He Got Arrested in Russia for a Bitcoin Bribe. Now the Coins Are Moving to Exchanges

A criminal case involving a whopping amount of bitcoin is being investigated in Russia, but some of the evidence of the crime seems to be moving to crypto exchanges by unknown parties, blockchain intelligence firm Crystal Blockchain found.

The long and convoluted story concerns a disgraced law enforcement officer in Moscow, who is under investigation for allegedly extorting bitcoin from hackers, Russian media reported in June.

Marat Tambiev, age 35, a mid-ranking officer on Russia’s Investigative Committee, in January 2022 arrested several members of the Infraud Organization, the notorious Russian cybercriminal group. (Two members of Infraud were sentenced to five to 10 years in federal prison in the U.S. in 2021 for trading stolen personal data, credit card information, malware and other illegal goods.)

The hackers Tambiev arrested in Moscow, Mark and Konstantin Bergman and Denis Samokutyayevsky, allegedly paid a bribe of 1,032 BTC so that Tambiev would not confiscate all of their crypto, according to the Russian newspaper Kommersant. In June, an anonymous Russian-language Telegram channel leaked a fragment of a court document showing that 1,032 BTC were confiscated, with partially redacted blockchain addresses.

The hackers testified, however, that they sent Tambiev more than twice as much crypto – 2,718 BTC – the newspaper Arguments and Facts reported. The funds were transferred via the hackers’ attorney Roman Meyer, according to the publication. The larger bribe amount appears to have been confirmed by a lawyer, Vadim Bagaturya, who works at the same law firm as Tambiev’s attorney. Bagaturya posted court documents in his Telegram channel showing the initial bribe amount of 2,718 BTC.

And while the officially confiscated 1,032 BTC were put in storage by the Investigative Committee for material evidence, it’s unclear what happened to the rest of the bribe, or the 1,686 BTC that the hackers said they gave Tambiev.

Just three months after the hackers’ arrests, Tambiev himself was arrested for bribery, and his laptop with bitcoin was confiscated.

The story from the hackers’ perspective is more detailed. Two days after the hackers were arrested, according to the transcript from Konstantin Bergman’s interrogation, their attorney passed along an offer from Tambiev that if they agreed to give him half of the bitcoins they possessed, he would return the rest to them. The hackers agreed to the offer, and on the same day, a Moscow district court released the three men on bail.

At 9 p.m. that same evening, the three hackers met Tambiev at the Investigative Committee office and spent hours going through their crypto wallets. By 7 a.m., they found that they together had 5,212.9 BTC in total. They paid Tambiev 2,718.66 BTC and kept the rest.

In March 2022, Tambiev was arrested, and his apartment in Moscow was searched. On his MacBook, Tambiev’s colleagues found a file titled “Retirement,” with photos of hand-written notes that contained seed phrases for two wallets.

In those wallets, investigators found 931.1 BTC and 100 BTC. After that, the bitcoins were confiscated, sent to another address using the Ledger Nano X hardware wallet and stored in a safe vault for evidence, Kommersant wrote.

During his 11-year tenure at the Investigative Committee, Tambiev earned a total salary of about $134,300, according to the charging documents by the Prosecutor General’s Office, which was leaked online. His earnings represent less than 1% of the value of the bitcoins in his wallets.

The investigation is continuing and Tambiev’s guilt hasn’t been established in court. In the meantime, he was fired from his job and is currently fighting his dismissal in court.

Crystal Blockchain located the wallets that contained the bribe based on fragments of addresses listed in the leaked court documents, the blockchain data research firm told CoinDesk. The wallets that received 100 BTC and 932 BTC in July 2022 are both empty now, their contents sent to the wallet in the custody of law enforcement in Nov. 2022.

“We reviewed the transactions associated with the 1,032 BTC address and identified an additional payment of 1,032 [BTC], as well as the remaining 654 [BTC]. We assess that these payments were probably made to other officials who have not been held accountable but have some connections to Russia-based cybercrime groups,” Nick Smart, director of blockchain intelligence at Crystal Blockchain, told CoinDesk.

He added that Crystal located additional, previously unreported wallets belonging to the Infraud Organization, and those appeared to be closely connected with the darknet marketplaces UniCC and LuxSocks.

The story gets even more interesting when following the disputed remainder of the bribe money. The initial bribe amount, connected to the known Infraud wallets, was distributed among several wallets and then moved between a bunch of intermediary addresses, according to the data provided to CoinDesk by Crystal. On March 7, 1,032 BTC landed in the two wallets seized by the law enforcement. On November 17, 2022, the day Tambiev was arrested and his bitcoins seized, those two wallets sent all of their bitcoins to a new one and the bitcoins haven’t moved from there since. This is presumably the official money confiscated by authorities and held for evidence.

Another bitcoin wallet, which received 1,032 BTC at the same time as the arrested wallets, remained inactive until Dec. 6, 2022. The remainder of the bribe money that the hackers said they gave Tambiev may have been stored in a third wallet with 654.1 BTC in it, according to Crystal. During 2022, most of those funds moved to centralized crypto exchanges, namely, Huobi, WhiteBit and a little-known Estonia-registered exchange Bitexbit, Crystal’s data show.

WhiteBit CEO Vladimir Nosov told CoinDesk that the holders of the bitcoins traced by Crystal used an over-the-counter (OTC) service to cash out, and that service, in turn, used WhiteBit. The transactions did not look suspicious and had a low risk score, Nosov added.

Transaction-tracking services like Crystal label wallets as risky or criminally connected based on data from law enforcement agencies or public reports. However, wallet owners often cash out their crypto from exchanges before the criminal connection becomes known, or use small OTC services that pay much less attention to know-your-customer and anti-money laundering checks than bigger exchanges.

Huobi and Bitexbit have not returned comment as of press time.

CORRECTION (July 7, 2023 16:26 UTC): The original version of this story had an incorrect calculation for Tambiev's total job earnings compared to the value of the BTC in his wallets.