Episode 106 of the Public Key podcast is here and this is our “Live from Links” series, where we showcase our podcasts recorded live at the Chainalysis Links Conference in NYC! Russia’s invasion on Ukraine over 2 years ago has been challenging, but today we speak to Yevhenii Panchenko (Head of Operational Analysis, Cyberpolice Department, National Police of Ukraine) who shares how the Ukranian Cyber Police are fighting back against Russian hackers and cyber attacks.
You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 106.
Public Key Episode 106: Fighting Cybercrime: Inside the Battle Against Russian Hackers
“They want to destroy as many of our systems and resources as they can get the access to.” – Yevhenii
In this episode Ian Andrews (CMO, Chainalysis) speaks to Yevhenii Panchenko (Head of Operational Analysis, Ukraine Cyberpolice Department.
Yevhenii discusses the global fight against Russian cyber actors, who target not only Ukraine but also other countries and shares the work his organization is doing to combat cyber threats, including investigating crimes related to fraud, ransomware, and illegal content.
He shares the challenges they face in stopping Russian organizations and the importance of international collaboration and the importance of volunteers in identifying fraud and scam projects.
Yevhenii also announces their new project, SCAMFARI and how they use OSINT to identify crypto fraud and collect data and the impressive features of the DIIA City and the implementation of digital documents in Ukraine.
Quote of the episode
“So fraud, it’s the main problem or the really big problem in Ukraine, but also responsible for investigating the crimes related to ransomware, to also illegal content, for example, child pornography. We investigate some crimes in bank sector sector, and also crime committed where we find the connections to the virtual assets.” – Yevhenii Panchenko (Head of Operational Analysis, Cyberpolice Department, National Police of Ukraine)
Minute-by-minute episode breakdown
2 | Discussion on the Ukraine Cyber Police mandate and global nature of cyber threats
5 | Describing Russian cyber attacks on Ukrainian infrastructure
8 | A day in the life of the Ukraine Cyber Police Unit
10 | Russian hackers using cryptocurrency to receive ransoms and evade sanctions
12 | Collaboration with US and EU agencies and training on using Chainalysis
15 | Discussion on the effectiveness of sanctions on crypto flows
18 | What is Scamfari and how they use OSINT to identify crypto fraud and collect data
21 | Impressive features of the DIIA City and the implementation of digital documents
23 | Recommendations for supporting Ukraine, including cryptocurrency investigation skills
Related resources
Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.
Speakers on today’s episode
- Ian Andrews * Host * (Chief Marketing Officer, Chainalysis)
- Yevhenii Panchenko (Head of Operational Analysis, Cyberpolice Department, National Police of Ukraine)
Mentioned Episodes:
Crypto In Ukraine: The Digital Transformation Of A Country Under Siege – Episode 26
In this episode, we have an inspiring and impactful discussion with Alex Bornyakov, Ukraine’s Deputy Minister of the Ministry of Digital Transformation for IT Development, about building for the digital future in Ukraine.
This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.
Transcript
Ian:
Hey everyone, this is Ian Andrews live from Lynx with another episode of Public Key. I’m joined on this episode by Yevhenii Panchenko, who is head of Operational Analysis of the Cyber Police Department of the National Police of Ukraine. Yevhenii, thank you so much for joining us this week at Lynx.
Yevhenii:
Yeah, thanks very much.
Ian:
Obviously, we at Chainalysis care deeply about the fight in Ukraine for your independence and defeating the Russians, and so the work that you do is of huge importance to that. We’ll talk about that in the conversation, but a personal thank you for taking time out from that fight to come to this conference and share your story and the work that your organization’s doing, which I think is incredible. You talked this morning on main stage, it was roaring applause, I think from everybody in the room, so thank you.
Yevhenii:
Yeah, thank you for inviting us and also in my role, as you say it, I’m a lead of one of the areas that I’m responsible for analysis, but not also for that. Sometimes we need to tell people what we do and what we’ve done on the perspective, how we fight also with Russians and what results we had in our daily jobs and activities. So it’s important to be here and also speak with you. Thank you.
Ian:
Well, and one of the things that really struck me in your presentation this morning is you’re fighting in cyberspace with a number of Russian actors, but those Russian actors aren’t just targeting Ukraine, they’re targeting Europeans Americans, Canadians, right? This is a global fight that you’re undertaking on behalf of so many other countries. Talk a little bit about the work that your organization is doing and some of the things that you shared on main stage today.
