Key Highlights
- Blockchain investigator ZachXBT traced millions in Bitcoin linked to suspected ransomware payments across Bitcoin and Tron networks.
- A suspected individual, Aleks, is connected to multiple ransom transactions, including 72 BTC in 2025 and 560 BTC in 2023.
- Some wallets were blacklisted by Tether, and around 73 BTC remains dormant but could be moved later.
Blockchain investigator ZachXBT has alleged that Russian OTC broker Aleksandr “Aleks” Khinkis helped launder more than $4.7 million in crypto tied to ransomware proceeds, using what he described as a single exchange account since July 2025. The case centers on three suspected ransom payments worth a combined 796 BTC.
In a detailed X thread on Tuesday, ZachXBT reported these funds moved across different routes, including Bitcoin wallets, exchanges, and bridges into the Tron network.
ZachXBT and his team reportedly contacted Khinkis on Telegram while posing as a client seeking to convert funds from Avalanche into fiat. Khinkis allegedly shared a deposit address that became the starting point for tracing flows tied to the laundering trail.
During the conversation, conducted in Russian, Khinkis allegedly provided an exchange deposit address:
0xa75666786a4e120110418ed3b4865a114d70706e
This address became a key anchor point in tracing the laundering flows.
Ransom payment traced to Aleks’ accounts
A second case dates to September 2025. ZachXBT said Khinkis’ exchange account traced back to four Bitcoin bridge deposit addresses tied to a suspected 72 BTC ransom payment from Sept. 2, 2025.
One of these addresses had more than 15% links to other wallets already known for ransomware activity, which means these addresses may be used to collect or process ransom payments.
Around that same time, about $1.36 million in Bitcoin was sent through instant exchange services. ZachXBT used timing analysis to match these Bitcoin transfers to Tron wallet addresses, including ones labeled TKdsVDE and TWxkK. Zack also revealed that one of these Tron wallets was also linked to another ransom transaction in October 2025.
Three ransom-linked flows form the core of the case
The most recent case in ZachXBT’s thread dates to October 2025, when he said Khinkis’ exchange account traced back to six Bitcoin bridge deposit addresses tied to a suspected 164 BTC ransom payment made on Oct. 10, 2025.
According to the post, funds moved through instant exchanges and bridges before about $3.8 million in Bitcoin was swapped out. Using timing analysis, ZachXBT said he identified the related Tron outputs. He added that seven Tron addresses were blacklisted by Tether in November 2025, and that the frozen USDT was burned three weeks ago.
A second case dates to September 2025, involving a suspected 72 BTC ransom payment from Sept. 2, 2025. ZachXBT said the flow traced back to four Bitcoin bridge deposit addresses, and that the initiating address had more than 15% exposure to other ransomware-linked wallets across multiple compliance tools, suggesting it may have acted as a payment processor.
In a follow-up post, he said roughly $1.36 million in Bitcoin from that September flow was swapped through an instant exchange and later consolidated into a Tron wallet that had transfers with a Tether-frozen address.
The earliest case goes back to September 2023, when ZachXBT linked Khinkis’ exchange account to five Bitcoin bridge deposit addresses tied to a suspected 560 BTC ransom payment from Sept. 19, 2023. He said those funds moved through intermediary services before being bridged from Bitcoin to Avalanche in 2024.
OSINT flags public exposure
ZachXBT also included open-source intelligence details on Khinkis, saying OSINT indicated he frequently travels outside Russia to Southeast Asia and Australia. The investigator added that Khinkis’ personal information appears in multiple data breaches and that he openly documents his travels on social media.
That public footprint, ZachXBT implied, stands out for someone allegedly involved in laundering ransomware proceeds.
Why this matters
Ransomware laundering methods are evolving beyond the older mixer-heavy playbook. The route described here blends OTC brokerage, bridge infrastructure, instant swap services, DeFi parking, and stablecoin exits — all while revolving around one exchange deposit address.
For exchanges and compliance teams, that raises a familiar question: whether the weak point in crypto crime is no longer just anonymous tooling, but the human intermediaries connecting illicit wallets to liquid off-ramps.
Also Read: Solana Launches API Platform for Stablecoins, Payments, and RWAs
