Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
17APR

FBI seizes E-Note, $70m ransomware rail

2 min read
13:56UTC

Michigan State Police co-led. German BKA and Finnish KRP ran infrastructure. A Russian national is charged with running the exchange since 2017.

TechnologyAssessed
Key takeaway

The enforcement focus has moved up the supply chain from operators to the cash-out services they depend on.

The US Federal Bureau of Investigation (FBI) and Michigan State Police seized cryptocurrency exchange and payment processor E-Note and charged Russian national Mykhalio Petrovich Chudnovets with conspiracy to launder more than $70 million in ransomware and account-takeover proceeds through E-Note since 2017 1. The German Federal Criminal Police (Bundeskriminalamt, BKA) and Finnish National Bureau of Investigation (Keskusrikospoliisi, KRP) cooperated on the infrastructure seizure. Account-takeover proceeds are the funds stolen from hijacked bank or crypto accounts; ransomware proceeds are the extortion payments victims send to recover encrypted files.

E-Note had operated openly for years despite visible ties to the ransomware ecosystem. Its role in the supply chain is the off-ramp: the service that converts bitcoin, monero or stablecoins paid by victims into cash, clean tokens or traditional fiat held in jurisdictions beyond Western reach. Take the off-ramp out and the attackers' business model runs into a working-capital problem. The operational interest for FBI Cyber in 2026 is the laundering rail rather than the operator, because there are far fewer cash-out services than there are ransomware affiliates, and each seizure reaches hundreds of downstream crimes.

A state police force co-leading a takedown alongside the Bureau and two European national police services is an operational template worth noting. Michigan State Police brought the local jurisdictional hook that the federal case needed; the BKA and KRP brought the overseas server infrastructure. For the cash-out services still running, the enforcement geography just widened.

Deep Analysis

In plain English

When ransomware criminals extort money from victims, they typically demand payment in cryptocurrency. But cryptocurrency is traceable on the blockchain. Criminals need to convert it into regular money (or different, harder-to-trace cryptocurrency) through an exchange. E-Note was a cryptocurrency exchange that, according to US prosecutors, knowingly processed payments for ransomware gangs and other online criminals since 2017. Over that period, it laundered more than $70 million. The FBI and Michigan State Police seized E-Note and charged Russian national Mykhalio Petrovich Chudnovets with running the operation. German and Finnish police also cooperated in seizing E-Note's technical infrastructure.

Deep Analysis
Root Causes

Ransomware proceeds require conversion from cryptocurrency to spendable currency. Exchanges that accept large volumes of cryptocurrency without robust KYC and AML checks, and operate from jurisdictions with limited regulatory cooperation, provide this conversion service. E-Note operated from a regulatory grey zone for nine years because the US, German, and Finnish investigative cooperation required to build a prosecutable case across multiple jurisdictions took time to assemble.

The $70m+ figure, spread across nine years, represents roughly $7-8 million per year in laundered ransomware proceeds, which is small relative to the overall ransomware ecosystem but substantial in absolute terms. The seizure's significance is partly about precedent and partly about recovering criminal proceeds.

What could happen next?
  • Consequence

    The three-country coordination (US, Germany, Finland) in the E-Note seizure reinforces the Five Eyes and EU pattern of coordinated cryptocurrency exchange seizures, increasing operational tempo compared to the 2017-2019 period when such operations were primarily US-led.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

The Record· 17 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.