No Honor Among Troll Faces: The Latest Lawfare against Prigozhin’s Trolls

Yesterday, Treasury sanctioned four people for election interference. Rudy Giuliani associate Andreii Derkach has gotten most of the attention. But Treasury also sanctioned three people associated with Yevgeniy Prigozhin’s troll operation.

Today, Treasury also designated three IRA actors pursuant to E.O. 13694, as amended by E.O. 13757, and E.O. 13848 for having acted or purported to act for or on behalf of, directly or indirectly, the IRA, an entity designated pursuant to E.O. 13694, as amended, and E.O. 13848. Russian nationals Artem Lifshits, Anton Andreyev, and Darya Aslanova, as employees of the IRA, supported the IRA’s cryptocurrency accounts. The IRA uses cryptocurrency to fund activities in furtherance of their ongoing malign influence operations around the world.

The identifying information announcement provides not just passport and date of birth information (which is normal), but for two of the sanctioned individuals, it includes 17 and 6 crypto-currency addresses, respectively.

ANDREYEV, Anton Nikolaeyvich (Cyrillic: АНДРЕЕВ, Антон Николаевич), 9 3 Bloshevikov Prospect Apt 35, Saint Petersburg, Russia; DOB 03 Mar 1985; POB Saint Petersburg, Russia; nationality Russia; Email Address [email protected]; Gender Male;

Digital Currency Address – XBT 1Fz29BQp82pE3vXXcsZoMNQ3KSHfMzfMe3;

alt. Digital Currency Address – XBT 1AeSq93WDNdLoEJ92sex7T8xQZoYYm8BtS;

alt. Digital Currency Address – XBT 1AoxtfiBQ22DvbhqAN9Ctb8sULMRhrdwTr;

alt. Digital Currency Address – XBT 18Qj1THHuETfYhuRDZycXJbWwDMGw73Poa;

alt. Digital Currency Address – XBT 1MnbhWe5wr7Ut45ReyQsm96PwnM9jD7KaH;

alt. Digital Currency Address – XBT 1DYFJ6CuBvrxyoQSuBzVsNcetY9tvdsrag;

alt. Digital Currency Address – XBT 15Pt4NwZaUmMUwS2bQbyyncc7mzgWShtv8;

alt. Digital Currency Address – XBT 1PhqQpaGCrqSxQ6QDXcv14QCd1U98Zp34E;

alt. Digital Currency Address – XBT 13YBQr2Cp1YY3xqq2qngaPb7ca1o4ugeq6;

alt. Digital Currency Address – XBT 1KgudqxMfYaGzqAA7MS4DcsqejtMteqhix;

alt. Digital Currency Address – XBT 1FRyL9gmFGbzfYDAB4iY9836DJe3KSnjP9;

alt. Digital Currency Address – XBT 1DbShx4r8i2XesthoDBf5EkYWz5dsKEusV;

Digital Currency Address – ETH 0x8576acc5c05d6ce88f4e49bf65bdf0c62f91353c;

Phone Number 79315403678;

Digital Currency Address – LTC LWnbjLYUfqeokfbWM4FcU7uk2FP2DSxuWS;

alt. Digital Currency Address – LTC LaYUy1DGfVSuSF5KbPhbLrm8kRotqiwUJn;

Digital Currency Address – ZEC t1WSKwCDL1QYRRUrCCknEs5tDLhtGVYu9KM;

Digital Currency Address – BSV 12sjrrhoFEsedNRhtgwvvRqjFTh8fZTDX9; Passport 4005504207 (Russia) (individual) [CYBER2] [ELECTION-EO13848].


LIFSHITS, Artem Mikhaylovich (Cyrillic: ЛИФШИЦ, Артем Михайлович), Primorsky Prospect 159, Saint Petersburg 197374, Russia; DOB 26 Dec 1992; nationality Russia; Email Address [email protected]; alt. Email Address [email protected]; Gender Male;

Digital Currency Address – XBT 12udabs2TkX7NXCSj6KpqXfakjE52ZPLhz;

alt. Digital Currency Address – XBT 1DT3tenf14cxz9WFNxmYrXFbB6TFiVWA9U;

Digital Currency Address – ETH 0x901bb9583b24d97e995513c6778dc6888ab6870e;

alt. Digital Currency Address – ETH 0xa7e5d5a720f06526557c513402f2e6b5fa20b00;

Phone Number 79110354982;

Digital Currency Address – LTC Leo3j36nn1JcsUQruytQhFUdCdCH5YHMR3;

Digital Currency Address – DASH Xs3vzQmNvAxRa3Xo8XzQqUb3BMgb9EogF4; Passport 719032284 (individual) [CYBER2] [ELECTION-EO13848].

