{
	"id": "46923456-9875-4a14-b8f1-43ea8ad3e7e3",
	"created_at": "2026-04-06T01:32:10.621386Z",
	"updated_at": "2026-04-10T03:36:01.589701Z",
	"deleted_at": null,
	"sha1_hash": "cdaf1d05e8c04337c65f80c548edb91ae267e852",
	"title": "Inside Operation Destabilise: How a ransomware investigation linked Russian money laundering and street-level drug dealing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 630461,
	"plain_text": "Inside Operation Destabilise: How a ransomware investigation\r\nlinked Russian money laundering and street-level drug dealing\r\nBy Alexander Martin\r\nPublished: 2024-12-23 · Archived: 2026-04-06 00:28:28 UTC\r\nEarlier this month, the United Kingdom’s National Crime Agency (NCA) unveiled the most complex investigation\r\nthat staff can remember. Over nearly four years, Operation Destabilise involved almost everyone at the agency.\r\nWhat those staff uncovered was unprecedented for law enforcement: the complete financial chain connecting\r\nstreet-level drug dealing to the multibillion-dollar money-laundering operations that underpin criminal activities\r\non a global scale.\r\nBased on interviews with NCA investigators, this is the story of how pulling at the thread of a ransomware group’s\r\nextortion funds ended up unravelling a Russian-speaking money-laundering network used by transnational drug\r\ntraffickers, cybercriminals, Moscow elites evading sanctions and even the Kremlin’s espionage operations. Two\r\ninvestigators asked to remain anonymous to speak freely about the operation.\r\nIt begins during 2021. By the middle of that year, ransomware attacks on Colonial Pipeline and the software\r\ncompany Kaseya had firmly established the scale of the threat in the minds of the investigators. The cyber team at\r\nthe NCA was digging around the blockchain — the transparent ledger that underpins most crypto asset\r\ntechnologies — to track payments linked to the Ryuk ransomware group.\r\nRyuk, and the criminal conspiracy associated with it, had become a major focus for the NCA. Later, the agency,\r\nalongside the FBI, would expose several members of the cybercrime gang, linking them to another ransomware\r\nstrain, Conti, as well as the Trickbot banking trojan.\r\nInitially, the sheer volume of funds that the NCA had uncovered on the blockchain was shocking. 
“I genuinely\r\nthought that there’s a decimal point wrong,” said Will Lyne, the head of intelligence for the NCA’s cybercrime\r\nunit.\r\nThe scale “became apparent pretty quickly,” added the investigation’s tactical lead, who spoke to Recorded Future\r\nNews on the condition of anonymity. Blockchain analysis and other techniques allowed the investigators “to\r\nidentify hundreds of millions, if not billions” being turned over. It was well beyond what they expected.\r\n“We were still looking at this in the context of ransomware ransom payments. … We were originally thinking this\r\nis a financial service that’s enabling the Ryuk business model,” said Lyne, but the cyber team quickly realized that\r\nwhat was happening “was much broader than just our threat area.”\r\nIt was relatively straightforward for the NCA to link this blockchain activity to two particular real-world entities;\r\nRussian businesses called Smart and TGR Group, both based in Moscow’s landmark Federation Tower.\r\nhttps://therecord.media/operation-destabilise-money-laundering-investigation-uk-nca\r\nPage 1 of 7\n\nThe head of the Smart network was Ekatarina Zhdanova — a business celebrity in Russia, and “not your typical\r\norganized crime group boss,” as the NCA’s director general of operations Rob Jones told journalists when the\r\noperation was first unveiled. The TGR Group was led by George Rossi, assisted by Elena Chirkinyan.\r\nLeft to right: Elena Chirkinyan, George Rossi and Ekatarina Zhdanova. Images: U.K. NCA\r\nBoth entities became part of the investigation, but the blockchain linked these potential billions of dollars to other\r\norganizations well outside of the ransomware world. It meant the investigation was becoming something much\r\nmore than the cyber team’s typical fare. 