Yevhenii:
Yes, thanks for that question. So yeah, we are responsible for many things. In general, we of course investigate the crimes that commit in cybersphere. It’s many that’s really close to the people, to the also citizens, not from Ukraine, but from US also. I saw in the also main stage the cases that’s related to fraud. Fraud is really a big problem now, and especially in cryptocurrency because the transaction’s really fast. So we need to arrest the money, but it flows really, really fast.
So fraud, it’s the main problem or the really big problem in Ukraine, but also responsible for investigating the crimes related to ransomware, to also illegal content, for example, child pornography. We investigate some crimes in bank sector sector, and also crime committed where we find the connections to the virtual assets. Only Cyber Police in Ukraine responsible for that type of investigations in Ukraine, and of course it’s a really big challenge for us now because the legislative change, the technology also adopt really fast, and the actors and the criminal actors used all the benefits that cryptocurrency give us.
Ian:
Well, research that we’ve done at Chainalysis, it appears that the vast majority of ransomware activity globally, payments are going back to Russians. It’s almost exclusively a Russian organized crime activity, is what we can see in the on-chain activity. And my understanding is that those same individuals are also targeting Ukrainian infrastructure. Perhaps less so for ransoms, more in their offensive cyber related to the war effort. What are you able to do from your position to stop some of these organizations?
Yevhenii:
Yeah, it’s really big problem, and of course we can see the same situation, so really huge amount of funds in crypto goes to Russia. Why it happened, because probably all democracy worlds and countries not used and not allow any exchanges to work in that perspective, so to launder the money after ransom. But yeah, Russians do that and of course do in many cases.
I also will mention that in Ukraine we have another problem. It’s related, because the situation really close to the war action almost around Ukraine. So the Russians actors not only attack for ransom, but also for disruption their resources. So they try to destroy as many our systems and resources as they can to get the access. In this situation, we don’t have any magic keys or ideas how to prevent it or how to fight against it. We only do the systematic work for adopt the resources of our partners to new reality. So we provide some leads, we get them the information that could prevent attack, we also help them to deploy and integrate some systems which could help them in that situation and prevent the bad things that could happen with their resources.
Ian:
What are you seeing in terms of activity in terms of the cyber threats? Is it increasing or decreasing?
Yevhenii:
In Ukraine now?
Ian:
Yeah.
Yevhenii:
Of course, increasing.
Ian:
Yeah.
Yevhenii:
Increasing because as I told previously, so not only ransom now and target for Russian actors. They want to stone our data. They want to make the faces, and it’s easy to realize then some ransom. So they don’t need to go dive into the system or application or server infrastructure. They just use the first connection, the first stage of access, and then destroy data or do the faith for showing their powers for our citizens so they could think like, “Okay, our military and other who are responsible for cyber security not so effective.”
It’s of course really big damage and also not only depend how they realize that. So sometimes they used also the contact, the contact who inside of the organization, and in this situation we also find some links to the crypto. So they always try to pay in crypto for their agent who help them to commit a crime.
Ian:
Oh, interesting.
Yevhenii:
Yeah.
Ian:
And so what role does your organization play in stopping this? I mean, obviously you can investigate blockchain activity. What is a day in the life of Yevhenii look like?
Yevhenii:
Yeah, we have an amazing day. It’s always start at 8:00, maybe 8:30, and not only my day, also I will describe the day of cyber police in general. So we have the special units and the guys with really good knowledge in AT Sphere. So they not only investigate the cases, but as I tell you, they also prevent the crime. So try to scrape that data from the open sources, and sometimes we found deletes that give us some additional information could provided by other partners to prevent attacks because Russian not so smart in some cases.
Of course, they also have really good groups of actors that really organize strict and effective, but they also have a civil army. I don’t probably know the right word for that, but it’s like people who organized around some idea, for example, idea of [inaudible 00:09:03] our resources, and of course if you find the group, we join also and try to prevent attacks that we can see in a plan, in a perspective target of their activities. So it’s one way.
Also, we of course investigate the cases, so any cases related to cybercrime investigates in Cyber Police of Ukraine, and now we have almost all units who are responsible for all stages of investigation. So we could take the reports from our victims, start investigations, collect evidence, and then move the materials to the prosecutor for prosecute the cases and again, move to the court.
Ian:
Wow. Now, you mentioned open source intelligence. In your presentation this morning, you shared some screenshots from Telegram groups that your team had infiltrated. I know that we, in collaboration, I think with your organization perhaps, found Wagner group, the paramilitary organization supporting the Russian side here, had been fundraising via Telegram. Is that continuing? I mean, we saw that US levied sanctions against some of the people that were raising those funds, but do you still see that activity today?
