Two independent investigations indicate the systematic exploitation of Estonian corporate and crypto-asset infrastructure for the laundering of proceeds linked to the Russian defence-industrial complex, sanctions evasion, and the integration of criminal proceeds at a scale comparable to the Danske Bank scandal (€200 billion). The pattern raises material FATF compliance concerns and triggers obligations for Suspicious Transaction Reports (STR/SAR) across multiple FATF jurisdictions.
Scheme 1 (Riedella / Rudov): An IT contractor to Russian state security services (an FSB-certified manufacturer of information-security products) maintained €13 million in crypto-assets on centralised exchanges through an Estonian legal entity. This €13M represents merely 5% of a single account's volume (per Veresov's witness testimony). The realistic scale of the network is approximately 200 accounts × €260M = €13–52 billion in throughput. The civil case is conducted by the former Prosecutor General of Estonia, to whom the prosecution service released criminal-case materials on the same day the civil claim was filed. The criminal case was closed without establishing the destination of €12 million — a clear failure to investigate the predicate offence.
Scheme 2 (Fishman / HitBTC): St Petersburg-based programmer Grigory Fishman built a conglomerate (HitBTC, Changelly, Freewallet, Cointelegraph, BeQuant and others) with monthly trading volumes of $20+ billion — operating de facto as unlicensed global infrastructure for crypto-asset laundering: used to launder proceeds from WannaCry, the WEX exchange collapse and dozens of cyber-intrusions. Beneficial-ownership disclosures are deliberately obscured; multiple subsidiaries received regulatory warnings from the FCA, MFSA, BVI FSC and SVG FSA.
How did Riedella OÜ — the Estonian subsidiary of a Moscow-based IT contractor to Russian state security services, declaring a €276,000 loss in 2019 — accumulate €13,000,000 in crypto-assets on Binance and Huobi? Neither the Estonian Prosecutor's Office nor the court addressed this question. The investigator whose materials underpin the civil claim reports to the prosecution service led for nine years by the claimant's counsel, Norman Aas. This presents a textbook conflict of interest under Council of Europe anti-corruption standards (GRECO).
Per witness testimony of Andrey Veresov (closed criminal case No. 19230100730), only ~5% of total account balances was reported as "stolen". This permits a direct calculation of the realistic operational scale of Riedella OÜ — a company that publicly declared an annual loss of €276,000.
Conclusion: Riedella OÜ is not a "victim of hackers." It is a professional financial operator with multi-billion-euro throughput, exploiting an Estonian corporate shell to channel a money flow whose origin remains unverified. The scale is commensurate with the Danske Bank Estonia scandal (€200 billion) — but in crypto-asset form.
Direct quotation from the testimony of Andrey Yurievich Veresov:
This indicates: a centralised network of 200–300 accounts opened in third-party names, a shared password sheet, accessible to all Riedella OÜ staff. This is not a "hack victim" — it is industrial-scale laundering infrastructure based on smurfed KYC accounts. The single account decoded in the case file (Riedella OÜ on Binance) showed transactions of approximately €13M — visible only as the tip of the iceberg.
From case materials: "potential linkage to money laundering of Russian oil oligarchs (Fishman's clients/Investors)". Riedella OÜ is therefore an operational unit within a broader network associated with Grigory Fishman (see Section 4). Within defence correspondence, the Riedella matter is referred to directly as the "Fishman's Case". The Estonian prosecution service did not investigate this connection.
| Parameter | Danske Bank (Estonia, 2007–2015) | Riedella / Estonian Crypto (2018–2023) |
|---|---|---|
| Total throughput | €200 billion | >$1 billion documented; 55% of global VASPs domiciled in Estonia in 2021 |
| Mechanism | Correspondent accounts | VASP licences without effective KYC (AML officers identified as taxi drivers and welders) |
| Russian nexus | Russian shell-company clients | Companies with FSB certification; OFAC-sanctioned exchanges |
| Prosecution response | Belated, financial penalties | Effectively absent — case closed without tracing €12M |
| Key figure | Branch managers | Former Prosecutor General — claimant's counsel |
Complete dataset of blockchain addresses from the Russian criminal-case file No. 1190***** (Interrogation Protocol of A.Y. Veresov of 12.05.2020, St Petersburg) and the Estonian criminal case No. 19230100730. Riedella OÜ filing: stolen ~880 BTC + 6,499.98 ETH + 999,998.1 USDT. The Estonian Prosecutor's Office did not trace any of these addresses except the final USDT recipient.