“We quite quickly began to think of it conceptually as a Russian illicit\r\nfinance and global money-laundering network operating across numerous jurisdictions, which changed our\r\nframing of the threat and the framing of our investigation,” said Lyne.\r\n“Even through a cursory search and open source, you can see how Zhdanova is connected to the Moscow social\r\nscene,” said the NCA’s tactical lead. “And through our review of other material, we were aware as well of the\r\nconnection into wider money laundering ecosystems around the world.”\r\nBreakthrough\r\nAt that point, the investigation was a matter of high-level money laundering all taking place abroad. The major\r\nbreakthrough came in November 2021, when a suspected criminal cash courier — a man called Fawad Saiedi —\r\nwas arrested while driving southbound on the M1 motorway toward London with £250,000 in cash in his vehicle\r\nalongside a tranche of invaluable evidentiary material.\r\nThis material was key. The NCA now knew that as a single cash courier, Saiedi had laundered over £15,650,000.\r\nMoreover, there was evidence he had done so for Ekatarina Zhdanova in a sprawling cash-for-crypto scheme.\r\n“It was a really important arrest and it demonstrated this cash-for-crypto activity in the U.K. in a way that I don’t\r\nthink we were totally unaware of, but it connected it in a way that I think was really interesting,” said Lyne.\r\n“Effectively following that arrest, and when we reviewed all of [Saiedi’s] exhibits, we put together a suspicion\r\nthat Zhdanova was also connected to this, as well as other key associates with links to the Smart group,” said the\r\nNCA’s tactical lead.\r\nBody camera footage of Fawad Saiedi's arrest. Image: U.K. 
NCA\r\nBy “exploring those links” between Zhdanova and her associates and cash couriers in the United Kingdom, the\r\nNCA eventually was “able to further connect those individuals into a series of other U.K.-based cash-to-crypto\r\nnetworks. Effectively, the investigation began from there and really began to flourish afterwards.”\r\nSaiedi’s cash runs were being managed by a man called Nikita Krasnov, whom the NCA identified as one of\r\nZhdanova’s associates. Krasnov was ultimately also found to be coordinating other courier networks utilizing\r\nRussian-speaking individuals.\r\nThe investigators put this critical cash courier level — linking street-level dealers to international crime — under\r\ntheir spotlight. The NCA used a range of covert capabilities to track these couriers and the coordinators who\r\ndirected them on behalf of Smart and TGR, as well as the cash and other stores of value being routed around the\r\nworld, often through the United Arab Emirates.\r\n“From the criminal perspective, cryptocurrency effectively turbo-charges [value exchanges] and speeds everything\r\nup from them. Obviously you can move value there across borders in seconds, very cheaply. And it gives\r\ncriminals a form of value that they’re happy to transact in, rather than having cash move from one jurisdiction to\r\nanother,” said the tactical lead.\r\nAnother NCA officer who can only be identified as the strategic operational lead told Recorded Future News that\r\nthe realization came “very slowly” about how the different parts of this conspiracy were interconnected. 
“It was\r\nquite clear that it was cross-cutting, from the Russian angle into serious organized crime, but at that moment we\r\nknew that there would be a massive opportunity if we looked at it as a cross-threat thing rather than a cyber\r\nthing.”\r\nThe investigation was now definitely beyond the cyber team’s threat area.\r\nCurveballs\r\nAnd then the NCA encountered something it was not only not expecting, but wasn’t able to investigate. Among\r\nthe laundering services’ clients were Russian elites using the networks to purchase property in the West, and also\r\nRT (formerly Russia Today) — owned by an entity sanctioned by the U.K. — which used the network to fund\r\nanother media organization in Britain. But while these could fall within the NCA’s remit, the agency said that\r\n“from late 2022 to summer 2023 the Smart network was used to fund Russian espionage operations.” Unlike in\r\nthe U.S., where the FBI has a counterintelligence function as well as its work tackling serious crime, the NCA\r\ndoesn’t investigate state-sponsored threats such as espionage, which instead largely fall to the Security Service\r\n(MI5).\r\nThe British state’s approach is strictly compartmentalized, even when cases such as this highlight the blurred\r\ndistinctions between state-sponsored threats and organized crime. But for the NCA, the discovery of a state-sponsored link means handing off certain aspects of the investigation to those other parts of government, and\r\ncontinuing to progress its investigation into the criminal networks.\r\nIt is not known what espionage operations were funded using the Smart network. In November, two Bulgarian\r\nnationals pleaded guilty to being part of a spy ring run by a Russian agent in Britain. Three of their alleged\r\naccomplices have denied the allegations. 
