Top Six Crypto Wake-Up Calls from Operation Destabilise
Operation Destabilise

In the wake of Operation Destabilise, the UK’s National Crime Agency (NCA) struck a significant blow against Russian money laundering networks tied to drug trafficking, ransomware, and espionage. The crackdown resulted in 84 arrests and the disruption of two major illicit networks, known as Smart and TGR.

These networks used cryptocurrency to funnel illicit funds across borders, enabling both money laundering and the evasion of Western sanctions against Russia. In response, the U.S. Office of Foreign Assets Control (OFAC) sanctioned five individuals and four entities linked to these operations.

Two players were among those sanctioned. One is Elena Chirkinyan, the second-in-command of the TGR network, and the other is Khadzhi Murat Dalgatovich Magomedov, a professional money launderer serving Russian clients.

The Global Ledger team decided to shed light on how cryptocurrency was embedded in these operations.

Six key takeaways from the case

1. USDT is the laundering crypto of choice

When it comes to laundering money, Tether (USDT) is #1. This popular stablecoin helps maintain the value of funds during transfers, making it great for large-scale operations. The networks frequently used cash-to-crypto exchanges and high-volume transactions, and USDT allowed them to avoid the volatility of other cryptocurrencies.

2. Over $195 million USDT laundered through Magomedov’s wallet

According to Global Ledger’s Counterparty Report, more than $195 million USDT flowed through Magomedov’s wallet. It engaged with a wide range of counterparties. Notably, the wallet’s biggest connection was with a prominent centralized crypto exchange.

GL Counterparty Report for Magomedov’s wallet from 01.01.2020 to 17.12.2024

GL Counterparty Report for Magomedov’s wallet from 01.01.2020 to 17.12.2024

3. Over $146,000 USDT flowed via Chirkinyan’s wallet

Compared to the vast sums handled by Magomedov’s wallet, Elena Chirkinyan’s wallet moved a more modest amount — over $146,000 USDT.

GL Counterparty Report for Magomedov’s wallet from 01.01.2020 to 17.12.2024

GL Counterparty Report for Chirkinyan’s wallet from 01.01.2020 to 17.12.2024

4. Direct deposits to CEXs: From regulated platforms to sanctioned Garantex

Both Chirkinyan’s and Magomedov’s wallets regularly funnelled funds to well-known centralized crypto exchanges (CEXs), including reputable, regulated platforms. However, they also continued using Garantex, the Russian crypto exchange sanctioned in April 2022.

For example, between June 2022 and February 2023, Chirkinyan’s wallet received deposits totalling $22,000 from Garantex. Additionally, in October 2023, an unsanctioned wallet sent 1,295 USDT to Chirkinyan’s wallet and over $41,000 to Garantex.

When comparing activity, Magomedov’s wallet interacted with a broader range of exchanges and counterparties than Chirkinyan’s. His transactions were even linked to a high-risk wallet flagged for hacking. Interestingly, Magomedov’s laundering strategy didn’t rely on multiple “hops” to hide fund movement; instead, he favoured straightforward deposits to CEX wallets.

Meanwhile, Chirkinyan’s transactions were simpler, typically culminating in deposits to a prominent centralized exchange. 

5. Partial KYC exchanges 

In addition to CEXs, the wallets also engaged with platforms requiring only partial Know Your Customer (KYC) verification. On these exchanges, KYC checks were often triggered based on user activity—for instance, applying to crypto transfers but not fiat transactions. 

6. Cyprus-based gambling service ties

Notably, Chirkinyan’s wallet received crypto deposits from a Cyprus-based gambling service that exclusively handles transactions in cryptocurrency. 

Sanctioned addresses: Ongoing challenges for the industry

While the two sanctioned wallets are unlikely to remain active—thanks to identification by blockchain analytics tools and blacklisting by major crypto exchanges—the broader network of connected wallets remains a significant risk. These wallets can continue enabling professional money laundering activities if left unchecked. To mitigate this, industry players should monitor these wallets using tools like Global Ledger to ensure compliance and prevent exposure.

Criminal organizations can easily create new crypto addresses even without reusing flagged wallets. The process is quick and straightforward, often taking just seconds to minutes—especially for decentralized wallets, which rarely require verification. In contrast, custodial wallets on centralized exchanges typically enforce KYC checks, which can slow the process.

Key recommendations 

  • Blacklist and monitor

While Chirkinyan’s and Magomedov’s wallets are unlikely to resurface, placing them—and their linked activity—under close monitoring is critical. Crypto exchanges and platforms should maintain internal blacklists to prevent future exposure.

  • Investigate wallet networks

Use blockchain analytics tools to fully trace these wallets’ activity, identify past direct counterparties, and add them to watchlists. 

  • Address ongoing Garantex exposure

A recurring theme in this case was continued interaction with Garantex even after its sanctioning. Industry participants should proactively use blockchain analytics tools to detect and block exposure to sanctioned entities.

  • Identify high-risk wallets

Crypto wallets showing frequent, high-value transactions with an unusually large number of counterparties should be flagged as high-risk for money laundering. Such patterns often signal organized laundering operations.

To recap

Sanctioning these wallets is an important step, but the fight isn’t over. The industry players will have to monitor flagged wallets to spot new risks. Understanding and addressing the broader networks linked to illicit wallets can help reduce exposure to criminal activities.