
ZachXBT Uncovers $15.7M Crypto Laundering by Russian OTC Broker

The prominent on-chain investigator known as ZachXBT has exposed an extensive money laundering operation allegedly orchestrated by Aleksandr (Aleks) Khinkis, a Russian Over-the-Counter (OTC) broker. According to the investigation, Khinkis processed over $15.7 million for various ransomware syndicates using a single exchange account since July 2025. The illicit activity involved the movement of large quantities of Bitcoin and subsequent conversion into other digital assets to obscure the paper trail.

Mechanism of the Ransomware Fund Flow

The investigation identifies three specific suspected ransom payments totaling 796 BTC. To bypass detection and break the linear transaction history, the funds were reportedly moved through cross-chain protocols, shifting from the Bitcoin network to the Avalanche blockchain. Once on the Avalanche network, the capital was dispersed across a complex web of multiple wallet addresses.

The laundering process involved several key steps:

  • The receipt of 796 BTC across three major ransom events.
  • Utilization of bridge services to swap assets to the Avalanche ecosystem.
  • Strategic distribution of funds to numerous secondary addresses to complicate tracking efforts.

Current Asset Status and DeFi Involvement

According to ZachXBT, a significant portion of the laundered capital remains active within decentralized finance (DeFi) protocols. Approximately $10.6 million is currently deposited in Aave, where it is reportedly being phased out through consistent withdrawals. This method allows actors to earn yield or borrow against collateral while slowly off-ramping funds into fiat or stablecoins.

"Some related addresses had previously been frozen by Tether for USDT due to ransom events", stated ZachXBT.

The involvement of Tether in freezing previous associated wallets highlights the ongoing efforts by centralized stablecoin issuers to mitigate the use of their assets in criminal activities. Despite these interventions, the broker allegedly managed to continue operations by utilizing various decentralized liquidity pools and non-custodial platforms.

This latest revelation underscores the persistent challenge of OTC-based money laundering within the CIS region. As blockchain forensics become more sophisticated, the focus has shifted toward high-volume brokers who act as gateways between the illicit digital economy and the traditional financial system. The tracking of these 796 BTC provides critical data for law enforcement agencies monitoring the financial infrastructure of global ransomware groups.