That alleged spy ring was operational between August 2020 and\r\nFebruary 2023, according to prosecutors, and the trial is ongoing.\r\nAs the investigation continued, the NCA interdicted 24 different cash swaps and learned of many more, often\r\nalmost immediately accompanied by a transfer. One network alone was identified conducting “cash handovers in\r\n55 different locations across England, Scotland and Wales and the Channel Islands, over a four-month period.\r\nThey did so on behalf of at least 22 suspected criminal groups,” according to Lyne.\r\nCash seized by the NCA in Operation Destabilise.\r\n“We had multiple cash seizures in quite quick succession, which was obviously fantastic. These interdictions\r\nalmost always happen over the weekend. Drug dealers seemingly don’t like keeping loads of money in stash\r\nhouses over the weekend,” said Lyne.\r\n“Whether it’s rival crime groups or more probably law enforcement, [they are] quite keen to get rid of the cash as\r\nsoon as possible,” the tactical lead explained. “It’s a reassurance policy, ‘I’ve got rid of this big lump of cash that\r\ncould easily be seized by law enforcement or whoever else it might be, rival groups. 
And in fact I’ve got a receipt\r\nhere that proves that I’m getting back £100,000 from the money-laundering group.’ It gets rid of heavy assets that\r\nthey could easily lose to something that’s slightly insured to an extent.”\r\nRepeatedly, the money-handling members of the drug dealing gangs were seen handing cash to the couriers in\r\nexchange for cryptocurrency — usually the dollar-linked USD Tether crypto asset — which Lyne said the NCA\r\nsaw being transferred almost immediately after the handover, and believes eventually made its way to South\r\nAmerican drug cartels to fund more shipments of cocaine.\r\nAll of these incidents provided valuable intelligence and numerous leads, both of the onward movement of cash as\r\nwell as of the crypto assets. The most challenging task for the NCA was not just analyzing that intelligence\r\neffectively, but establishing a structure for the investigation with each of its many parts — from the Russia-based\r\nentities through to the coordinators and cash courier networks — all being complex investigations in and of\r\nthemselves.\r\n“We broadened it out, we had to bring in and leverage expertise from across the agency and elsewhere to make\r\nsure that we’ve got the right skill sets, and then we had to set up our governance structure to bring all of those\r\nskills cohesively together,” said Lyne.\r\n“We recognized this was too big to be one single investigation, and so we took the decision that we would have\r\nOperation Destabilise as an almost overarching governance structure, with some leadership and decision-making,\r\nobjective-setting skills,” he added.\r\nBreaking down the investigation meant identifying distinct networks. 