Yevhenii:
Unfortunately yes, especially after the sanction was provided by some clusters or exchanges. The fundraisers campaign of Russians moved to the banking sector of Russia. So it’s really difficult now to stop that because they use their own bank accounts card, they use their own moves for some exchanges that also operate in Russian territory. So only one way is to try to get by missiles. But yeah, we don’t have unfortunately in cyber police the tools for that.
Ian:
They don’t give you access to those.
Yevhenii:
So only cyber things. That’s why we try to of course evaluate the addresses. So we make some [inaudible 00:11:18], we proactively ask about the addresses that they used for collect money, and then also send that information to partners, to your organization, to other tools that helps to prevent some types of fundraisers and any type of money laundering.
Ian:
Yeah. Now, I know there’s been, you mentioned partners, some interesting collaboration with US agencies. I think there was some training at your organization to learn how to use Chainalysis and do more crypto tracing. That happened a few months ago in Germany, I think. Talk about the international collaboration and some of the partnerships to support your efforts.
Yevhenii:
Yeah, the studying was half year, but yeah, in Germany, and IRST, the United States agency, really helps us. So they [inaudible 00:12:17] for us and also provides really good studying. So it was amazing course about the basic understanding of tools and also deep dive to the technical issues that you have in Chainalysis. So yeah, we cooperate with them a lot and also other agencies not from only US, but also from European Union. We have good connection with Europol, Interpol, and other international organization. So it’s only one way how to be really effective in the investigation that’s related to cryptocurrency because it has not border. That’s why we need to cooperate and also helps information to each other.
Ian:
Yeah. In your presentation this morning, you shared some successes where you had actually seized quite a bit of cryptocurrency and you had a number of arrests that had occurred. Maybe can you share a story or two?
Yevhenii:
Yeah, almost $1 million. Almost 1 million US dollars we arrested in the cases that really close to the fundraisers campaigns of Russia. Yeah. Also, Chainalysis helps us with this data. We take it and also include in our investigations. The funny thing is that sometimes we found the people from Ukrainian territory who also donate to the Russian addresses, and the funny story was once when we come to the search actions in the property of one guy and he just say that, “I just donate to help the bats on the occupied territory.” Of course it’s not true. Yeah. He understands what he do.
Ian:
Yeah, that’s a bad lie.
Yevhenii:
Yeah, because I have not any chance to find the addresses that we found and include in our investigation. That description would be for help bats only for by some night vision and drones and other things.
Ian:
Yeah.
Yevhenii:
Yeah, now he arrested and also in the prison.
Ian:
Amazing. Good work. I’m curious about your opinion on the sanctions and their effectiveness, particularly in the crypto world. So Garantex is the big Russian exchange. They’ve been sanctioned by the US and by the European Union now I believe. But when we look at their on chain activity, it doesn’t seem to have slowed down, right? There’s still a large amount of money passing through that particular exchange. What’s your perspective on this? Is there more that can be done to stop the flow of funds? Because it seems like it’s a mechanism that the criminals are using to bypass the sanctions against Russia.
Yevhenii:
Yeah, unfortunately it’s a big problem and yeah, we know that it’s not only problem for the cooperative exchanges who still works with probably Garantex or other exchanges from Russian territory, but it’s also big challenge because the Garantex and other sanctioned entities always adopt their technology and how it works with crypto. So they start to create more addresses for receive the funds, they start to launder money in ways that probably not so usual for that type of activity.
And that’s why we should, again, works hard, labeled addresses, recognize their networks, and cooperate with exchanges that could help us in that perspective. We don’t have some ideas how to change it today or in probably next hour, but in strategic plan of our work, of course included the activities and tasks that could help us. So we not stopped and also enjoyed to see other partners who could help us in that perspective. For example, we have really good group of volunteers who still, on a regular perspective, help us to recognize the addresses of sanctioned entities.
Ian:
Interesting. Tell me more about the volunteers. Who are these people? Are they just Ukrainian citizens who are technologically enabled, sort of cyber sleuths?
Yevhenii:
Yeah. It’s not only Ukrainians. Many from US also connect with us and help us to find the information, sometimes also provide some investigation regarding Russians. Not only US, also some people from European Union, also other police officers.
Ian:
Okay.
Yevhenii:
They do that on a volunteer based, but they’re really smart and their technical knowledge really deep, so it’s really help us.
Ian:
You mentioned something during your presentation this morning, I think it was called Scamfari?
