He was arrested in Russia for a Bitcoin bribe and now the coins are being moved to exchanges.

There is an ongoing investigation in Russia involving a large amount of bitcoin. However, some of the evidence related to the crime is being transferred to crypto exchanges by unknown individuals, according to blockchain intelligence firm Crystal Blockchain.

The case revolves around a disgraced law enforcement officer in Moscow who is being investigated for allegedly extorting bitcoin from hackers, as reported by Russian media in June.

The officer, Marat Tambiev, aged 35, arrested several members of the Infraud Organization in January 2022. Infraud is a notorious Russian cybercriminal group known for trading stolen personal data, credit card information, malware, and other illegal goods. Two members of the group were sentenced to federal prison in the U.S. in 2021.

The hackers arrested by Tambiev, namely Mark and Konstantin Bergman and Denis Samokutyayevsky, allegedly paid a bribe of 1,032 BTC to prevent Tambiev from confiscating all of their cryptocurrency. However, leaked court documents showed that only 1,032 BTC were confiscated, with some blockchain addresses redacted.

The hackers claimed that they actually sent Tambiev more than double the amount of crypto, specifically 2,718 BTC. The funds were transferred through their attorney, Roman Meyer. This larger bribe amount was confirmed by Vadim Bagaturya, a lawyer at the same law firm as Tambiev’s attorney, who shared court documents on his Telegram channel.

While the officially confiscated 1,032 BTC were stored as material evidence by the Investigative Committee, it is unclear what happened to the rest of the bribe or the additional 1,686 BTC claimed by the hackers.

Tambiev himself was later arrested for bribery, and his laptop with bitcoin was seized.

“Retirement” fund in a MacBook

The hackers provided a more detailed account of the events. According to Konstantin Bergman’s interrogation transcript, two days after their arrest, Tambiev made an offer through their attorney. If they agreed to give him half of their bitcoins, he would return the remaining amount to them. The hackers accepted the offer, and a Moscow district court released them on bail.

Later that same day, the three hackers met Tambiev at the Investigative Committee office and spent hours going through their crypto wallets. They discovered that they collectively had a total of 5,212.9 BTC. They paid Tambiev 2,718.66 BTC and kept the rest.

In March 2022, Tambiev was arrested, and a search of his Moscow apartment revealed a file on his MacBook titled “Retirement,” containing photos of hand-written notes with seed phrases for two wallets.

Investigators found 931.1 BTC and 100 BTC in those wallets. The bitcoins were then confiscated, transferred to another address using a Ledger Nano X hardware wallet, and stored in a secure vault as evidence.

During his 11-year tenure at the Investigative Committee, Tambiev earned a total salary of approximately $134,300, which is less than 1% of the value of the bitcoins found in his wallets.

The investigation is ongoing, and Tambiev’s guilt has not been established in court. He has been dismissed from his job and is currently challenging his dismissal.

Following the money

Crystal Blockchain was able to locate the wallets that received the bribe based on fragments of addresses mentioned in the leaked court documents. According to the blockchain data research firm, the wallets that received 100 BTC and 932 BTC in July 2022 are now empty, as their contents were transferred to a wallet held by law enforcement in November 2022.

“We analyzed the transactions associated with the 1,032 BTC address and identified an additional payment of 1,032 BTC, as well as the remaining 654 BTC. We believe that these payments were likely made to other officials who have not been held accountable but have connections to Russia-based cybercrime groups,” said Nick Smart, director of blockchain intelligence at Crystal Blockchain.

He added that Crystal located additional, previously unreported wallets belonging to the Infraud Organization, and those appeared to be closely connected with the darknet marketplaces UniCC and LuxSocks.

The story gets even more interesting when following the disputed remainder of the bribe money. The initial bribe amount, connected to the known Infraud wallets, was distributed among several wallets and then moved through a number of intermediary addresses, according to the data provided to blockchain by Crystal. On March 7, 1,032 BTC landed in the two wallets seized by law enforcement. On November 17, 2022, the day Tambiev was arrested and his bitcoins seized, those two wallets sent all of their bitcoins to a new one, and the bitcoins haven’t moved from there since. This is presumably the official money confiscated by authorities and held for evidence.

Another bitcoin wallet, which received 1,032 BTC at the same time as the seized wallets, remained inactive until Dec. 6, 2022. The remainder of the bribe money that the hackers said they gave Tambiev may have been stored in a third wallet with 654.1 BTC in it, according to Crystal. During 2022, most of those funds moved to centralized crypto exchanges, namely Huobi, WhiteBit and a little-known Estonia-registered exchange, Bitexbit, Crystal’s data show.

WhiteBit CEO Vladimir Nosov told blockchain that the holders of the bitcoins traced by Crystal used an over-the-counter (OTC) service to cash out, and that service, in turn, used WhiteBit. The transactions did not look suspicious and had a low risk score, Nosov added.

Transaction-tracking services like Crystal label wallets as risky or criminally connected based on data from law enforcement agencies or public reports. However, wallet owners often cash out their crypto from exchanges before the criminal connection becomes known, or use small OTC services that pay much less attention to know-your-customer and anti-money laundering checks than bigger exchanges.

Huobi and Bitexbit have not responded to requests for comment as of press time.

CORRECTION (July 7, 2023 16:26 UTC): The original version of this story had an incorrect calculation for Tambiev’s total job earnings compared to the value of the BTC in his wallets.

Edited by Jeanhee Kim.