MOSCOW -- Russian ransomware criminals who have extorted millions of dollars from American companies, hospitals and city governments have one very notable thing in common, according to intelligence officials and cybersleuths.
They share one of Moscow's most prestigious addresses, known as Federation Tower East (Vostok).
Promotional materials for the 97-floor glass and steel tower, built in 2017, boast of its supposed fortification against "missiles and explosions", Bloomberg Businessweek reported last month.
High-ranking Russian government officials and business executives live and work in the building, and residential units in the tower sell for upward of $36 million.
Since 2018, the building has also housed more than a dozen companies that convert cryptocurrencies to cash, according to addresses listed on company websites.
While such dealings are not inherently illegal, these companies can enable criminals to cash out profits from digital crimes -- such as those committed by ransomware gangs.
The gangs encrypt targets' digital data and then demand ransom payments to unscramble it.
The victims typically make payments in cryptocurrencies, which can be owned anonymously, and then the gangs convert them to standard currencies such as euros, US dollars or rubles.
Kremlin turns a blind eye
In one high-profile case in May, a Russian ransomware gang called "Darkside" extracted $4.4 million from Colonial Pipeline, a major pipeline in the United States that carries refined gasoline and jet fuel from Texas to New York.
The attack forced the pipeline to temporarily shut down, disrupting supplies and creating lines at gas stations up and down the eastern United States.
At a summit meeting in June, US President Joe Biden pressed Russian President Vladimir Putin to crack down on ransomware gangs and warned that failure to end such attacks would be met with retaliation.
But Russia-based ransomware criminals have continued to target US-based networks.
The US government's targeting of several companies in Federation Tower East as it seeks to penalise Russian ransomware gangs has convinced many security analysts that Russian authorities tolerate the ransomware operators, The New York Times reported December 6.
The tower is in the heart of Moscow's financial district, within sight of several government ministries, including the Russian Ministry of Digital Development, Signals and Mass Communications.
Russia's powerful internet regulator and media censorship agency, Roskomnadzor, falls under that ministry.
"It's hard to come up with a stronger illustration of the ineffectiveness of Russian enforcement than the existence of multiple entities with links to ransomware operating out of what is perhaps Moscow's most prestigious office tower," Bloomberg reported November 3.
"It says a lot," Dmitry Smilyanets, a threat intelligence analyst with the Massachusetts-based cybersecurity firm Recorded Future, told The New York Times.
Recorded Future has counted about 50 cryptocurrency exchanges in Moscow's financial district that it considers to be engaged in illicit activity.
The cluster of cryptocurrency exchanges in Federation Tower East that are suspected of illicit activity illustrates how Russian ransomware criminals are allowed to hide in plain sight.
"Russian law enforcement usually has an answer: 'There is no case open in Russian jurisdiction. There are no victims. How do you expect us to prosecute these honourable people?'" Smilyanets said.
The targets are almost exclusively outside Russia, making prosecution inside Russia nearly impossible.
Other factors further complicate justice, the newspaper reported, citing at least one case documented in a US sanctions announcement in which the suspect was assisting a Russian espionage agency.
Ransomware attacks on the rise
In the first six months of 2021, victims of ransomware attacks paid about $590 million to criminal hackers -- a 42% increase compared to a total of $416 million for all of 2020, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) reported October 15.
The report was released following a two-day Counter Ransomware Initiative meeting at the White House involving cybersecurity leaders from the United States and more than 30 countries.
"Ransomware is an escalating global security threat with serious economic and security consequences," the leaders wrote in a joint statement released October 14.
The nations pledged to address "safe haven" countries where malicious actors are able to operate. The US government did not invite Russia to participate in the meeting.
If current trends continue, the FinCEN report said, suspicious activity reports filed this year are projected to have a higher ransomware-related transaction value than in the previous 10 years combined.
Since 2011, Americans have paid an estimated $1.56 billion in ransoms to cybercriminals, according to FinCEN.
"Ransomware is an increasing threat to the US financial sector, businesses and the public," the report said.
Recent attacks have targeted sectors perceived to have less security or higher value because of the criticality of their services, including manufacturing, legal, insurance, health care, energy, education and the food supply chain.
Additionally, since at least late 2019, ransomware gangs have engaged in tactics to maximise revenue and create an additional incentive for victims to pay.
In one such tactic, called "double extortion", gangs seize massive amounts of a victim's data, encrypt the stolen data and then threaten to publish it if ransom demands are not met.
For example, last year a Russian ransomware gang called "Ryuk" made an estimated $162 million encrypting the computer systems of American hospitals during the COVID-19 pandemic and demanding fees to release the data, according to Chainalysis, a company tracking cryptocurrency transactions.
Crackdown on Federation Tower East
"Ransomware actors are criminals who are enabled by gaps in compliance regimes across the global virtual currency ecosystem," Deputy US Treasury Secretary Wally Adeyemo said in a statement following the release of the FinCEN report.
"Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity."
In September, the US government imposed sanctions on a cryptocurrency exchange called Suex, accusing the company of laundering $160 million in illicit funds since 2018.
Those transactions account for 40% of the company's known business, according to Chainalysis.
Suex operates out of Suite Q on the 31st floor of Federation Tower East.
Suex founder Vasily Zhabykin and the company's largest shareholder at the time of the sanctions, Egor Petukhovsky, both deny any wrongdoing or illegal activity.
In November, Dutch police, using a US extradition warrant, detained Denis Dubnikov, the owner of a firm called EggChange, Russian news outlets reported.
EggChange has offices on the 22nd floor of Federation Tower East and is under investigation in the United States and Europe for allegations of money laundering, Bloomberg reported.
Dubnikov, in a statement released November 5 by another one of his companies, Briefcase, denied any wrongdoing.
The world's largest cryptocurrency marketplace, Binance, has also "flagged several accounts and illicit flows associated with" platforms including EggChange and CashBank, another company operating out of Federation Tower East.
Binance said it alerted law enforcement to "potentially illicit activities" and shut down the accounts it identified.
Buy-bitcoin.pro, another operator with headquarters at Federation Tower East, has processed hundreds of thousands of dollars in ransomware funds, including for other illicit operators such as Hydra, the largest darknet market based in Russia, according to Chainalysis.
EggChange, CashBank and Buy-bitcoin.pro did not respond to Bloomberg's requests for comment.