ZachXBT Reports Russian OTC Broker Allegedly Laundered $4.7M+ in Crypto

Coingapestaff
1 hour ago
CoinGape comprises an experienced team of native content writers and editors working round the clock to cover news globally and present news as a fact rather than an opinion. CoinGape writers and reporters contributed to this article.
Why Trust CoinGape
CoinGape has covered the cryptocurrency industry since 2017, aiming to provide informative insights to our readers. Our journal analysts bring years of experience in market analysis and blockchain technology to ensure factual accuracy and balanced reporting. By following our Editorial Policy, our writers verify every source, fact-check each story, rely on reputable sources, and attribute quotes and media correctly. We also follow a rigorous Review Methodology when evaluating exchanges and tools. From emerging blockchain projects and coin launches to industry events and technical developments, we cover all facets of the digital asset space with unwavering commitment to timely, relevant information.
ZachXBT traced OTC crypto flows across Bitcoin, Tron, Avalanche

Highlights

  • ZachXBT links $4.7M laundering to broker using cross-chain crypto flows.
  • Ransom payments totaling 796 BTC drove transfers across Bitcoin, Tron networks.
  • ZachXBT says 73 BTC remains dormant and the traced data is shared with law enforcement teams.

Blockchain investigator ZachXBT reported today that Russian OTC broker Aleksandr Khinkis allegedly laundered over $4.7 million in crypto. The activity reportedly occurred between July 2025 and March 2026 through a single exchange account. According to the findings, three suspected ransomware payments totaling 796 BTC drove the transactions through Bitcoin, Avalanche, and Tron networks.

Crypto Flows Linked to Bitcoin, Avalanche, and Tron

According to ZachXBT in an X thread, investigators first engaged Khinkis through Telegram while posing as a client. Khinkis allegedly provided an exchange deposit address, which was key to tracing the crypto flows. That address, beginning with 0xa756, linked multiple transfers tied to suspected ransomware proceeds.

The investigator stated that the crypto funds moved from Bitcoin into Avalanche using cross-chain bridges. From there, approximately 75 transfers directed over $4.7 million into the same exchange deposit address. Meanwhile, an additional $16.6 million remains deposited in related addresses or platforms, with some funds actively off-ramped.

Source: ZachXBT

However, ZachXBT emphasized that the laundering routes extended further. Funds passed through crypto exchanges and bridges before reaching the Tron network. Timing analysis reportedly helped match Bitcoin outflows to specific Tron wallet outputs tied to the same activity.

Three Ransom Payments 

The largest recent crypto case dates to October 10, 2025. ZachXBT traced six Bitcoin bridge deposit addresses linked to a 164 BTC ransom payment. Around $3.8 million in Bitcoin moved through instant exchanges before reaching Tron-linked outputs.

Seven Tron addresses tied to this flow were blacklisted by Tether in November 2025. ZachXBT added that the frozen USDT was burned three weeks ago, confirming enforcement action tied to the case. A second case from September 2, 2025, involved a 72 BTC ransom payment.

ZachXBT said four Bitcoin bridge addresses linked to that transaction showed exposure to known ransomware wallets. One initiating address had more than 15% overlap with flagged entities across compliance tools.

During that period, roughly $1.36 million in Bitcoin moved through instant exchanges. The crypto funds later consolidated into a Tron wallet connected to addresses previously frozen by Tether. The earliest case dates back to September 19, 2023.

ZachXBT linked five Bitcoin bridge deposit addresses to a 560 BTC ransom payment. Those funds moved across intermediary services before bridging into Avalanche during 2024.

OSINT Data Outlook

Beyond crypto transaction flows, ZachXBT included open-source intelligence findings tied to Khinkis. According to the report, Khinkis frequently travels outside Russia, including trips to Southeast Asia and Australia.

Additionally, his personal data reportedly appears in multiple breach records. He also documents travel activity openly on social media platforms, providing identifiable public traces.

ZachXBT stated that 73 BTC linked to the broader crypto cluster remains dormant at a separate Bitcoin address. He also confirmed that compliance teams and law enforcement agencies received details related to the traced addresses and fund movements.
