Russian OTC Broker Accused in $4.7 Million Ransom Crypto Laundering Case
Abstract: Russian OTC broker Aleks Khinkis is reported to have been involved in laundering over $4.7 million in ransomware-related cryptocurrency.

A new investigation by leading on-chain analyst ZachXBT has triggered fresh concern across the digital asset industry, exposing what appears to be an active and ongoing ransomware money laundering operation. The report links Russian over-the-counter (OTC) broker Aleksandr, widely known as Aleks Khinkis, to the movement of more than $4.7 million in suspected illicit funds since 2025.
The scale, consistency, and timing of the transactions suggest that this is not a historical case, but a continuing risk. Funds tied to ransomware activity are not only being processed but may still be circulating within the crypto ecosystem, posing a direct threat to market integrity and compliance efforts.
At the centre of the findings are three major ransom payments, totalling approximately 796 bitcoins. These funds were transferred in a structured manner to a single deposit address linked to the broker's trading account. Before reaching this endpoint, the assets were bridged between the Bitcoin and Avalanche blockchains, an increasingly common tactic used to obscure transaction trails and delay detection.
Between 2025 and 2026, at least 75 separate transactions were executed, indicating a deliberate and sustained laundering strategy. This level of activity points to a system designed to handle repeated inflows of illicit capital rather than isolated incidents.
More concerning is the current status of the funds. An estimated $16.6 million remains locked within the decentralised finance platform Aave, where it is being gradually liquidated. This suggests that the laundering process is still unfolding in real time. The presence of such a large sum within DeFi infrastructure demonstrates the difficulty of halting illicit flows once they enter decentralised environments.
The investigation outlines several key ransom payments that illustrate the pattern. In September 2025, roughly 72 bitcoins were traced through cross-chain transfers to the address in question. The following month, a further 164 bitcoins were identified and converted into approximately $3.8 million. These transactions demonstrate how quickly large sums can be restructured and absorbed into the broader market.
There is also clear evidence of regulatory intervention, though it appears to have come after significant movement had already taken place. In November 2025, Tether blacklisted a number of addresses associated with the activity. The affected USDT was frozen and ultimately destroyed, confirming that compliance teams and enforcement bodies had stepped in. However, the delayed response underscores the speed at which such operations can outpace oversight mechanisms.
The case becomes more serious when viewed in a broader timeline. The same account had previously been linked to a 560-bitcoin ransom transaction in 2023. Those funds were routed through multiple intermediary wallets and trading platforms before being bridged back into the Avalanche network in 2024. This pattern suggests repeated use of the same infrastructure to process illicit proceeds over several years.
Perhaps the most troubling aspect of the report is the strong correlation between the originating wallets and known ransomware addresses. These links indicate that the addresses involved may function as critical transit points within a wider criminal network. In effect, they may serve as financial arteries through which ransomware groups move and recycle their earnings.
While some of the identified funds remain inactive, the risk is far from contained. Dormant assets can be reactivated at any time, especially if monitoring efforts weaken or attention shifts elsewhere. This creates a persistent threat, not only to exchanges and platforms but also to unsuspecting counterparties who may unknowingly interact with tainted liquidity.
The findings point to a deeper structural challenge within the crypto sector. Despite the transparency of blockchain technology, the combination of cross-chain bridges, OTC services, and decentralised finance platforms continues to provide fertile ground for sophisticated laundering operations.
ZachXBT's investigation reinforces the need for immediate and coordinated action. Rapid reporting of suspicious addresses, closer collaboration between platforms, and faster enforcement responses are essential. Without decisive measures, the industry risks allowing illicit capital to circulate unchecked, undermining trust at a time when scrutiny is already intensifying.
As ransomware attacks continue to rise globally, this case serves as a stark warning: the infrastructure enabling these crimes is not only intact, but actively in use.

