CLOSE

close

CLOSE

EN

How a billion-dollar laundering network exposed the limits of AML and the high stakes of sanctions compliance

Recommended
How a billion-dollar laundering network exposed the limits of AML and the high stakes of sanctions compliance

How a billion-dollar laundering network exposed the limits of AML and the high stakes of sanctions compliance
A landmark first conviction under the Bribery Act and a warning UK businesses cannot ignore

A landmark first conviction under the Bribery Act and a warning UK businesses cannot ignore
Sanctions sweep hits Mexican casino group accused of laundering millions for the Sinaloa Cartel

Sanctions sweep hits Mexican casino group accused of laundering millions for the Sinaloa Cartel

What comes to mind when you think about sanctions evasion? Shadowy bankers? Offshore accounts? Covert state actors? Likely not a Friday-night drug deal in a British city. 

 

But according to the National Crime Agency (NCA), there’s a direct link there and it’s dangerous. In fact, the NCA believes that those small street-level transactions are helping fuel the Russian military effort in Ukraine.

 

This is the main and sobering lesson of Operation Destabilise, a sweeping international investigation that exposed a billion-dollar money laundering scheme. The case demonstrates not only the ingenuity of organised crime, but also the limitations of current anti-money laundering (AML) systems and the real-world stakes of poor sanctions compliance.

 

And significantly, it offers organisations a roadmap for strengthening controls before they become the next unintentional conduit for hostile state financing.

 

A billion-dollar criminal ecosystem in plain sight

 

Operation Destabilise began as a look into ransomware group Evil Corp. What investigators discovered was far more extensive: A laundering network operating across 28 towns and cities in the UK, converting the proceeds of drugs, firearms, cybercrime and people smuggling into cryptocurrency, and ultimately into a state-sponsored sanctions evasion scheme.

 

Two key networks sat at the heart of the operation: TGR, led by George Rossi and Smart, run by Ekaterina Zhdanova. Both groups offered what the NCA called a “full spectrum” of money-laundering services. For a fee, they collected dirty cash, ran it through cash-rich businesses, moved it across borders in stash houses or hidden inside boxes of washing powder, and converted it into crypto through cash-for-crypto swaps. Together, they laundered billions. And, perhaps of most concern, it was discovered that this criminal ecosystem extended all the way up to the geopolitical level.

 

How organised crime undermines sanctions 

 

Sanctions are only as effective as the systems built to enforce them. When those systems are weak, bad actors find ways around them. What Operation Destabilise revealed was exactly how far they are willing to go.

 

It began with a bank purchase that, at first glance, looked like an ordinary investment. On Christmas Day 2024, a Rossi-linked company, Altair Holding SA, quietly acquired 75% of Keremet Bank in Kyrgyzstan. But this was no strategic financial move. It was a doorway. Keremet Bank soon emerged as the centre of a sanctions-evasion network, processing payments for Promsvyazbank, the Russian state bank that fuels the country’s military-industrial machine. Cash from UK drug sales was being laundered through this system and ultimately redirected to help sustain Russian arms production.

 

The operation didn’t stop at traditional banking. A7, a payment services provider later sanctioned for its role in the scheme, constructed an entire crypto ecosystem designed for illicit cross-border flows. It even issued a rouble-backed stablecoin, A7A5, created specifically to bypass international banking controls and slip through the cracks of fragmented crypto regulation. It was a glimpse into a growing frontier: digital infrastructure built from the ground up to defeat sanctions.

 

The implications were serious. As the UK’s National Crime Agency put it, “We can draw a thread between somebody buying cocaine on a Friday night and the geopolitical events causing suffering across the world.”

 

The reality is that organised crime isn’t just chasing profit. In the shadows, it enables hostile states to access money, technology and networks they’re meant to be cut off from. By creating alternative financial systems such as banks, crypto, laundering pipelines, criminal groups undermine sanctions and help rearm the very regimes those sanctions are meant to restrain.

 

A case study in the limits of AML

 

Operation Destabilise is more than a crime story. It’s a clear demonstration of where global AML efforts are falling short.