Yesterday, EDVA also announced a single criminal charge of conspiracy to commit wire fraud against one of the sanctioned people, Artem Lifshits, who in 2017 was head of the “Translator Department [or Project],” which is what the troll project focusing on the US is called. As the excerpt above notes, Lifshits actually got fewer of his cryptocurrency accounts sanctioned than another of the targets, Anton Andreyev.

I’d like to look at how the criminal complaint complements the two other sets of charges against Prigozhin’s troll operation, the indictment against 13 of the actual trolls as well as some of the companies involved (here’s a very long post on that prosecution), and Prigozhin himself and a complaint against one of the accountants involved, Elena Alekseevna Khusyaynova (here’s my post on that). Along with renewing and fleshing out the case against Prigozhin, the complaint may be an effort to sow discord within Prigozhin’s operation, by alerting him that some of his employees may be helping themselves to company troll funds.

The affidavit by a Secret Service Agent supporting the complaint incorporates the other two legal actions and includes them as exhibits to this charge. It even includes a footnote explaining why DOJ dismissed the charges against Prigozhin’s shell companies.

On March 16, 2020, the United States dismissed Concord Management and Consulting LLC from the Indictment. Concord “availed itself of the Court’s jurisdiction to obtain discovery from the United States . . . while positioning itself to evade any real obligations or responsibility,” even refusing to produce a corporate representative despite “appearing” through counsel. Mot. to Dismiss Concord Defs., 2, 6, United States v. Internet Research Agency, et. al, 1:18-cr-32 (DLF) (D.D.C. Mar. 16, 2020). In light of the defendant’s conduct, the United States dismissed these parties from the Indictment, stating substantial federal interests were no longer served by continuing the proceedings against them. See id. at 9. The Indictment remains pending and active as to thirteen named individual defendants and the IRA.

After some introductory matter, the affidavit:

  • Describes the Lakhta disinformation project generally, including a brief overview of its attempts to sow discord between December 2016 through May 2018, incorporating some but not all of the examples from the Khusyaynova complaint, and adding a few new ones, including three paragraphs on use, starting in July 2019 of a cover company located in Accra, Ghana.
  • Describes how in October 2018 the Secret Service started investigating the role of cryptocurrency in the operation.
  • Explains that Lifshits served as head of the Translator Department.
  • Describes how Lifshits transferred money from a BTC account opened using the stolen identity of “T.W.” to his own personal account, the central allegation of wire fraud laid out in the indictment.

The basic proof accusing Lifshits of using T.B.’s stolen identity to open a Bitcoin account that he then used to transfer money into his own account relies on very basic metadata analysis obtained using legal process:

  • Evidence backing the selectors of Lifshits tie to his biological person and one of the cryptocurrency accounts he transferred money into (including two other Internet troll employees’ address book entries with his phone number, one of which referred to him as “Troll Face”).
  • Evidence showing Lifshits applying to Project Lakhta in July 2015 and appearing on rosters of Project Lakhta employees dated January 28, 2017 to October 26, 2017.
  • A description of finding order confirmations in the known IRA email, allforusa, from a criminal marketplace that sold fraudulent identities (this might be Richard Pinedo’s site).
  • Two paragraphs describing interviews with T.W. and another identity theft victim, T.B.,  in which they said he had never owned any cryptocurrency themselves and had not authorized anyone to do so on their behalf.
  • IP analysis showing Lifshits accessing cryptocurrency addresses (including his own) from an IRA IP address, as well as from a US-based account set up using a stolen identity but controlled by IRA.
  • IP address analysis showing him accessing the T.W. cryptocurrency account at the same time he accessed one of his own accounts, into which he transferred funds.
  • User Agent String analysis showing those accounts being accessed by the same browser.
  • IP analysis establishing venue in EDVA via some AWS servers.