HitBTC hot/cold wallets are annotated in public databases. Inflows include: WEX 10,000 BTC (November 2022), Ripple insider $112.5M (February 2024), US Government address $19.2M (October 2024).
| Database | Available data | Link |
|---|---|---|
| Arkham Intelligence | Annotated wallets of HitBTC, BeQuant, Freewallet, Changelly | arkham → entity/hitbtc |
| Etherscan Labels | Tagged HitBTC addresses on Ethereum | etherscan.io/accounts/label/hitbtc |
| Bitquery (HitBTC) | All deposit / withdrawal addresses by exchange | bitquery.io/labs/hitbtc |
| Walletexplorer (BTC) | HitBTC clusters across Bitcoin addresses | walletexplorer.com/wallet/HitBTC.com |
| ZachXBT investigations | Public addresses with tracing screenshots | t.me/investigations (Telegram channel) |
| OpenSanctions Cryptos | Sanctioned addresses (Garantex, Hydra, etc.) | opensanctions.org/datasets/crypto |
Step 1: Request to Binance via the appellate court (or EGMONT FIU-to-FIU channel) for the complete list of withdrawal transactions from Riedella OÜ accounts on 10.07.2019. Records retained for 10 years and remain accessible.
Step 2: Run first-tier addresses through Chainalysis Reactor / TRM Labs / Crystal Intelligence or an open-source equivalent (GraphSense).
Step 3: Match against known clusters of HitBTC / Changelly / MinerGate — high probability of overlap given that both schemes share St Petersburg origins and operate via Estonia.
| Company | Role | Regulator | Scandals |
|---|---|---|---|
| HitBTC | Crypto exchange (front) | NONE BVI liq. 2023, SVG — fraudulent | WannaCry, WEX 10k BTC, Ripple $112M, US Gov $19M, account freezes |
| Freewallet | Custodial wallet | FCA Warning 2023 Malta MFSA Warning | Hidden $50/month fees, freezes, Monero theft |
| Cointelegraph | Media front, market manipulation | None | Fake BTC ETF tweet Oct 2023 → $136M liquidations |
| Changelly | Non-KYC exchanger | None of substance | Founders identical to MinerGate founders; used for layering |
| BeQuant | "Institutional" front | Malta MFSA — surrendered licence 2022 | Owner Georgy Zarya (Russian → British citizenship) |
| MinerGate | Mining pool (closed 2023) | None | Withdrawals → auto-routed to Freewallet; shared founders with Changelly |
| TradeSanta | Trading bot | None | 0% fee on HitBTC for users — direct traffic redirection |
| Coin360 | Aggregator (JV with Hilbert Group) | None | 60% Hilbert; 40% Cointelegraph + Chiron Partners |
| LTFS Enterprise (Cyprus) | Exchange software (matching + custody) | None | Anonymous directors; profile matches HitBTC technology core |
| Date | Event | Amount | Source |
|---|---|---|---|
| 2017–2018 | WannaCry ransomware — portion of ransom routed via HitBTC | n/a | Le Monde |
| November 2022 | WEX 10,000 BTC — ~65 BTC (~$1M) to a HitBTC address | $1M+ | GetBlock |
| February 2024 | Ripple insider hack — laundering through HitBTC | $112.5M | ZachXBT (TG: 1963527562) |
| October 2024 | Compromise of US Government address — withdrawal via HitBTC | $19.2M | ZachXBT |
| November 2024 | Metawin casino hack — HitBTC nested service | $4M+ | ZachXBT |
| October 2023 | Cointelegraph fake BTC ETF post → market manipulation | $136M liquidations | Coinglass / Reuters |
"HitBTC is unequivocally the worst example" among 83 exchanges analysed. "Practically all reported volume is wash trading." CipherBlade (Richard Sanders): "the largest fraud by scale and duration in cryptocurrency history." No genuine reserves despite reported billion-dollar volumes.
The Lenta.ru investigation into Viktor Mangazeev publicly linked Grigory Fishman to specific financial transactions for the first time: Fishman's claim in the High Court of London for $19.7 million, and the freezing of Mangazeev's assets totalling $20 million in the UK. From the materials of the same case, the High Court publicly disclosed that Fishman is the owner of HitBTC, Freewallet and Cointelegraph (Rambler/Finance, tek.fm, September 2025).
