Cryptocurrency Fraud in Russia (2019–2025): A Deep-Dive Timeline, Tactics, and Casebook

Executive Summary

Between 2019 and 2025, Russia experienced a sustained surge in crypto-related crime: large social-engineering operations in messengers, sophisticated phishing ecosystems, coercive robberies around P2P trades, sham tokens and ICO-style pitches, and high-profile prosecutions. Attackers increasingly exploited Telegram and look-alike domains, while authorities responded with seizures, arrests, and new investigative tooling. Below is an overview arranged by year, followed by the dominant schemes and practical defenses.

Quick Timeline of Notable Events

| Year | Snapshot of Key Events |
|------|------------------------|
| 2025 | BI.ZONE reports ~12.5k Telegram-focused phishing domains in Q2 (≈2× Q1). Valeria/Valery Fedyakina (“Bitmama”) receives 7 years (₽2.2 bn case). Three Moscow police officers detained for crypto extortion. New scam: impostors block Gosuslugi, push victims to “protect funds” via crypto transfers. |
| 2024 | $1m theft tied to BitFinex investor; 20+ cryptomats run from Ukraine dismantled; XPL fake-coin conviction (3 years) in Novosibirsk region; St. Petersburg “false investors” get up to 7 years (₽55m); Bitmama asset seizure (₽2.2 bn); case against UAPS/Cryptex (turnover ₽112 bn; 96 detained); SMEV used to expose officials’ illegal crypto. |
| 2023 | Telegram investment spam: ~22k posts; ~9k removed as suspicious (Angara Security). Court cases jump to 2,653 (from 510 in 2021). Kaspersky notes ~50% spike in transitions to scam crypto sites in September. Moscow police accused of forcing transfer of 9.6 BTC; court recovers 1,032 BTC from ex-investigator Marat Tambiev. Trend Micro: 1,000+ fake sites, ≈$5m stolen in ~3 months. |
| 2022 | First Russian criminal case on exchange-asset embezzlement; suspect linked in media to WEX figure Alexei Bilyuchenko; cash and hardware seized (₽190m+ in cash, $1m, €70k). Kidnapping/torture of Andrei Lifanov over 250 BTC passphrase. |
| 2021 | ≈2,500 convictions in 2017–2021; up 5,000% over the period. 954 crypto criminal cases in 2021 (+40% YoY), dominated by drug-trade matters. ESET: Russia accounts for ~11.2% of global crypto threat detections; Win/CoinMiner family >50% of detections. |
| 2020 | Clain Technologies: Russia leads global shadow crypto flows (41.1%). Notable phishing losses: ~₽11.2m from a blockchain.com clone; ₽900k in Omsk case. FSB staffers Belousov and Kolbov accused of BTC extortion (~₽65m equivalent). Scam “browser mining” and “rented compute” schemes proliferate. |
| 2019 | Bank of Russia warns that prospective Facebook and Telegram cryptocurrencies will spur fraud and pyramid schemes. |

2025: Telegram as a Crime Hub, High-Profile Sentences, and New Social-Engineering Hybrids

Messenger-Driven Threats

  • Scale: BI.ZONE observed Telegram-oriented phishing jump to roughly 12,500 domains in Q2 2025—nearly double the Q1 count—highlighting rapid attacker adaptation to messenger features and crypto add-ons.

  • Scheme A — Login Capture: Phishing pages that mimic official Telegram login endpoints prompt for SMS or app codes. Once supplied, criminals hijack accounts, harvest linked wallets, and comb chats/Saved Messages for passwords, card data, and document images.

  • Scheme B — “Rare Gift” Arbitrage: Scammers proposition victims with profitable purchases of rare Telegram digital gifts, sending fake tokens that appear legitimate but have no value and no redemption path.

Court and Police Actions

  • Valeria/Valery Fedyakina (“Bitmama”): On June 24, 2025, the Presnensky District Court (Moscow) imposed 7 years in a general-regime colony for misappropriating crypto valued at ₽2.2 billion. (Preceded by a January 15 announcement that charges involved large sums in bitcoins/dirhams.)

  • Moscow Police Case (April 29, 2025): Three officers detained on suspicion of extorting cryptocurrency under threat of prosecution; total alleged take ≈ ₽4 million in digital assets.

Emerging “Support” Con

  • Playbook: Callers posing as a mobile operator pressure the target to share an SMS code, then lock the victim’s Gosuslugi account and redirect to a fake hotline. A purported “anti-fraud” official instructs immediate conversion of funds to crypto for safety.

  • Commentary: State Duma Committee member Anton Nemkin underscored the use of panic and urgency to suppress critical thinking, exploiting gaps in crypto literacy.

Defensive basics: never disclose one-time codes; verify via official numbers; avoid urgent transfers on instruction; enable 2FA and use strong, unique passwords.

2024: Exchange Thefts, Cryptomat Network, Fake Coins, and Institutional Tooling

  • BitFinex-Related Theft: In early April 2024, the Tverskoy District Court convicted Rustam Rakhmetov (Intrand LLC) and Artur Kudeli (Assessment-Dako LLC) of stealing $1,000,000 from Yan Shishkov, who sought to trade on BitFinex.

  • Ukrainian-Run Cryptomat Ring: In December 2024, the MVD dismantled 20+ terminals used by phone scammers to route deposits directly into criminal wallets. A Ukrainian ringleader collected cash, converted to crypto, and forwarded proceeds. A soldier in rehabilitation reportedly lost >₽2.5 million. Case opened under Article 159(4) (especially large fraud).

  • Novosibirsk Region (Kolyvan District Court): December 2024—3-year sentence for marketing a non-existent cryptocurrency (XPL coins) via the International Consumer Cooperative for the Development of Social Programs of the MAO. One victim was persuaded to swap a house and 148.2 m² plot for 92,000 XPL (alleged ₽6.7m equivalent). Property restored; accomplices sought.

  • Additional 2024 milestones:

    • St. Petersburg (Nov 1): four “crypto investor” impostors sentenced (up to 7 years) for ₽55m stolen from 45 victims.

    • Moscow (Oct 18): court arrests assets of “Bitmama” totaling ₽2.2 bn.

    • UAPS/Cryptex (Oct 2): case opened; 96 detained; 148 searches in 14 regions; alleged ₽112 bn turnover.

    • SMEV (Sept): Prosecutor General Igor Krasnov notes SMEV’s role in surfacing illegal crypto holdings of officials via access to 100+ state databases.

    • Moscow City: flagged in late May as a hotspot for crypto-linked fraud activity.

2023: Telegram Investment Lures, Litigation Boom, Infrastructure-Scale Scams

  • Angara Security (Jan 19, 2024 report): Of ~22,000 Telegram posts about crypto, ~9,000 were flagged and removed as fraudulent. Baits included “turn ₽1,000 into ₽70,000,” “official” channels, “smart investments,” wallet promos, and deposit offers.

  • Domain Typosquatting & Brand Mimicry: A spike in investment-themed domains (RU segment, ~1,500 in 2023; ~50% registered in Q4) paralleled Binance exiting Russia; criminals spoofed CommEX successors.

  • Courts & Caseloads: RBC (Mar 26, 2024) citing Moscow Digital School and EBR: crypto-related cases rose to 2,653 in 2023 (from 510 in 2021). Bankruptcy disputes were 62% (up 91% YoY). Civil +60%, criminal +34%, administrative +19%. Trends: drug flows, theft via hacks/phishing/ransom, and fraudulent platforms/pyramids.

  • Robbery & Misconduct:

    • Moscow police extortion (Sept 7): two officers allegedly coerced transfer of 9.6 BTC (≈₽26.2m).

    • Marat Tambiev (June 19): court recovered 1,032 BTC as illicit bribes.

  • Mass-Scale Online Fraud: Trend Micro (June 6): Impulse Project (Impulse Team) ran 1,000+ polished fake platforms; over ~2.5 months, ≈$5m extracted from Russia/CIS users via “small activation deposit” + fabricated trading gains. Recruitment via TikTok, Twitter, online video ads.

  • Other incidents:

    • April (Moscow): student carrying $53,000 to “crypto earnings courses” was robbed.

    • March (Nizhny Novgorod): >₽10m in BTC lost due to address substitution.

    • February: first Russian verdict tied to P2P trading on a crypto exchange (Garantex code sale; 2-year suspended).

    • Dec 2022 case follow-up: suspects detained for kidnapping and torturing Andrei Lifanov to obtain a 250 BTC password.

2022: Exchange-Asset Embezzlement Case and High-Value Kidnapping

  • Exchange-Asset Embezzlement (Mar 22): MVD announced the first Russian criminal case over embezzlement of a crypto exchange’s assets. The suspect—publicly linked by attorneys to Alexei Bilyuchenko of WEX—allegedly diverted funds he controlled.
    Seized: ₽190m+ cash (two suitcases), $1m, €70k, hardware, and hardware wallets across 29 searches in Moscow, St. Petersburg, Novosibirsk, Yalta. Charged under Art. 160(4); assets worth >₽2 bn frozen.

  • Lifanov Kidnapping (Dec 1, 2022): Entrepreneur Andrei Lifanov abducted and tortured with a blowtorch for the passphrase to a wallet holding 250 BTC (~₽262m at the time). He reported the crime; funds were reportedly still on the account immediately after release.

2021: Prosecutions Soar; Threat Activity Concentrates in Russia

  • Convictions (2017–2021): ≈2,500 decisions tied to cryptocurrency; +5,000% over four years (per Alexander Volevodz, MGIMO). Many remain unsolved due to regulatory gaps and cross-border obstacles.

  • RTM Group (2021): 954 criminal crypto cases (+40% YoY); 62% of all crypto-related proceedings were criminal, dominated by drug trafficking (738), plus laundering and illegal gambling. Civil unjust-enrichment disputes were frequent but often failed due to risk assumptions; crypto appeared more in bankruptcy; miners faced claims for unmetered electricity.

  • ESET (Feb 14, 2022): Russia ~11.2% of global crypto threat detections (Peru 6.4%, USA 5.8%). The Win/CoinMiner family >50% of detections; spikes tracked Bitcoin’s move toward ~$68k in Nov 2021. Attackers increasingly abused mobile apps and NFT narratives.

  • ICO-Style Frauds: Sberbank’s Stanislav Kuznetsov described glossy token pitches where funds vanish post-payment; scammers imitate official channels/admins. Kaspersky highlighted the SquidToken episode as emblematic of trend risk.

  • Global Fraud Share: By Oct 1, 2021, ESET ranked Russia as leading source/target for crypto scam campaigns (~10% share), with widespread look-alike domains, celebrity-bait, and malware hosted on adult/torrent/streaming sites.

2020: Shadow Crypto Dominance, Large Phishing Losses, and “Browser Mining” Scams

  • Clain Technologies: Russia’s share of shadow crypto operations reached 41.1% in 2020, with Hydra and low-KYC exchanges enabling drug and fraud flows. Ukraine followed (6.54%), then UK (2.8%), Germany (1.87%). Up to 350m exchange users worldwide; transactions >$19.7bn (+30% YoY); illicit flows $4.2bn (+16%); ~$800m moved between dark-web services and exchanges.

  • Major Phishing Incidents (Dec 2020):

    • A Muscovite scanned a QR to a blockchain.com clone and lost >6 BTC + 70 ETH (≈₽11.2m).

    • In Omsk, another victim lost ₽900k attempting to buy BTC over weeks.
      Kaspersky noted more polished email lures and Facebook page clones with near-identical names masking deceptive URLs.

  • FSB Extortion (Oct 2020): Central-office employees Sergei Belousov and Alexei Kolbov accused of extorting bitcoins worth ~₽65m.

  • “Mining in Your Browser” / “Rent a Rig” Hoaxes: Qrator Labs documented portals promising ₽20k for lending CPU time; “verification fees” exposed full card data (incl. CVV/CVC), enabling drains. Kaspersky counted ~23k such resources in H1 2020. Earlier variants installed real miners but routed payouts to attacker wallets.

2019: Early Warning from the Central Bank

In September 2019, the Bank of Russia warned that anticipated cryptocurrencies from Facebook and Telegram would catalyze fraud and pyramid activity—especially via cross-border marketing and investor hype.

Dominant Tactics (Cross-Year)

  1. Impersonation & Phishing: Exchange/wallet clones; Telegram login look-alikes; typosquatted domains; polished email and social profiles.

  2. Social Engineering: “Official support” impostors, urgency scripts, blocked accounts, “safe” transfers to crypto.

  3. Investment Lures: Telegram channels and “admins,” fake tokens and ICOs, celebrity endorsement fabrications, “rare gift” arbitrage.

  4. P2P Hazards & Physical Crimes: Robberies, coercion, and extortion around in-person deals.

  5. Platform-Scale Operations: Affiliate programs powering hundreds of fake trading portals with professional design and ad buying.

Practical Defenses (What Actually Helps)

  • Never share one-time codes or seed phrases; no legitimate support will ask.

  • Verify independently using official websites/phone numbers; ignore “urgent” instructions.

  • Use only recognized apps from Google Play/App Store; confirm the publisher.

  • Inspect domains (WHOIS, age, subtle typos). Bookmark official portals.

  • Harden accounts: enable 2FA (app-based preferred), strong unique passwords, password manager.

  • Check counterparties: consult the Bank of Russia blacklist; avoid ad-link funnels.

  • Antivirus/EDR: keep protections current; update OS and browsers.

  • For P2P trades: prefer escrowed, reputation-based platforms; avoid cash meetups; never go alone.
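
The "inspect domains" and "bookmark official portals" advice above can be partly automated. The following is an added example, not part of the original article: it triages a hostname against a bookmarked allowlist and flags the look-alike patterns described in the casebook (typos, brand names used as subdomains, internationalized homoglyphs). The allowlist contents, the verdict strings and the `.example` hostnames used to exercise it are assumptions constructed for illustration.

```python
# Added example: triage a hostname against bookmarked official portals.
# OFFICIAL is a sample allowlist (assumption); replace it with your own bookmarks.
OFFICIAL = ("telegram.org", "t.me", "blockchain.com", "gosuslugi.ru")
# Digit-for-letter swaps and hyphen padding commonly seen in look-alike names.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    # Non-ASCII or punycode labels can hide homoglyphs (e.g. Cyrillic "е" for "e").
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "idn-review"
    # Naive registrable domain = last two labels (assumption: a real tool
    # would consult the Public Suffix List).
    if ".".join(labels[-2:]) in OFFICIAL:
        return "official"
    sub = ".".join(labels[:-2])
    for good in OFFICIAL:
        # Official name used as a subdomain prefix of an unrelated domain.
        if f".{good}." in f".{sub}.":
            return f"embedded-brand:{good}"
    name = labels[-2].translate(CONFUSABLE) if len(labels) > 1 else host
    for good in OFFICIAL:
        brand = good.split(".")[0]
        if len(brand) < 4:  # too short to compare meaningfully (e.g. "t")
            continue
        if brand in name or edit_distance(name, brand) <= 2:
            return f"look-alike:{good}"
    return "unlisted"
```

An "unlisted" verdict only means the name did not resemble an allowlisted portal; WHOIS age and independent verification still apply.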