In other words, the complaint, after invoking the two other legal actions against IRA and Prigozhin, finds one manager amid Prigozhin’s employees and shows some very basic metadata evidence — relying on neither intelligence nor some of the more sophisticated blockchain analysis the US government would like to hide — to accuse the manager, Lifshits, of wire fraud because of a financial transfer involving the stolen identity of an American.

There are two interesting aspects of the complaint, besides the way it slowly builds the case against Prigozhin via interlocking accusations.

First, a key passage of all this describes that Lifshits made this transfer “for personal gain.”

60. On or about December 29, 2017, LIFSHITS accessed and used the T.W. Exchange 1 Account to conduct an electronic transfer of funds from the T.W. Exchange 1 Account to his personal Exchange 3 account. This transaction is publicly viewable on the Bitcoin blockchain and USSS confirmed its existence through other investigative means.

61. On or about December 29, 2017, LIFSHITS used United States IP Address 1 at 15:35 UTC to access his Exchange 3 account. Then, three minutes later, he used the same IP address to access the T.W. Exchange 1 Account. This is on the same day that the T.W. Exchange 1 Account sent an electronic funds transfer to LIFSHITS’ Exchange 3 account.

62. With this transaction, LIFSHITS (1) intentionally and voluntarily devised or participated in a scheme to defraud — as evidenced by controlling and using a fraudulent cryptocurrency account, and (2) used interstate wire communications to further the fraud — as evidenced by the online cryptocurrency transactions.

It doesn’t say, one way or another, whether this was a sanctioned transfer of funds out of an IRA-controlled account or not. The government may have used this 34-page affidavit not only to flesh out the case against Prigozhin, but also to reveal that one of his employees is bilking him, effectively stealing trolling funds.

But the complaint also mentions a Co-Conspirator 1, who along with Lifshits bought identities using cryptocurrency.

Law enforcement obtained a search warrant for the contents of the email account [email protected], which as stated above is associated with a cryptocurrency account linked to both LIFSHITS and Co-Conspirator 1. During a review of the emails, law enforcement located “Order Confirmation” emails received from an online criminal marketplace that sells fraudulent passports and similar identification documents (the “Criminal Marketplace”). These emails corresponded to purchases of United States driver licenses that reflected the real names, addresses, and dates of birth of United States identity theft victims. This type of personally identifiable information is a “means of identification” as defined in Title 18, United States Code, Section 1028(d)(7).

It describes Co-Conspirator 1 as the sole other beneficiary of transfers out of a different IRA trolling account (though also suggests that one of the guys charged in the larger indictment might also be conducting such transfers as well).

The T.W. Exchange 1 Account reflected debits to several beneficiaries, including accounts registered to LIFSHITS and another known Project Lakhta member (“Co-Conspirator 1”). The IP activity associated with the T.W. Exchange 1 Account also matched the IP address activity of cryptocurrency accounts registered to LIFSHITS and Vladimir Venkov, who is charged in the USAO-DC Indictment.

It then introduces an account based off a different stolen identity, that of T.B., from which funds were transferred into an account controlled by the Co-Conspirator.

USSS identified a second account, which was hosted at another United States cryptocurrency exchange (“Exchange 2”). The Exchange 2 account was registered to a known Project Lakhta email account, [email protected] (hereinafter the “AllforUSA Exchange 2 Account”).7 Project Lakhta members opened the AllforUSA Exchange 2 Account using the identifiers of T.B. According to Exchange 2’s records, Project Lakhta members solely funded the AllforUSA Exchange 2 Account with an incoming credit from an account also in the name of T.B. at a United States-based financial institution. This credit was used exclusively to fund outgoing payments to a Blockchain wallet that USSS investigators determined was controlled by Co-Conspirator 1.

Now, it may be that the government only introduced Co-Conspirator 1 to establish venue in EDVA (which went through the T.B. account).

But it sure sounds like it is describing Co-Conspirator 1 as engaging in the same kind of transfers from IRA accounts into his own personal accounts that it describes Lifshits as doing.

