First Publication Original RusWatch investigation,

The “Sistema” Files | Part 4 | The Player Who Gave it All Away

Blockchain analysis reveals how the Russian government uses international criminal networks across multiple countries to move state funds — documented for the first time

THE COINS THAT COULDN’T HIDE

The previous part of this series traced how Russian state funds moved through Bitcoin wallets, Frankfurt go-betweens, and cash-out points across the EU. But Bitcoin, despite its complexity, is a transparent ledger. Every transaction is public. The operators behind this network knew that — and for their most sensitive operations, they turned to something designed to be genuinely untraceable.

ZCash and Monero are the privacy coins — cryptocurrencies built from the ground up to conceal sender, recipient, and amount. They are the tools of choice for those who cannot afford to leave any trace at all. And yet, as this part of the investigation documents, they left one.

“The most sophisticated anonymity tools in the world were not defeated by technology. They were defeated by human error — the kind that happens when someone stops being careful for just a moment.”

THE ZCASH TRANSACTION

The public ZCash wallet of the foundation received exactly one incoming transaction in its entire existence. On 21 June 2018, a transfer of $512,012 arrived. The wallet itself had been created on that same day. Not in advance, not as a standing donation address — opened specifically for this single transaction. That is not the behavior of a spontaneous donor. That is the behavior of a planned operation.

Two days later, on 23 June 2018, the full amount — $512,012 — was sent out in a single outgoing transaction to a wallet operated by a closed group providing ZCash cash-out services. The wallet opened, received, and cleared out in 48 hours. Its entire purpose was this single round trip.

Investigating the wallet that sent the $512,012 donation revealed something the operator did not intend. The same wallet that funded the ZCash transfer had also made purchases inside TWD Survivors — a mobile game — under the account name IMMAX. And the IP address of the IMMAX account resolves to one location: 79.174.12.175 — Skolkovo Innovation Center, Moscow. The IMMAX account belongs to the same operator who administers the Skolkovo cryptocurrency network — the individual whose full identity and profile will be documented in the next part of this series.

ZCash transaction scheme: the $512,012 donation traced from its origin wallet — which also made purchases in TWD Survivors under account IMMAX — to the foundation wallet and out to the cash-out group. The IMMAX IP resolves to Skolkovo Innovation Center, Moscow. Source: intelligence analysis of public blockchain data.

THE CRIMINAL NETWORK

The group that received the outgoing ZCash transfer — known in closed criminal forums under the name Johnny_sky — is a closed group of three to five individuals: Russian nationals, originally from Chechnya, living in Spain. Their operation runs across borders. They coordinate work orders exclusively through Discord and maintain a presence on specialized forums in the closed Tor network. They manage financial activity through Banco Santander in Barcelona and Banco di Napoli in Naples. In Naples, they operate through personal connections inside an Italian criminal organization. They also provide secret cash collection services throughout the EU, handling amounts from €500,000 upward.

This is not an independent criminal enterprise that happened to intersect with Russian state operations. This is a contracted service — a criminal infrastructure deliberately engaged by Russian state operators to handle the cash conversion end of the network.

“The Kremlin does not just employ intelligence officers. It employs criminals. And the blockchain proves it.”

One detail from the investigation is worth noting separately: the same Vladislav Surkov who appears in the Skolkovo command chain is, by nationality, Chechen. The evidence points to a possible personal connection between Surkov and the Johnny_sky group — a version that has not been confirmed, but that the evidence does not rule out.

“The man who built Skolkovo from the ground up. The man who runs the cryptocurrency network from inside it. And the man who — by blood and origin — may be the personal bridge between the Russian state and the criminal group that handles the money. Three roles. One name.”

THE MONERO TRAIL

The foundation’s Monero wallet tells a similar story — but with one detail that makes it more revealing. Two incoming transactions were recorded: $325,920 on 12 December 2019 and $37,055 on 23 January 2020. The wallet that sent the larger donation is one of four addresses used by a separate Russian group operating across the Central African Republic — Russian nationals living in Spain who provide Monero cash-out services.

Two days after the second incoming transfer, on 25 January 2020, the foundation sent out the combined total — $362,975 — in a single outgoing transaction. The destination wallet belongs to the same criminal group that sent the original donations. The money left their hands, passed through the foundation’s wallet, and returned to their hands.

The foundation was not a donor. It was a transit point — a layer of cover inserted into a circular flow of funds that began and ended with the same criminal group.

Monero transaction scheme (London, Scheme 1): incoming donations from a CAR-linked criminal group, outgoing transfer to the same group — with a single unprotected login from a London IP address that exposed the network’s physical location. Source: intelligence analysis of public blockchain data.

THE LONDON CONNECTION

The Monero wallet that sent the $325,920 donation logged into the network once without a VPN. That single unprotected login (out of thousands of protected ones) resolved to IP 45.156.88.226, provider Eonix London, King’s Cross. This is the same IP address that connects the Monero operation to the broader transaction network documented throughout this series.

Additional analysis indicates that both the ZCash and Monero tokens were bought using USDT through a “prolonged three-phase transaction” from a single device — a phone with a multi-cryptocurrency wallet. On the surface they looked like unrelated operations. They were not. Both privacy coin transactions point back to a single coordinating source.

“Two different privacy coins. Two different criminal groups. Two different continents. One coordinating source — and one video game account that connects it all back to Skolkovo.”

The IMMAX account — the Skolkovo-based gaming profile that was connected to the ZCash operation — is not a footnote. It is the thread that connects the entire network to a single individual. The next part of this series pulls that thread. His name, his location, his daily schedule, his two chains of command — one running to the Presidential Administration, one to the Foreign Intelligence Service — are all documented. And none of it was ever supposed to be found.

All analysis in this series is based on publicly available blockchain data from the Anti-Corruption Foundation’s official donation wallets at donate.fbk.info. Technical findings — including specific IP addresses, wallet addresses, and transaction identifiers — are presented in full in the relevant installments.

NEXT: The Sistema Files | Part 5 — MaxiCo: The Man Who Doesn’t Exist
