Cybersecurity: Threats and Defences
17 Apr

FBI seizes E-Note, $70m ransomware rail

13:56 UTC

Michigan State Police co-led the operation. The German BKA and Finnish KRP handled the infrastructure seizure. A Russian national is charged with running the exchange since 2017.

Key takeaway

The enforcement focus has moved up the supply chain from operators to the cash-out services they depend on.

The US Federal Bureau of Investigation (FBI) and Michigan State Police seized cryptocurrency exchange and payment processor E-Note and charged Russian national Mykhalio Petrovich Chudnovets with conspiracy to launder more than $70 million in ransomware and account-takeover proceeds through E-Note since 2017 [1]. The German Federal Criminal Police (Bundeskriminalamt, BKA) and Finnish National Bureau of Investigation (Keskusrikospoliisi, KRP) cooperated on the infrastructure seizure. Account-takeover proceeds are the funds stolen from hijacked bank or crypto accounts; ransomware proceeds are the extortion payments victims send to recover encrypted files.

E-Note had operated openly for years despite visible ties to the ransomware ecosystem. Its role in the supply chain is the off-ramp: the service that converts bitcoin, monero or stablecoins paid by victims into cash, clean tokens or traditional fiat held in jurisdictions beyond Western reach. Take the off-ramp out and the attackers' business model runs into a working-capital problem. The operational interest for FBI Cyber in 2026 is the laundering rail rather than the operator, because there are far fewer cash-out services than there are ransomware affiliates, and each seizure reaches hundreds of downstream crimes.

A state police force co-leading a takedown alongside the Bureau and two European national police services is an operational template worth noting. Michigan State Police brought the local jurisdictional hook that the federal case needed; the BKA and KRP brought the overseas server infrastructure. For the cash-out services still running, the enforcement geography just widened.

Deep Analysis

In plain English

When ransomware criminals extort money from victims, they typically demand payment in cryptocurrency. But cryptocurrency is traceable on the blockchain. Criminals need to convert it into regular money (or different, harder-to-trace cryptocurrency) through an exchange. E-Note was a cryptocurrency exchange that, according to US prosecutors, knowingly processed payments for ransomware gangs and other online criminals since 2017. Over that period, it laundered more than $70 million. The FBI and Michigan State Police seized E-Note and charged Russian national Mykhalio Petrovich Chudnovets with running the operation. German and Finnish police also cooperated in seizing E-Note's technical infrastructure.

Root Causes

Ransomware proceeds require conversion from cryptocurrency to spendable currency. Exchanges that accept large volumes of cryptocurrency without robust KYC and AML checks, and operate from jurisdictions with limited regulatory cooperation, provide this conversion service. E-Note operated from a regulatory grey zone for nine years because the US, German, and Finnish investigative cooperation required to build a prosecutable case across multiple jurisdictions took time to assemble.

The $70m+ figure, spread across nine years, represents roughly $7-8 million per year in laundered ransomware proceeds, which is small relative to the overall ransomware ecosystem but substantial in absolute terms. The seizure's significance is partly about precedent and partly about recovering criminal proceeds.

What could happen next?
  • Consequence: The three-country coordination (US, Germany, Finland) in the E-Note seizure reinforces the Five Eyes and EU pattern of coordinated cryptocurrency exchange seizures, increasing operational tempo compared to the 2017-2019 period when such operations were primarily US-led.

First Reported In

The Record · 17 Apr 2026
Different Perspectives
CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.
NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.
European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.
Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.
People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.
Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.