Yevhenii:
Yeah.
Ian:
Yeah. Tell me more about that.
Yevhenii:
It’s the also volunteer project and the main goal of the project is to collect addresses that belongs to the fraud clusters or could be used in a fraud perspective, some maybe scam project. So the name tell the same, yeah. Scamfari. We try to find as many addresses that we can find in the internet and be proactive. So not only collect the data after our victims report us about the facts that happened and the crime was committed, but also we try to deep dive into dark net Telegram channels, other projects that probably published on OpenWeb, and understand what’s the perspective.
So sometimes after probably just five minutes of OSINT and checking the leaders of project, that probably their successful projects was previously in history, you can understand that it’s not about the institution, it’s about fraud. And today we have more than 600 users who already sent leads for us, and we have confirmed more than 42,000 addresses that belongs to fraud.
Ian:
Wow.
Yevhenii:
Yeah, it’s really cool. The partners who organize that also work Ukraine in a private sector, but they come to us and try to build a project for help us in the situation that we have now. So we only not focused on the fraud addresses, but also we try to find the fundraisers addresses that Russians use. So it’s included in the numbers that I tell you.
Ian:
Yeah. We’ve talked a lot about the war obviously and about crime, but two years ago I had the deputy minister for technology from Ukraine on the podcast, and one of the things that I was amazed about was the innovation happening in Ukraine on the technology front and the embracing of cryptocurrency to support Ukraine’s war effort. We talked a lot about the tens of millions of dollars that had been raised in the early days of the war to support Ukraine. How is the tech scene today in Ukraine? I know we talked about DIIA City and the startup culture there as well. Has that survived despite the war?
Yevhenii:
Yeah. I’m impressed about the result that Ministry of Digital Transformation has in Ukraine. So it’s amazing things. For example, DIIA, the application DIIA, it’s probably first application in the world that we have in our pocket, the documents that we need for daily life. So it’s a driver license, it’s passport, it’s used in any type of agencies, and-
Ian:
You’ve got all that digitally on your phone now?
Yevhenii:
Yeah, of course.
Ian:
I mean, we don’t have that in the US. You’re well ahead of us. I wish I could have my driver’s license on my phone.
Yevhenii:
It’s always surprised the people, especially not from Ukraine.
Ian:
Yeah.
Yevhenii:
I use it only once in Dubai. It’s impressed many.
Ian:
Did they know what to do with it when you were in Dubai, when you shared it?
Yevhenii:
I don’t know. Maybe they don’t understand correctly, but I tell that it’s only one passport that I have with me.
Ian:
Yeah. That’s amazing.
Yevhenii:
Yeah, it’s really cool. And DIIA City, it’s also a cool project. I know that many company who, from IT sphere also, joined to that project because they have some special conditions for do their business in that type.
Ian:
Yeah. Well, I know that we have listeners to the podcast who want to support Ukraine. What would you recommend as being the most impactful thing that they could do to help the work you’re doing or other aspects of support for Ukraine?
Yevhenii:
Yeah, it’s really important question. Thank you. Of course, if they have some special knowledge in cryptocurrency investigation or blockchain analysis, they could contact with me. I could also left my contact to you or in a podcast. We could organize their activities and try to use their knowledge in the best way that we can.
If someone wants to donate for Ukraine, so it’s not recommendation to which addresses you need to use, but it’s recommendation to which addresses you should not donate because many of frauders today create the campaign that’s really looks like the same, like original, but it’s of course the fake. So only really famous project, only official sites could help the people who wants to help Ukraine to donate because we know that we have now really good many of funds that represent in the internet their resources. And if you just Google and try to find famous funds it’s okay, but never try to send money to some advertise that you can see or some pages that you never seen before. Especially if they show you some really… I don’t know, the pictures that looks like a true, so they want to involve you because they use your emotion.
Ian:
Yeah, yeah. Be safe out there. Don’t donate to a random site.
Yevhenii:
Yeah.
Ian:
Definitely don’t click on an advertisement. Be certain about where you’re directing your money if you’re donating-
Yevhenii:
Of course.
Ian:
… Is a good lesson. Don’t fall victim to a scam while you’re trying to help people. Well, that’s amazing. We’ll include your contact information so that if anyone listening that has blockchain analysis skills and feels like they can contribute, we’ll be able to get in touch with you.
This is amazing. Thank you again for spending time with us and best of luck in all your efforts.
Yevhenii:
Thanks a lot. Thanks a lot.
Ian:
Thank you.