Perhaps stealing from the troll till is considered part of their official compensation (elsewhere, the complaint cites the salary of Lifshits, so the US government may know the answer). Or perhaps these guys whose cryptocurrency addresses just got published in a US sanction announcement have been stealing from Prigozhin, in which case the US Treasury just provided Prigozhin a lot of hints about how to prove it.

19 replies
  1. vicks says:

    I’m sorry to by-pass the point of this post by nit-picking on the behavior described in the complaint but
    “law enforcement located “Order Confirmation” emails received from an online criminal marketplace that sells fraudulent passports”?
    Do they send customers tracking info when their passport ships as well?
    Seriously, why would a criminal enterprise deliberately provide a digital trail that connects and confirms both sides of an illegal transaction?

    • P J Evans says:

      I doubt that the order confirmation says “digital passports” – it may just say “your order has been received”.
      It’s good business to give your customer a receipt for their purchase.

      • vicks says:

        “It’s good business to give your customer a receipt for their purchase”
        You have a point, competition is everywhere, I have to start thinking more out of the box, it pays to be savvy, even in “online criminal marketplaces”
        A more serious question, I am not seeing anything indicating what sort of money is in these accounts or being moved around, can they not see the amounts or it it by choice or protocol to exclude these details in an announcement?

        • P J Evans says:

          They seem to prefer Bitcoin or something similar. (A friend and I have both gotten spam emails trying to extort money in the form of payments to Bitcoin accounts.)

  2. Pam in CT says:

    Trolling the trolls, lol.

    I was interested/ puzzled that the warrant was prepared by a US Secret Service agent, rather than FBI. How common, as a general matter, is their leadership on a law enforcement issue like this?

    And what might the USSS interest be in this particular matter, which would seem (?) to be pretty far afield from the protective services business I think of as their principal function.

    • ThoughtMail says:

      Hope this helps you. It’s not authoritative, but accessible:

      “Primary Missions
      “The Secret Service is mandated by Congress with two distinct and critical national security missions: protecting the nation’s leaders and safeguarding the financial and critical infrastructure of the United States.”


      Seems squarely within their mandate in re currency (printed money or crypto).

      • P J Evans says:

        We’re so used to think of Secret Service in connection with the president that we forget they started with the Treasury department, looking for counterfeiters.

      • Pam in CT says:

        That is fascinating – thanks.

        At face value, “safeguarding the financial and critical infrastructure” would seem to give USSS a pretty wide door into investigatory functions.

    • Franktoo says:

      Still surprised to hear that no one remembers that Acting AG Rosenstein took the unusual step of appointing a special consul to prevent the executive branch from further interfering in this investigation. Now that Mueller has efficiently completed his task (he gained at least some cooperation from many of those involved) in a relatively short period of time and closed his shop, the DoJ is abandoning guilty pleas obtained by Mueller – and probably can’t justify doing so if Sullivan can force it to defend its decision. Rosenstein’s actions indicate that the standard assumption that the DoJ has acted properly in dismissing the case clearly shouldn’t apply.

  3. Savage Librarian says:

    ew says:
    “After some introductory matter, the affidavit:
    * Describes the Lakhta disinformation project generally, …including three paragraphs on use, starting in July 2019 of a cover company located in Accra, Ghana.”

    The last time I remember reading something about Ghana, it was this (part 3 of a 3 part series):

    “Death of a Banker: Did Laundered Russian Billions Play a Role? Part 3” – WhoWhatWhy, 11/29/19
    “When Aleksei had mentioned Danske Bank, the fellow said he had known Rehe all the way back to the 1990s, when they had both worked together at another bank, one he described as “dodgy.” He said that in the last few months Rehe had been exploring opening a bank in Ghana.”

    “That was the first I’d heard of this. It didn’t sound like a man who had given up hope. It was also a controversial choice of destination for a man fleeing a scandal that had damaged his reputation for probity — given the chaotic state of Ghana’s own banking industry and its reputation as a hub for the international narcotics trade. (A web search then turned up the intriguing fact Estonia is the drug overdose capital of Europe. A higher proportion of its citizens die from drug overdoses than in any other European country.)”

