

On Tuesday, 6 February 2023, Denis Mihaqlovic Dubnikov, a Russian citizen, pleaded guilty to charges of laundering ransomware proceeds. The money came from cyberattacks carried out by the Ryuk ransomware group over the span of three years.

Dubnikov is a former crypto-exchange executive and the co-founder of crypto trading platforms Coyote Crypto and Eggchange. He was arrested in November 2021, in Amsterdam, and extradited to the United States in August 2022.

If convicted, the accused faces up to 20 years in prison, three years of supervised release, and a fine of up to $500,000.

The Money Laundering Scheme

Dubnikov was part of a money laundering group with 13 other individuals from August 2018 to August 2021. They received the proceeds of Ryuk ransomware attacks on people and organizations in the United States and worldwide.

The money laundering group, including Dubnikov, used various financial transactions, including international ones, to hide the origin, location, and identity of those who received the ransom payments.


After a victim paid a ransom in Bitcoin into private wallets, the sum was split into smaller amounts and transferred to other private wallets. Hundreds of private wallets were used for this scheme, each connected with thousands of public keys.

The ransom was then transferred again, from the wallets to cryptocurrency exchange accounts, and converted into Tether, other cryptocurrencies, or fiat currency. In the final step, the exchanged ransom (now in Tether or another cryptocurrency) was sent to other accounts, where it was converted into fiat currency (usually Chinese Renminbi) using “over the counter” services.

The Bitcoin transferred to Dubnikov was directly sourced from the ransom paid by the American company. Dubnikov converted the Bitcoin to Tether and sent it to a second co-conspirator, who eventually exchanged it for Chinese Renminbi.


The Ryuk ransomware group was a ransomware-as-a-service (RaaS) operation that was active between August 2018 and the middle of 2020. The group then switched to Conti ransomware, which was shut down in May 2022.


Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.
