cryptex transactions to fraud shops, mixers, no-KYC exchanges, Garantex | $720M+ | OFAC |
| Ivanov addresses from criminal sources | ~32%: $158M+ fraud, $8.8M+ ransomware, $4.7M darknet drug markets | DOJ |
| PM2BTC activity linked to illicit sources | Nearly 50%; worse than 99% of VASPs | FinCEN |
Sanctioned Wallet Addresses (OFAC SDN, Cryptex)
| Asset | Address |
|---|---|
| BTC (XBT) | 13JtX4h7G5ZuNK5mFudKGq9DHLvvMFuNuz |
| ETH | 0x0931cA4D13BB4ba75D9B7132AB690265D749a5E7 |
| LTC | M8yFL6SFC6TreATegTyuSYkDfDRbisdpT3 |
| TRX | TTUDyVhhpCC1xJoPmWzdjLAzeoPwbSABdr |
OFAC listed four addresses; Elliptic notes it is aware of thousands of additional addresses connected to Cryptex, PM2BTC, Joker's Stash, and PinPays beyond the SDN list. [OFAC, Elliptic]
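An added illustration, not part of the original profile and not any vendor's or authority's method: proportional ("haircut") tracing over a constructed ledger, showing why matching only the four listed addresses misses value that arrives through intermediaries, as in the layering and extraction phases above. The labels `UAPS_POOL`, `INT_A`, `INT_B`, `INT_C`, `UNRELATED_DEPOSITOR`, `OTHER_VENUE` and all amounts are constructed; the ledger uses one value unit across assets and ignores transfer timing.

```python
from collections import defaultdict

# The four Cryptex addresses listed on this page (OFAC SDN entry).
SDN_ADDRESSES = {
    "BTC": "13JtX4h7G5ZuNK5mFudKGq9DHLvvMFuNuz",
    "ETH": "0x0931cA4D13BB4ba75D9B7132AB690265D749a5E7",
    "LTC": "M8yFL6SFC6TreATegTyuSYkDfDRbisdpT3",
    "TRX": "TTUDyVhhpCC1xJoPmWzdjLAzeoPwbSABdr",
}

def norm(addr):
    """Hex (0x...) addresses compare case-insensitively; Base58 ones do not."""
    return addr.lower() if addr.startswith("0x") else addr

FLAGGED = {norm(a) for a in SDN_ADDRESSES.values()}

# Constructed sample ledger: (sender, recipient, amount). Not real transactions.
TRANSFERS = [
    ("UAPS_POOL", "INT_A", 60.0),
    ("UAPS_POOL", "INT_B", 36.0),
    ("UNRELATED_DEPOSITOR", "INT_B", 12.0),          # clean funds pooled with tainted ones
    ("INT_A", SDN_ADDRESSES["BTC"], 60.0),
    ("INT_B", "INT_C", 40.0),
    ("INT_B", "OTHER_VENUE", 8.0),
    ("INT_C", SDN_ADDRESSES["ETH"].lower(), 40.0),  # lowercase form must still match
]

def direct_hits(transfers, source):
    """One-hop screening: the source's own transfers that pay a listed address."""
    src = norm(source)
    return [t for t in transfers if norm(t[0]) == src and norm(t[1]) in FLAGGED]

def indirect_exposure(transfers, source, max_hops=4):
    """Value leaving `source` that reaches listed addresses within max_hops.

    Each address forwards taint pro rata: an output of `amt` carries
    amt * taint / max(total_in, total_out) of the taint held there.
    """
    outs = defaultdict(list)
    total_in = defaultdict(float)
    total_out = defaultdict(float)
    for src, dst, amt in transfers:
        s, d = norm(src), norm(dst)
        outs[s].append((d, amt))
        total_out[s] += amt
        total_in[d] += amt

    source = norm(source)
    reached = defaultdict(float)
    frontier = {source: total_out[source]}  # the source's whole outflow is treated as tainted
    for _ in range(max_hops):
        nxt = defaultdict(float)
        for addr, taint in frontier.items():
            denom = total_out[addr] if addr == source else max(total_in[addr], total_out[addr])
            for dst, amt in outs[addr]:
                carried = amt * taint / denom
                if dst in FLAGGED:
                    reached[dst] += carried   # stop tracing at a listed address
                else:
                    nxt[dst] += carried
        frontier = nxt
    return dict(reached)

if __name__ == "__main__":
    print("direct hits:", direct_hits(TRANSFERS, "UAPS_POOL"))
    print("indirect exposure:", indirect_exposure(TRANSFERS, "UAPS_POOL"))
```

Raising `max_hops` widens the trace at the cost of more diluted attribution; the pro-rata rule is one of several tracing conventions and is used here as an assumption.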
Sanctions and Risk Ratings
Cryptex and Ivanov are OFAC SDN-listed (blocked; secondary sanctions risk flagged). PM2BTC is subject to a FinCEN Section 9714(a) order prohibiting covered U.S. financial institutions from certain transmittals of funds involving it. Confirmed [OFAC, FinCEN]
Client Profile and Criminal Use
Crimeware Verticals by Evidence Tier
| Vertical | Specific actors | Evidence tier | Source |
|---|---|---|---|
| Fraud shops / carding | Genesis Market, Rescator, Joker's Stash, BriansClub/Brian Dumps, Faceless | Confirmed | OFAC, DOJ, Chainalysis |
| Ransomware | Conti and Trickbot named for PM2BTC; ransomware proceeds broadly | Confirmed (cluster) / Credible (named families) | TRM Labs, OFAC, DOJ |
| Darknet drug markets | Unnamed DNMs ($4.7M into Ivanov addresses) | Confirmed | DOJ |
| Initial access brokers | Unnamed; cited categorically by OFAC | Credible | OFAC |
| Sanctions evasion | Flows to OFAC-designated Garantex; CVC-to-ruble via sanctioned banks | Confirmed | OFAC, Elliptic |
High-Profile Criminal Flows
Confirmed Genesis Market. Ivanov (via UAPS) served as a payment processor for the OFAC-designated fraud shop Genesis Market, whose website was taken down by law enforcement in 2023. [OFAC, Chainalysis]
Confirmed Rescator and Joker's Stash. Ivanov provided bitcoin payment-processing support for Rescator and laundered proceeds from Joker's Stash. Rescator advertised data from up to 40 million payment cards and PII of ~70 million people stolen from a major U.S. retailer in 2013, costing that victim at least $202M. Joker's Stash sold ~40M cards annually (hundreds of millions overall); profit estimates range $280M to $1B+. [DOJ]
Credible Ekaterina Zhdanova. Chainalysis identifies a Cryptex connection to the OFAC-sanctioned Russian money launderer Ekaterina Zhdanova, who laundered for Russian elites and ransomware groups. Single Source [Chainalysis]
Geographic Patterns
Client base is overwhelmingly the Russian-speaking cybercrime ecosystem: Cryptex advertised in Russian, marketed on exclusive Russian-language criminal forums, and settled into rubles. Victim base (carding) is concentrated in the United States. Confirmed [Treasury, DOJ]
State Nexus Assessment
Three-Jurisdiction Separation
| Jurisdiction type | Finding | Confidence |
|---|---|---|
| Entity registration | Cryptex: St. Vincent and the Grenadines (IPSP LLC, Reg. 1628). PM2BTC: not formally documented (assessed Russia-based) | Confirmed / Credible |
| Infrastructure hosting | Netherlands (seized servers); distributed globally | Confirmed |
| Assessed operator location | Russia (St. Petersburg : Ivanov) | Confirmed |
Negative Evidence
If a higher nexus tier (probable cooperation or direct control) applied, one would expect indicators such as: documented FSB/Rosfinmonitoring tasking, state protection from Russian prosecution paired with selective targeting of state adversaries, or integration into state sanctions-evasion programs. None of these is present in open sources for this cluster. What is documented is the absence of Russian enforcement against Ivanov despite a U.S. indictment and a $10M reward, which is consistent with passive safe harbor rather than active direction. Analyst Inference
Law Enforcement and Regulatory Response
September 26, 2024 Coordinated Action
| Instrument | Authority / agency | Effect |
|---|---|---|
| OFAC designation | E.O. 13694 (as amended by 13757) [CYBER2] + E.O. 14024 | Cryptex and Ivanov added to SDN List; property blocked; 4 wallet addresses listed |
| FinCEN order | Section 9714(a), Combating Russian Money Laundering Act | PM2BTC named "primary money laundering concern"; covered FIs prohibited from certain transmittals (2nd-ever 9714(a) use, after Bitzlato) |
| EDVA indictment | USAO-EDVA + USSS Cyber Investigative Section | Ivanov and Shakhmametov charged (bank fraud, access device fraud, money laundering) |
| Domain seizures | USSS; District of Maryland seizure order | cryptex.net, cryptex.one, plus UAPS/PM2BTC domains seized |
| Server seizures | Netherlands Police / FIOD / NHTCU | Servers taken offline worldwide; €7M crypto seized (with Chainalysis + Tether) |
| Rewards | State Dept. TOCRP | Up to $10M each for Ivanov and Shakhmametov; up to $1M for other named-group leaders |
| Operation framework | Operation Endgame (multinational) | Coordinated with Latvia, Europol, German BKA, UK NCA, NCFTA |
Indictment Detail
Confirmed Ivanov: one count conspiracy to commit and aid/abet bank fraud (Rescator payment processing) and one count conspiracy to commit money laundering (Joker's Stash proceeds). Shakhmametov: bank fraud, access device fraud, and money laundering conspiracies tied to operating Joker's Stash. Prosecuted by AUSA Zoe Bedell (EDVA) and CCIPS; Cryptex investigation handled with the District of Maryland (AUSA Thomas Sullivan). [DOJ]
Post-Disruption / Post-Sanction Reconstitution
Operator capacity: intact. Ivanov and Shakhmametov remain at large in Russia. The enforcement action removed domains, servers, and ~$7M, but did not reach the operators, their relationships, or their tradecraft. The structural risk is operator-led reconstitution under new branding, consistent with the cluster's documented rebrand-and-layer history (UAPS → PinPays → PM2BTC → Cryptex). Analyst Inference
Connected Entities and Ecosystem Relationships
Two-tier model applied to all entries. Tier 1 : Transaction confidence: how confident are we that funds transited this cluster from/to the entity? Tier 2 : Facilitation assessment: characterization of the cluster's role (Active facilitation / Structural enablement / Incidental processing). These are independent assessments and must not be collapsed.
| Entity | Relationship type | Tier 1: Transaction confidence | Tier 2: Facilitation assessment | Corroborating vendors | Notes |
|---|---|---|---|---|---|
| Garantex | OFAC-designated peer exchange; downstream cash-out | CONFIRMED. OFAC: Cryptex associated with $720M+ in transactions to services including Garantex. Elliptic: Cryptex transferred millions to Garantex. | Structural enablement. Cluster routed value to another no/low-KYC venue rather than coordinating a joint scheme. | OFAC, Elliptic | Two-vendor corroboration. Garantex separately sanctioned April 2022. |
| Genesis Market | OFAC-designated fraud shop; payment-processing client | CONFIRMED. OFAC and DOJ: Ivanov/UAPS served as payment processor for Genesis Market (taken down 2023). | Active facilitation. UAPS knowingly processed payments for the fraud shop as a service it integrated. | OFAC, DOJ, Chainalysis | Multiple authorities. Direct service relationship, not incidental flow. |
| Joker's Stash | Carding marketplace; Shakhmametov-operated; Ivanov laundered proceeds | CONFIRMED. DOJ indictment: Ivanov laundered Joker's Stash proceeds; co-charged with operator Shakhmametov. | Active facilitation. Laundering of proceeds is a charged, deliberate service. | DOJ, State Dept., Elliptic | Co-defendant relationship binds the two operators. |
| Rescator | Carding website; UAPS/PinPays payment-processing client | CONFIRMED. DOJ: Ivanov provided bitcoin payment-processing support for Rescator via UAPS and PinPays. | Active facilitation. Charged as conspiracy to commit/aid bank fraud. | DOJ | Single-authority but it is the charging document. Single Source for processing detail. |
| BriansClub / Brian Dumps, Faceless | Fraud shops; UAPS payment-processing clients | CREDIBLE. Chainalysis names these as UAPS fraud-shop clients; not individually quantified. | Active facilitation. Same integrated payment-processor model as Genesis/Rescator. | Chainalysis | Single Source. TRM/Elliptic have not published entity-specific figures. |
| Conti / Trickbot | Ransomware groups; PM2BTC cash-out | CREDIBLE. TRM: PM2BTC a "preferred platform" for Conti and Trickbot via direct CVC-to-ruble conversion. Not wallet-level attributed in public text. | Structural enablement. No-KYC ruble cash-out predictably served these actors at scale. | TRM Labs | Single Source for the named-family attribution. |
| Ekaterina Zhdanova | OFAC-sanctioned money launderer; on-chain link to Cryptex | CREDIBLE. Chainalysis Reactor shows a Cryptex connection to Zhdanova. | Incidental processing / Structural enablement. Nature of the link (direct dealing vs shared counterparties) not specified publicly. | Chainalysis | Single Source. Relationship depth unresolved. |
| U.S.-sanctioned Russian financial institutions | Fiat ruble settlement rails for PM2BTC | CONFIRMED. FinCEN: PM2BTC provides direct CVC-to-ruble exchange using U.S.-sanctioned financial institutions. Institutions not named. | Structural enablement. Sanctioned banks provided the off-ramp; no evidence of bespoke coordination. | FinCEN, Treasury | Specific banks unnamed in public text. Fiat-rail gap. |
| Tether (USDT) | Stablecoin issuer; froze/assisted seizure (counter-party, not facilitator) | CONFIRMED. Tether assisted the Dutch €7M seizure alongside Chainalysis. | Incidental processing. Listed for completeness as a remediating counterparty, not an enabler. | Chainalysis, FIOD | Included to document the asset-freeze relationship. |
Trajectory Assessment
Market Position and Volume Trends
Confirmed Pre-disruption, the cluster was a significant Russian-speaking-ecosystem launderer: Cryptex was one of OFAC's largest-ever service-level crypto designations by lifetime throughput ($5.88B+), and PM2BTC carried an illicit ratio worse than 99% of VASPs. It was a specialist fraud-and-ransomware cash-out rail, not a mass-market exchange like Garantex. [Chainalysis, FinCEN]
Disruption Impact
Reconstitution Status
Cryptex brand: No confirmed reconstitution. Seized domains; SDN-listed. Confirmed
PM2BTC / UAPS: No confirmed reconstitution under a new brand in credible reporting as of June 2026. Credible
Operator network: Intact. Ivanov and Shakhmametov at large in Russia; no extradition path. Confirmed
Intelligence Gaps
Recent Reporting
[Oct 7, 2024] Chainalysis issues a correction clarifying that only Ivanov, not the UAPS service as a standalone entity, was the named OFAC target; "UAPS" appears as an alias of Ivanov in the SDN entry. [Chainalysis]
[Sept 26, 2024] Coordinated U.S.-Dutch action: OFAC designates Cryptex and Ivanov; FinCEN names PM2BTC a primary money laundering concern (2nd-ever 9714(a) use after Bitzlato); EDVA unseals indictment of Ivanov and Shakhmametov; USSS and Dutch FIOD seize domains/servers and €7M. [Treasury, DOJ, FIOD, TRM Labs, Elliptic]
[Oct 2025] Open-source confusion: an unrelated "Cryptex" investment scheme (cryptex.to) rebrands to "Bytnex." Flagged here only to prevent misattribution; not the sanctioned Cryptex.net. [behindMLM, Decripto]
Sources
- U.S. Treasury: Treasury Takes Coordinated Actions Against Illicit Russian Virtual Currency Exchanges and Cybercrime Facilitator (JY2616) : September 26, 2024
- OFAC: Russia-related Designations; Cyber-related Designation (SDN entries, Cryptex + Ivanov, 4 wallet addresses) : September 26, 2024
- FinCEN: Section 9714(a) Order Imposing Special Measure Prohibiting Transmittals Involving PM2BTC
- DOJ EDVA: Two Russian Nationals Charged; Justice Department Seizes Web Domains for Multiple Illicit Crypto Exchanges : September 26, 2024
- Chainalysis: OFAC Designates Russian Exchange Cryptex, FinCEN names PM2BTC (updated Oct 7, 2024)
- Elliptic: OFAC and FinCEN target major Russian money laundering services including Cryptex and PM2BTC
- TRM Labs: US Treasury Takes Coordinated Actions Against Illicit Russian VC Exchanges and Cybercrime Facilitators PM2BTC and Cryptex
- U.S. Department of State: TOCRP Reward Offers for Ivanov and Shakhmametov : September 26, 2024
- U.S. Secret Service: Most Wanted : Sergey Sergeevich Ivanov
- U.S. Secret Service: Most Wanted : Timur Kamilevich Shakhmametov
- Dutch FIOD: Seizure of €7M of cryptocurrency and 2 crypto exchanges taken offline
- The Record (Recorded Future News): US-led operation disrupts crypto exchanges linked to Russian cybercrime
- CyberScoop: Two Russian nationals indicted for servicing millions of dollars in cybercrime funds
- FinCEN: Bitzlato 9714(a) action (first use precedent) : January 2023
- behindMLM: Cryptex reboots as Bytnex (UNRELATED investment-scheme entity : disambiguation only)
Profile produced using open-source intelligence. Confidence labels applied per schema: CONFIRMED (multiple independent sources), CREDIBLE (single strong source or multiple weaker sources), ANALYST INFERENCE (logical extrapolation from confirmed facts). All volume figures cited with source and methodology; figures from different vendors are not averaged. Two-tier connected entity model applied throughout Section 09. Designation date is September 26, 2024.