The Financial Architecture of War: Typologies of Money Laundering and Terrorist Financing


To understand how the aggressor’s financial machinery operates, YouControl has examined, specifically for SPEKA, three typological cases identified by the State Financial Monitoring Service in 2025. These cases are set out in the typological study “Risks and Threats of Legalisation (Laundering) of Proceeds of Crime and Terrorist Financing amid the Military Aggression of the Russian Federation – 2025.”

How Russia finances terrorism through cryptoassets, agents, and cyber fraud

Financial flows today have become a weapon in their own right, comparable to missiles. The aggressor’s war machine is being financed at an unprecedented official level: according to intelligence data, Russia has allocated a record 41% of its 2025–2027 expenditure to military needs, increasing its “national defence” budget to USD 133.6 billion. Although terrorist financing and money laundering are not formally recognised as lawful sources of state budget revenue, these criminal instruments are actively enabled by the aggressor state. Together, they form a strategic shadow infrastructure that enables Russia to sustain the war and finance subversive operations beyond the official economy.

A scheme for financing criminal activity through crypto wallets involving the FSB and international terrorist organisations

One of the most telling cases, No. 2025.4.1.1, exposes the use of multi-currency crypto wallets to finance the preparation of terrorist attacks within Ukraine. The scheme relied on USDT (Tether USD), a stablecoin pegged to the US dollar, operating on the Tron network via a mixer wallet. This mechanism was used to obscure the origin of illicit funds. 

Criminal mechanism: Over a seven-year period, the wallet received assets from sanctioned Russian services, including Garantex, Grinex, and Hydra, as well as from Iranian entities and even the terrorist organisation Hamas. The subsequent chain of transactions led to wallets owned by employees of the Russian Federation’s FSB. At the final stage, USDT was converted into Ukrainian hryvnia through P2P platforms on the Binance and WhiteBIT exchanges. The funds were received by Ukrainian citizens recruited by Russian special services via Telegram channels to carry out terrorist attacks.

Garantex’s international connections can be examined using YC World by YouControl, an international platform for global search and visualisation of business links that helps uncover hidden insights. These include, for example, risk factors associated with an entity’s connections, such as traces of exposure to high-risk countries. By default, such countries include Russia, Belarus, Iran, Cuba, North Korea, Syria, and China. In this case, the company in question has probable links to Russian legal entities and individuals.

The YouControl ecosystem supports compliance with the financial monitoring requirements outlined in the Typological Study approved by Order No. 116 of the State Financial Monitoring Service of Ukraine dated December 22, 2025.

Screenshot from YC World: Garantex business connections

Garantex was incorporated in Estonia in 2019 and liquidated in 2024. One of the company’s co-founders is Russian national Sergey Mendeleev. Mr Mendeleev has been subject to sanctions imposed by the National Security and Defence Council of Ukraine since July 2025, as confirmed by an individual check based on a full-name match in the YouControl analytical system.

Screenshot from YouControl: “Sanctions of the NSDCU” section

In the recent study Baltic States Generated More Than UAH 111 Billion in Revenue Through Ukrainian Businesses in Q3 2025, published on February 23, 2026, YouControl analysts established that 28 companies with Estonian co-owners had sanctions alerts linked to their participants or ultimate beneficial owners. A further 26 companies had Russian participants or ultimate beneficial owners in their ownership structures, in addition to representatives of the country analysed in the study.

Proxy accounts: financing sabotage from occupied territories

Case No. 2025.4.1.2 demonstrates how Russia uses ordinary personal bank accounts to finance sabotage operations. The central figure in the case was an individual who was, in fact, located in temporarily occupied territory and involved in subversive activity.

Criminal mechanism: Funds were credited to the individual’s accounts by a group of people, both in cash and through non-cash transfers. These funds were then redistributed: part was used to top up mobile accounts and purchase goods for saboteurs, while the remainder was withdrawn in cash or transferred to a group of accomplices.

For banks, an important red flag was the “unacceptably high risk” associated with certain counterparties. In such cases, using YouControl enables investigators to determine quickly whether a counterparty has already been included in the Myrotvorets database or has links to occupation administrations. Such findings serve as a direct indicator of terrorist financing.

IT fraud as a resource for “rogue states”

The most unusual, though no less dangerous, example is case No. 2025.4.1.4, in which North Korean government organisations used Ukrainian IT specialists to generate revenue that was channelled to support the DPRK regime and its ally, Russia. 

Criminal mechanism: The scheme involved cyber fraud, including unauthorised access to accounts, the extraction of funds from victims’ contacts, and the transfer of these funds through the accounts of Ukrainian “IT specialists”. Most of these individuals were officially registered as unemployed, yet substantial sums were charged to their bank cards, significantly exceeding their declared income. 

This international chain confirms that the financing of Russia’s war is closely intertwined with global terrorist regimes. YC World is particularly useful for tracking such cross-border connections, as it helps identify the involvement of foreign actors in sanctioned DPRK- or Russia-linked organisations.

Transaction mechanics: operational tools and capital movement channels

To counter the financing of aggression effectively, it is essential to distinguish between the strategic architecture of a scheme and its direct technical execution. In professional terminology, these levels are divided into systemic mechanisms (Tool Groups) and Operational Instruments. 

While Tool Groups define the architecture of a scheme, for example, through the use of shell companies or non-profit organisations, Operational Instruments are the scheme’s practical execution tools. They serve as the model's operational “workhorses,” enabling specific payments regardless of the criminal structure's overall complexity.

How Operational Instruments work in real-world cases 

An analysis of the investigations outlined above shows how criminals combine various Operational Instruments to obscure transactions and sever traceable links between participants.

In the case concerning the financing of terrorist attacks by Russian special services, the key instrument was USDT transactions on the Tron network. Through P2P conversion, the aggressor disrupted the direct transactional chain between the sender and the perpetrator. Exposing such schemes requires analysing digital traces in YC World's international sanctions risk databases to determine whether legal entities and individuals are subject to sanctions.

To organise sabotage groups, Russia frequently uses ordinary personal card accounts. In such cases, the movement of funds is disguised as routine transactions, including payments for goods and services or mobile phone top-ups. These hidden links can be detected by verifying participants through YouControl, which highlights critical red flags in its Express Analysis, such as company registration in temporarily occupied territories, inclusion in the Myrotvorets database, or probable affiliation with Russian war criminals.

Screenshot from YouControl: “Sanctions of the NSDCU” section

IT fraud cases conducted for the benefit of the DPRK rely on creating a multi-layered veil of P2P transfers, followed by mass cash withdrawals. Participants in such schemes are typically individuals officially registered as unemployed whose accounts process unusually large sums. This mechanism enables the aggressor and its allies to effectively conceal both the origin of assets and their ultimate destination.

Participant Indicators: where to identify deviations

The key to exposing these chains lies not only in analysing transaction volumes, but also in examining the behaviour of the participants themselves. Participant Indicators, or PI, are the “digital fingerprints” of a crime: deviations from standard economic logic that may signal illicit activity.

Grouping such indicators enables law enforcement bodies and analysts to identify high-risk clients as early as the monitoring stage. The most pronounced PIs in the schemes examined include:

  • Income inconsistency
  • Toxic geography
  • Anomalous transaction patterns.

These deviations make it possible to establish potential involvement in war financing, transforming fragmented Operational Instruments into an evidentiary basis for criminal activity.

It should be noted that despite the high effectiveness of modern digital algorithms, full automation cannot adequately assess the economic rationale of a business or distinguish a genuine company from a fictitious entity created to divert funds. Many critical factors are inherently non-digital, including contract content, negotiation nuances, and the presence of staff. These elements necessarily require human expertise and analytical judgement.

How to stop the aggressor’s financial machine

The financial architecture of Russia’s war rests on hybrid schemes in which state resources are tightly intertwined with criminal instruments. In recent years, the aggressor’s methods have evolved from conventional money laundering to complex crypto gateways, P2P transfers through networks of money mules, and cross-border cyber fraud.

Timely detection of preparations for sabotage or terrorist attacks is possible through automated monitoring of war financing indicators (WF). These indicators highlight anomalies such as night-time transactions or links to temporarily occupied territories at the payment execution stage. However, while automation is essential, the final decision must remain with the expert conducting the deeper analytical assessment.
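As an added illustration (not taken from the State Financial Monitoring Service study or from YouControl's tooling), the sketch below groups the indicators named in this article per client and returns a review queue for an analyst rather than an automatic decision. The thresholds, field names, the `TOT` region label and the sample transactions are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Assumed thresholds; a real monitoring programme calibrates them on its own data.
NIGHT_HOURS = range(0, 6)   # 00:00-05:59 local time
MIN_TURNOVER = 50_000       # UAH of inflow before income is compared
INCOME_RATIO = 5            # inflow above 5x declared income is inconsistent
CASH_OUT_SHARE = 0.8        # share of inflow leaving as cash

# Constructed sample data. Declared monthly income in UAH; C1 is registered as unemployed.
DECLARED_INCOME = {"C1": 0, "C2": 40_000, "C3": 20_000}
# (client, timestamp, direction, channel, amount UAH, counterparty region)
TRANSACTIONS = [
    ("C1", "2025-03-01T02:10", "in", "p2p", 30_000, "UA"),
    ("C1", "2025-03-01T03:40", "in", "p2p", 45_000, "UA"),
    ("C1", "2025-03-02T01:15", "out", "cash", 70_000, "UA"),
    ("C1", "2025-03-03T14:00", "out", "card", 2_000, "UA"),
    ("C2", "2025-03-05T10:00", "in", "salary", 40_000, "UA"),
    ("C2", "2025-03-07T23:50", "out", "card", 1_500, "UA"),
    ("C3", "2025-03-08T12:00", "in", "p2p", 10_000, "TOT"),
]

def flag_clients(declared_income, transactions):
    """Return {client: [indicator, ...]} for an analyst's review queue."""
    stats = defaultdict(lambda: defaultdict(int))
    for cid, ts, direction, channel, amount, region in transactions:
        s = stats[cid]
        s["count"] += 1
        s["night"] += datetime.fromisoformat(ts).hour in NIGHT_HOURS
        s["tot"] += region == "TOT"
        if direction == "in":
            s["inflow"] += amount
            s["p2p_in"] += amount if channel == "p2p" else 0
        elif channel == "cash":
            s["cash_out"] += amount
    queue = {}
    for cid, s in stats.items():
        flags = []
        if s["inflow"] >= MIN_TURNOVER and s["inflow"] > INCOME_RATIO * declared_income[cid]:
            flags.append("income_inconsistency")
        if s["count"] >= 3 and s["night"] / s["count"] >= 0.5:
            flags.append("night_time_pattern")
        if s["tot"]:
            flags.append("occupied_territory_link")
        if s["p2p_in"] and s["cash_out"] >= CASH_OUT_SHARE * s["inflow"]:
            flags.append("p2p_in_cash_out")
        if flags:
            queue[cid] = flags
    return queue
```

Clients carrying several indicators at once, such as `C1` here, are the ones to place first in the queue for the expert assessment described above.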

The use of OSINT tools is critical to uncovering hidden links involving Russian beneficiaries. This is where YouControl plays a central role: an analytical system that builds an evidence base from open data and equips both businesses and the state with tools to detect concealed threats. Ultimately, stopping aggression means not only maintaining defence on the front line, but also systematically dismantling the financial chains that sustain it.

The free YouControl Academy courses How to Search for Information on the Internet and OSINT for Business help users enter the world of open-source intelligence and strengthen their practical knowledge of OSINT techniques for finding and verifying information. As the educational hub of a leading developer of compliance services, the Academy advances business intelligence methodologies and supports the professional development of specialists. The programmes were created by YouControl’s expert team in collaboration with international experts in compliance, financial monitoring, and cybersecurity from more than 20 countries worldwide.



1. What is terrorist financing?

Terrorist financing refers to the collection or provision of any assets intended to support terrorist activity or terrorist organisations. In the context of Russia, it includes the systemic enabling of military aggression and sabotage operations against Ukraine.

2. What is legalisation, or laundering, of proceeds of crime?

This refers to any actions designed to disguise the criminal origin of funds and present them as lawful income. Russia uses this mechanism to conceal the real sources of war financing through networks of shell companies.

3. How does Russia finance the war through cryptocurrency?

The aggressor exploits the anonymity of stablecoins, such as USDT, and crypto mixers to evade sanctions. This enables covert procurement of weapons and payments to agents through rapid P2P conversion into Ukrainian hryvnia.

4. What are the key indicators of war financing?

The key markers include anomalous night-time payments, the use of bank cards held by front persons or money mules, officially unemployed individuals processing significant transactions, transfers linked to temporarily occupied territories, and atypical routes through transit countries.

5. How can a company be checked for sanctions risks?

YouControl’s Express Analysis enables the rapid detection of sanctions exposure and links to Russia. For complex international ownership chains and hidden beneficiaries abroad, YC World can be used to conduct deeper cross-border screening.