 

AML frameworks are built for banks while criminals are using cash, couriers and crypto

The networks relied on low-paid couriers moving cash around the UK. These individuals earned 0.5% commissions£500 for every £100K. Traditional AML systems barely touch this layer of the ecosystem.

 

“Cash-to-crypto” swaps sit at the edge of regulatory coverage

Despite tightening regulations, the off-exchange conversion of cash into digital assets remains a weak point. Criminal networks exploited the speed, pseudo-anonymity, and lack of global alignment in crypto controls.

 

Buying a foreign bank revealed gaps in cross-border supervision

Even robust jurisdictions rely on weaker ones for the integrity of global finance. Purchasing Keremet Bank allowed TGR to route payments under the radar of Western controls.

 

Complex networks overwhelm siloed monitoring systems

Many firms’ AML and sanctions processes operate separately. Criminals exploit this division by moving from one system to another without any single institution seeing the whole picture. 

 

AML is only as strong as the weakest jurisdiction, the least-integrated data and the least-protected sector in the chain.

Strengthening AML and sanctions compliance

Whether you’re a bank, fintech, crypto exchange, payment service provider or a business at risk of becoming a conduit, the implications are significant. Operation Destabilise provides a roadmap of where criminals exploit gaps and how organisations should respond.

 

Enhance transaction monitoring for “cash-to-crypto” patterns

 

Companies should flag and investigate:

  • Unexplained cash deposits followed by crypto purchases

  • Rapid movement of funds to high-risk jurisdictions

  • Use of money-service businesses or payment intermediaries that lack transparency

  • Transfers linked to known laundering typologies

Crypto exchanges in particular need robust onboarding and enhanced due diligence (EDD) for:

  • High-volume OTC trades

  • Frequent small deposits leading to large crypto transfers

  • Accounts with ties to Kyrgyzstan, Russia, or known sanction-linked entities

 

Strengthen sanctions screening beyond simple list-matching

 

Given the involvement of front companies and indirect ownership structures:

  • Screen beneficial ownership and control, not just named individuals.

  • Apply 50% rule and look-through screening for corporate structures.

  • Monitor for entities linked to OFAC-designated networks

 

Beware of high-risk payment service providers (PSPs)

 

Payment firms can be used as laundering or sanctions-busting intermediaries. Companies should:

  • Conduct jurisdiction-specific risk assessments

  • Review PSP governance, licensing, and enforcement history

  • Apply EDD to PSPs with exposure to Central Asia, the Caucasus, and high-risk crypto activity

 

Integrate AML and sanctions controls

 

These networks exploited the artificial separation between:

  • Fraud teams

  • AML teams

  • Sanctions teams

  • Crypto compliance teams

Firms should:

  • Merge key data sets

  • Conduct joint typology reviews

  • Share intelligence internally

  • Use automated network-analysis tools to detect hidden links

 

Train staff to recognise criminal infrastructure

 

Staff should be trained on:

  • Crypto-based sanctions evasion

  • Use of legitimate businesses for laundering

  • Red flags associated with cash-intensive operations

  • Emerging risks in foreign bank ownership or correspondent relationships

 

Participate in public-private information sharing

 

Operation Destabilise succeeded partly because of collaboration across the UK, US, France, Spain, Ireland and others. Firms should:

  • Join information-sharing partnerships

  • Report suspicious patterns proactively

  • Share insights on emerging typologies

Sanctions are only as strong as our defences

 

Operation Destabilise is a stark reminder that organised crime isn’t just a social harm. It’s a national security threat. The networks exposed by the NCA demonstrate how quickly illicit cash can be transformed into geopolitical influence when AML and sanctions controls are weak or fragmented.

 

Strengthening AML, crypto controls, sanctions screening, and cross-border risk management is no longer just about compliance. It’s about preventing your organisation from unknowingly becoming the next enabler of hostile state activity.

 


Sanctions have been growing increasingly complicated in recent years. As events in Russia, Iran, China and other countries grab global headlines, businesses are struggling to stay on top of changes. Our sanctions compliance courses give your staff the tools they need to understand and comply with sanctions requirements in these volatile times. Try it here.