“That’s fairly easy, if you’ve got a group of\r\npeople that are co-conspiring to commit whatever offending, you clearly want to do that [investigation] as a\r\ncollective,” said the strategic operational lead.\r\n\"It’s probably the first time in 34 years I’ve seen such a variance of interconnection.”\r\n— The strategic operational lead for the U.K. NCA's Operation Destabilise.\r\nThen “within that group you’ll identify the hierarchy, from there the hierarchy leads to another set of controllers,\r\n[there will be another] hierarchy there that you’ll separate off. So [you] allow [another] team to focus on that, and\r\nwe’re literally breaking them [the criminal networks] up, understanding [the intelligence] within the U.K., and\r\n[then] allocating investigation teams wherever the most appropriate place is,” explained the strategic operational\r\nlead.\r\nThe NCA followed street cash being consolidated and counted and then washed through traditional high-cash\r\nturnover businesses in the United Kingdom, or simply being driven out of the country into other jurisdictions. The\r\nNCA’s Jones explained that there was simply so much money being made that no single laundering route was used\r\nand that millions of pounds are regularly smuggled across the border, despite these transfers regularly being\r\ncaught.\r\n“So the evidence you gleaned from ‘Brian Smith’ with 30,000 quid in a carrier bag can be directly linked to\r\nmovements that Zhdanova’s facilitating through the international controller networks, who act as the connectors\r\nand are often located in the Middle East, and from Russia,” said the strategic operational lead. 
While those value\r\nmovements often involved cryptocurrency, the laundering services were also seen trading property and other\r\nstores of value including shares and bonds to enrich their clients.\r\n“It’s probably the first time that in my time we’ve seen the interconnection between global impacts and money\r\nlaundering at the highest possible level, and its interconnection to street level organized crime, traditional\r\norganized crime, whether it be guns, drugs, whatever, and evolving in a new methodology of money exchanges,\r\nwhich is clearly changing. It’s probably the first time in 34 years I’ve seen such a variance of interconnection,”\r\nthey added.\r\nSeeing how this value was transferred internationally, particularly through the lens of the movement of crypto\r\nassets — on top of all of the other evidence that the agency was acquiring — provided the NCA with “a really\r\ngood opportunity to understand the methodology as well as the connection” between both ends of the criminal\r\nworld.\r\n“When we talk about the pool data, it’s absolutely everything, you know, from handwritten notes through to digital\r\nforensics, in some cases wet forensics as well, it all gets pooled and analyzed together,” explained the tactical\r\nlead, using a term for physical forensic evidence. 
“The way that we pooled data from all of the different\r\ninvestigations under Destabilise to one place so that we had a single version of the truth for us, and the ability to\r\nanalyze that material from a centralized perspective, was really powerful for us.\r\n“And then when you combine that with blockchain activity, and especially when we can deanonymize some of\r\nthat through the powers that the NCA has under the Crime and Courts Act and others, it provides a really powerful\r\npool of data where we can effectively link this back to senior individuals and really trace it from the courier level\r\nright up to the senior Russian level,” they added.\r\n“In terms of the complexity and the global reach, I think the scale of this is beyond anything that I’ve been\r\ninvolved in,” said the strategic operational lead.\r\nThe networks being investigated were “operating on local-to-global levels, and our response to it has mirrored\r\nthat, tackling the street-level drug deals in towns and cities up and down the U.K., to the South American cartels\r\nand senior coordinators, all the way through to enabling Russian espionage. This is the kind of investigation the\r\nNCA was built for, in my view, and I think we’ve risen to the challenge of tackling something like this in a really\r\nholistic way,” said Lyne.\r\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/operation-destabilise-money-laundering-investigation-uk-nca",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/operation-destabilise-money-laundering-investigation-uk-nca"
	],
	"report_names": [
		"operation-destabilise-money-laundering-investigation-uk-nca"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f95b20-4c86-4e09-b82d-c9ef72fed729",
			"created_at": "2024-03-12T02:02:11.297739Z",
			"updated_at": "2026-04-10T02:00:04.991462Z",
			"deleted_at": null,
			"main_name": "[Unnamed groups: Russia]",
			"aliases": [
				"Operation Destabilise"
			],
			"source_name": "ETDA:[Unnamed groups: Russia]",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439130,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdaf1d05e8c04337c65f80c548edb91ae267e852.pdf",
		"text": "https://archive.orkl.eu/cdaf1d05e8c04337c65f80c548edb91ae267e852.txt",
		"img": "https://archive.orkl.eu/cdaf1d05e8c04337c65f80c548edb91ae267e852.jpg"
	}
}