Operation Final Exchange: Shining a Light on Global Darknet Takedowns

On September 19, 2024, the Frankfurt am Main Public Prosecutor’s Office, in collaboration with the Federal Criminal Police Office (BKA), managed to strike a significant blow against the criminal infrastructure of the underground economy. As part of Operation Final Exchange, 47 crypto exchange platforms hosted in Germany that were used by cybercriminals for money laundering and other illegal activities were seized.

Background and scope of the operation

The shut down platforms enabled the anonymous exchange of cryptocurrencies without complying with legal requirements for identity verification (“Know Your Customer” or KYC). These gaps in the security net were primarily used by ransomware groups, darknet traders and botnet operators to conceal extorted ransoms and other criminal proceeds and bring them into the legal financial circuit.

A central element of these platforms was the apparent anonymity they promised users. The operators advertised that no user data was stored and transactions were immediately anonymized. However, the investigation showed that extensive data, including IP addresses, transactions and registration information, could be secured.

Warning to users of the affected platforms

The seized platforms now redirect to the official website of Operation “Final Exchange”. There, visitors are informed that the promised anonymity was a deception and that their data is now available to law enforcement authorities. Users who were active on these platforms risk being caught in ongoing investigations.

If you have been a user of one of the affected platforms, we strongly advise you to seek legal advice. The authorities are currently evaluating the secured data and have announced that further arrests and criminal prosecutions are to be expected.

Overall complex

As early as 2023, the server infrastructure of the world’s highest-grossing crypto mixer on the Darknet, ChipMixerconfiscated and the equivalent of around 90 million euros, as well as the infrastructure of several criminal marketplaces, including Kingdom Market. In addition, the malware could Qakbot in 2023 and The emotion will be taken offline in 2021. Both were among the greatest threats from cyberspace and caused hundreds of millions of dollars in damage worldwide.

In 2024, the international operation “targetedEndgame“ against six of the largest malware families and targeted their infrastructures, specific actors and their financial resources.

Affected platforms

Below is a list of the affected platforms that were seized by the BKA as part of Operation “Final Exchange”:

  1. Xchange.cash
    • Active since: 2012
    • Users: 410,208
    • Transactions: 1,279,739
  2. 60cek.org
    • Active since: 2016
    • Users: 303,673
    • Transactions: 899,774
  3. Baksman.com
    • Active since: 2016
    • Users: 280,184
    • Transactions: 754,707
  4. Prostocash.com
    • Active since: 2017
    • Users: 266,922
    • Transactions: 472,327
  5. Bankcomat.com
    • Active since: 2016
    • Users: 254,312
    • Transactions: 762,174
  6. Multichange.net
    • Active since: 2018
    • Users: 185,798
    • Transactions: 430,720
  7. 4ange.me
    • Active since: 2020
    • Users: 91,488
    • Transactions: 206,716
  8. CoinBlinker.com
    • Active since: 2022
    • Users: 80,477
    • Transactions: 105,942
  9. Mchange.net
    • Active since: 2018
    • Users: 77,670
    • Transactions: 138,117
  10. Ex-Money.cc
    • Active since: 2019
    • Users: 77,398
    • Transactions: 134,020
  11. Cryptostrike.org
    • Active since: 2021
    • Users: 50,871
    • Transactions: 54,779
  12. GrandChange.cc
    • Active since: 2020
    • Users: 45,686
    • Transactions: 57,428
  13. BlaBla.Money
    • Active since: 2021
    • Users: 43,709
    • Transactions: 56,973
  14. DotSatoshi.com
    • Active since: 2022
    • Users: 41,091
    • Transactions: 30,617
  15. Nordchange.com
    • Active since: 2022
    • Users: 40,244
    • Transactions: 49,984
  16. BTCWorm.com
    • Active since: 2022
    • Users: 27,874
    • Transactions: 33,099
  17. NitroCrypt.net
    • Active since: 2022
    • Users: 22,808
    • Transactions: 15,866
  18. CrystalMoney.net
    • Active since: 2022
    • Users: 21,876
    • Transactions: 21,269
  19. IceSatoshi.com
    • Active since: 2022
    • Users: 16,812
    • Transactions: 17,159
  20. BitFondo.com
    • Active since: 2022
    • Users: 15,857
    • Transactions: 19,813

The full list and further information can be found on the operation’s website „Final Exchange“.

It is no coincidence that the whole thing looks like a set of dominoes falling over: it is becoming increasingly clear how investigators are now able to build extensive investigations on access that has already taken place. It is no coincidence that such successes have been celebrated since the cyber bunker access: the investigators obviously have access to entire networks and have learned how to expand it.

Users of illegal services should be aware of the risks associated with using such offers and rethink their online activities: investigators are no longer just taking action against operators but also users.

outlook

For investigators, the success of the “Final Exchange” operation is another significant step in the fight against cybercrime and the criminal use of cryptocurrencies. The current dismantling of these platforms in this mass shows that investigators have more and more starting points and can increasingly take action against cybercrime.

The users themselves – and not just the operators – will increasingly come into focus. At the moment, it is probably the sheer volume of data that is still overwhelming investigators. Modern investigative approaches, such as the use of AI, will increasingly eliminate this deficit. In any case, users will always have to fear proceedings for (reckless) money laundering when using such services. There is a risk of confiscation of assets used, which in individual cases could have significant financial consequences.

Last articles by lawyer Jens Ferner (specialist lawyer for IT & criminal law) (Show all)

Leave a Replay