Cybersecurity: Threats and Defences
17 Apr

FBI seizes E-Note, $70m ransomware rail

13:56 UTC

Michigan State Police co-led. German BKA and Finnish KRP ran infrastructure. A Russian national is charged with running the exchange since 2017.

Key takeaway

The enforcement focus has moved up the supply chain from operators to the cash-out services they depend on.

The US Federal Bureau of Investigation (FBI) and Michigan State Police seized cryptocurrency exchange and payment processor E-Note and charged Russian national Mykhalio Petrovich Chudnovets with conspiracy to launder more than $70 million in ransomware and account-takeover proceeds through E-Note since 2017 [1]. The German Federal Criminal Police (Bundeskriminalamt, BKA) and Finnish National Bureau of Investigation (Keskusrikospoliisi, KRP) cooperated on the infrastructure seizure. Account-takeover proceeds are the funds stolen from hijacked bank or crypto accounts; ransomware proceeds are the extortion payments victims send to recover encrypted files.

E-Note had operated openly for years despite visible ties to the ransomware ecosystem. Its role in the supply chain is the off-ramp: the service that converts bitcoin, monero or stablecoins paid by victims into cash, clean tokens or traditional fiat held in jurisdictions beyond Western reach. Take the off-ramp out and the attackers' business model runs into a working-capital problem. The operational interest for FBI Cyber in 2026 is the laundering rail rather than the operator, because there are far fewer cash-out services than there are ransomware affiliates, and each seizure reaches hundreds of downstream crimes.

A state police force co-leading a takedown alongside the Bureau and two European national police services is an operational template worth noting. Michigan State Police brought the local jurisdictional hook that the federal case needed; the BKA and KRP brought the overseas server infrastructure. For the cash-out services still running, the enforcement geography just widened.

Deep Analysis

In plain English

When ransomware criminals extort money from victims, they typically demand payment in cryptocurrency. But cryptocurrency is traceable on the blockchain. Criminals need to convert it into regular money (or different, harder-to-trace cryptocurrency) through an exchange. E-Note was a cryptocurrency exchange that, according to US prosecutors, knowingly processed payments for ransomware gangs and other online criminals since 2017. Over that period, it laundered more than $70 million. The FBI and Michigan State Police seized E-Note and charged Russian national Mykhalio Petrovich Chudnovets with running the operation. German and Finnish police also cooperated in seizing E-Note's technical infrastructure.

Root Causes

Ransomware proceeds require conversion from cryptocurrency to spendable currency. Exchanges that accept large volumes of cryptocurrency without robust KYC and AML checks, and operate from jurisdictions with limited regulatory cooperation, provide this conversion service. E-Note operated from a regulatory grey zone for nine years because the US, German, and Finnish investigative cooperation required to build a prosecutable case across multiple jurisdictions took time to assemble.

The $70m+ figure, spread across nine years, represents roughly $7-8 million per year in laundered ransomware proceeds, which is small relative to the overall ransomware ecosystem but substantial in absolute terms. The seizure's significance is partly about precedent and partly about recovering criminal proceeds.

What could happen next?
• Consequence: the three-country coordination (US, Germany, Finland) in the E-Note seizure reinforces the Five Eyes and EU pattern of coordinated cryptocurrency exchange seizures, increasing operational tempo compared to the 2017-2019 period when such operations were primarily US-led.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

The Record· 17 Apr 2026
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.