    “Of note, Putin recently announced that Russia plans to provide “significant assistance” to African countries in battling a range of security threats, including “organized crime, drug trafficking, [and, wait for it] money laundering.” [Italics added]”
    “That brought to mind another nagging angle: the baffling statement that, when Rehe went missing, the police considered the possibility that he had been placed into a witness protection program.”
    “I later learned that, about two weeks before Rehe’s death, a delegation had come from Russia to speak with the Estonian authorities about cooperation in combating money laundering. Which is interesting because of suspicions about what in banking parlance is called “the beneficiary owners.” 

    “Putin is all over it,” money laundering expert Graham Barrow had told me. “You don’t shift that much money out of Russia without Putin having a say-so. In Russian, they call a protector a ‘krysha.’ Putin is krysha of the krysha. Protector of the protectors.”

    “Meanwhile, Putin, who some speculate is now the richest person in the world, has taken to accusing a potent political opponent, the charismatic opposition leader Alexei Navalny, of…  money laundering.”
    “Nonetheless, Danske Bank Estonia, under Aivar Rehe, shut down Lantana’s accounts — as well as those of 20 other Russia-tied firms aggressively moving money among themselves and Lantana, through Rehe’s branch. 
    So there’s that — one more thing to add to the ponderables we have to keep in mind if we are to get to the bottom of this.”

    “Just as Danske Bank was being investigated in part regarding transactions relating to Russian President Vladimir Putin, Deutsche Bank was being investigated in part regarding transactions relating to US President Donald Trump, some of whose own loans were approved by the latest victim.”

  4. Rugger9 says:

    Apparently Nora Dannehy just resigned from the Durham investigation citing pressure to produce a report on a political timeline instead of an investigational one.

    Some things to keep in mind here IMHO is that this is a confirmation of the suspicion that Durham’s investigation was a snipe hunt designed to create an October surprise, and Ms Dannehy did not want to set fire to her reputation to support it. Given her background during Bush 43 looking at the USA firing scandal I find it hard to believe she wouldn’t take on the tough but delicate jobs.

    • ThoughtMail says:

      Taking into consideration how much the Mueller SCO was circumcised (only two issues), how long it took (to date, Durham is nearly as long), and the number of pages it contained in its report (~500), it’s interesting to consider (1) how many pages a Durham Report might be, (2) how long it will take to analyze/digest, (3) how long, how much will be refuted/refutable and, (4) what, if any, effect it could/would have on the election (particularly, given that early voting is beginning).

      At this point, all of that would be mere speculation (wasted ratiocination?), and eventually parsed by historians (more wasted ratiocination and self-serving justification).

      (Why do I even bother with this???! I should drink less coffee.)

      … pours another …

  5. Vicks says:

    If anyone is keeping score, clearly the good guys win this week.
    I can’t help but wonder if we are witnessing individual acts of revenge (being served cold) and breaking news or something a bit more structured?
    Adding to the questions from this week:
    How the heck did the NY Daily News get the Trump admin to admit to “defunding FDNY’s 9/11 healthcare program” on 9 freaking 11?
    I just realized there are two questions in there, perhaps the more important one is how these reporters from the Daily News got anyone from the Trump administration to admit anything?

    • Alan Charbonneau says:

      “I can’t help but wonder if we are witnessing individual acts of revenge (being served cold) and breaking news or something a bit more structured?”

      I think there are lots of people in the government that do not want Trump around for another four years and, starting with the “Russian Bounties” story, are starting to help make sure he isn’t re-elected. Now we have the Atlantic story (granted, Sullivan was working on it for some time) and Woodward’s audiotapes, “obtained” by the press a week before the book is published.

      I’m betting that there are more things that will leak to the press. If Barr does produce an October Surprise, the reverse of the Access Hollywood tape will occur — something damning will hit Trump in short order and change the news cycle.

      As Lucian Truscott IV wrrote about the Russian Bounties:
      “Remember that old saying, ‘When they tell you it’s not about sex, it’s about sex.’ Well, when newspapers tell you who refuses to comment on a story, they’re telling you who leaked the story to them in the first place and hinting strongly at their motive.”

      Trump has pissed off lots of people, in the IC and elsewhere, and they ain’t a gonna forget. I expect the next 7 1/2 weeks to be ever more damaging to His Orangeness

Comments are closed.