Blockchain investigator ZachXBT reveals a complex pattern of illicit fund transfers involving a Russian OTC broker exploiting multiple networks to launder over $4.7 million in ransomware proceeds, highlighting increasing reliance on cross-chain infrastructure and human brokers.

Blockchain investigator ZachXBT has accused Russian over-the-counter broker Aleksandr Khinkis, also known as Aleks, of helping move more than $4.7 million in suspected ransomware proceeds through a single exchange account from July 2025 onwards. The trail, according to his findings, begins with three ransom-linked payments totalling 796 bitcoin and runs across Bitcoin, Avalanche and Tron, showing how illicit funds can be shifted through multiple layers of cross-chain infrastructure before reaching more liquid outlets.

In the most recent leg of the alleged laundering route, ZachXBT said about 164 BTC connected to an October 2025 ransom payment was channelled through bridge deposit addresses, then passed through instant swap services before being converted into roughly $3.8 million. He said the resulting Tron wallets were later flagged by Tether, which blacklisted seven addresses in November 2025 and subsequently burned the frozen USDT three weeks ago. He also identified a separate September 2025 ransom flow involving 72 BTC, with parts of the proceeds traced through instant exchanges and onward to Tron addresses already linked to other suspicious activity.

The earliest transaction in the pattern, according to ZachXBT, dates back to September 2023, when a 560 BTC ransom payment was traced to Khinkis’ exchange account via several bridge deposit addresses. Those funds were reportedly moved through intermediary services before being bridged from Bitcoin to Avalanche in 2024, reinforcing the view that the account has been used repeatedly over time rather than in a single isolated event. Other reports based on the same investigation said the funds were dispersed across dozens of transactions and that a further $16.6 million remains parked in Aave and is being gradually withdrawn.

ZachXBT also said his team contacted Khinkis on Telegram while posing as a client, obtaining an exchange deposit address that became a key pivot point in the tracing effort. He added that open-source material suggests Khinkis travels frequently outside Russia, with journeys to Southeast Asia and Australia, and that his personal details have surfaced in multiple data breaches. The broader picture, the investigator argued, is that ransomware laundering now relies less on mixers alone and increasingly on human brokers, bridges, swap services and stablecoin off-ramps.

Source: Noah Wire Services

Source attribution

This analysis was produced by the NOAH PREDICT desk from signals detected across our monitored source network. Every claim traces to a timestamped source item inside the Noah Predict evidence bundle.