| Date | Event | Amount | Source |
|---|---|---|---|
| 2017 | WannaCry ransomware — ransom laundered through HitBTC | ~$140K BTC | Quartz |
| 2017–2018 | BTC-e seizure by FBI — portion of BTC routed via HitBTC | — | Wikipedia |
| Dec 2017 | Mass complaints regarding HitBTC account freezes; class-action threats on Reddit / Bitcointalk | — | Bitcointalk |
| May 2018 | Karma Group v HitBTC — listing fee paid, services not rendered | 527.01 ETH | Karma Medium · Coinspeaker |
| Jan 2019 | Pre Proof-of-Keys freeze — HitBTC blocks withdrawals en masse | hundreds of thousands of complaints | Finance Magnates |
| 2019 | SEC / Bitwise report: HitBTC is "unequivocally the worst example" of wash trading among 83 exchanges | 95% of volume fake | Bitwise SEC |
| 2019 | HitBTC declared an "insolvent scam operation" (CipherBlade / Richard Sanders) | reserves < 90 BTC | CryptoBriefing |
| Nov 2021 | Lazarus Group laundering — BTC laundered through Changelly (revealed via ShapeShift API bug, Convex Labs) | Lazarus operation | BankInfoSec |
| Nov 2022 | WEX 10,000 BTC — ~65 BTC routed via HitBTC | ~$1M+ (visible portion only) | GetBlock |
| Nov 2022 | CrossTower acquires BeQuant (financing the Fishman / Lopez Lydian Group) | not disclosed | PRNewswire |
| Apr 2023 | HitBTC phishing clone (hitbt2c.lol) — funds stolen via spoofing | ~$15M | CoinDesk / Chainalysis |
| May 2023 | Fishman files claim against Alex Grebnev (Samcoins / MAPS / OXY, Alameda-backed) | $750K → $19.7M | XBO |
| Jun 2023 | Atomic Wallet hack (shared founder with Changelly — Konstantin Gladych) — Lazarus DPRK | $100M+ | Elliptic |
| Oct 2023 | Cointelegraph fake tweet regarding BlackRock BTC ETF | $100–136M liquidations | CoinDesk |
| Nov 2023 | BVI FSC: HiTech Digital Business Ltd (HitBTC) struck off and liquidated | de-registration | BVI FSC |
| Dec 2023 | UK FCA Warning against Freewallet | not authorised | FCA |
| Feb 2024 | Ripple insider hack — laundering via HitBTC | $112.5M | ZachXBT (TG: 1963527562) |
| Mar 2024 | SVG FSA: HitBTC documents are "false and forged" | fraudulent docs | SVG FSA |
| Oct 2024 | Compromise of US Government address — withdrawal via HitBTC | $19.2M | ZachXBT |
| Sep 2023 | Fishman's claim against Mangazeev (High Court London), asset freezing order | $19.7M claim / $20M frozen | Lenta.ru |
| Jun 2025 | Cointelegraph front-end exploit — fake airdrop pop-up | phishing | CoinDesk |
| Aug–Sep 2025 | Lenta.ru / Gazeta.ru / tek.fm: Fishman publicly identified as owner of HitBTC + Freewallet + Cointelegraph | disclosure | tek.fm |
BankInfoSecurity (Mathew J. Schwartz, November 2021), citing the Convex Labs investigation that exploited a ShapeShift API vulnerability: "Lazarus also appeared to exchange some bitcoin at Changelly, another exchange." This is the first and most concrete public reference to Changelly in the context of laundering for the North Korean Lazarus hacking group. Lead IRS-CI investigator: "The laundering is harder than the hacks themselves."
| Category | Description | Source |
|---|---|---|
| LAZARUS | Direct reference to Changelly as a Lazarus Group BTC laundering channel | BankInfoSec 2021 |
| $100M+ HACK | Atomic Wallet (shared founder) — hacked by Lazarus, $100M+ stolen | Elliptic |
| US TREASURY | Allegations: "flagged transactions by U.S. Treasury", cooperation with ransomware | Cybercriminal.com |
| FCA UK | Not authorised by FCA · "avoid this firm" | FCA |
| FROZEN FUNDS | Hundreds of complaints: KYC trap (swap completed — funds vanish — support silent for months) | Trustpilot · BlockNuggets |
| CANADA | Prohibited in Ontario (OSC non-compliance) | OSC Ontario |
| FINCEN | Registered as MSB — but this is a basic registration, not a licence. "Basic compliance, not comprehensive oversight" | Bitget Academy |
If the €12 million from Riedella accounts moved through Changelly — this is a crypto exchanger without genuine KYC, with a confirmed Lazarus connection and a Russian team based in St Petersburg. Changelly enables conversion to Monero (privacy coin) or to non-traceable tokens. Riedella accounts plus the Changelly structure form an ideal pairing for the secure laundering of money flows whose origin must be concealed.
Both schemes have St Petersburg roots, operate via Estonian / EU legal entities, evade AML scrutiny through Russia-linked fixers (Aas — Norman / Rudov — Trinity) and the absence of effective regulation at the level of crypto-asset infrastructure. The €12M that disappeared in the Riedella case may have moved through HitBTC or Changelly — meaning both schemes may form a single chain.
If money laundering of proceeds from contracts with Russian state security services is established, the assets of Riedella OÜ and Trinity Europe OÜ (including the missing €12M) are subject to confiscation as property linked to the financing of armed aggression. Separately — the assets of HitBTC / Lydian Group, which transited funds of designated persons (Garantex / WEX). Recovery channels: US (18 U.S.C. §981 civil forfeiture), EU (Directive 2024/1260 on asset recovery), UK (Proceeds of Crime Act 2002, Part 5). Whistleblower protection and rewards available under the FinCEN Whistleblower Program (up to 30% of sanctions collected) and the EU Whistleblower Directive (2019/1937).