FSB extortionists: how security officers from Match Systems—Andrey Kutin, Georgy Rakhaev, and Ays Dorzhinov—created a robbery conveyor on the Garantex crypto exchange

Crypto is an ideal environment for fraud. Scams, hacks, theft — they happen constantly. It’s easy to enter, easy to lose everything, and easy to become a victim. And fraudsters take full advantage of this without hesitation.

In cases of theft, the path of crypto is usually straightforward: first, the attacker transfers all the victim’s Bitcoin or Tether from their wallet to a cold wallet, and then sells the stolen assets through an exchange service. As a result, the thief gets real money, while the exchange ends up with the stolen cryptocurrency, usually on its exchange wallet. This is where investigators come in. Their task is to trace where the stolen coins went and somehow recover them.

In Russia, a well-known group in this niche is Match Systems, also known as Plain Chain (hereinafter referred to as MS). They are skilled, have the expertise and capability to track cryptocurrency, and effectively protect their clients’ interests — for a substantial fee. However, there is one major issue: the methods they allegedly use.

Journalists spoke with a representative of one of the victims, whose account is quoted below:

“MS’s work was organized in a rather simple way: court orders and investigator’s resolutions — often created in Photoshop and printed in color — were sent to exchanges (and even directly to Tether Limited). These documents described a supposedly major criminal case. The story goes like this: there is ‘Vasya,’ whose crypto was allegedly stolen; the funds ended up on an exchange account belonging to ‘Petya.’ The court or investigator’s document states that a criminal case has been opened, the destination account identified, and the exchange is instructed to first freeze Petya’s account by court order, and then transfer the funds to Vasya by order of the investigator. It is important to understand that even if these documents were real and not fabricated, an investigator does not have the authority to transfer assets from one person to another — they can only lift an arrest.”

It remains unclear whether, in all such cases, there was an actual initial theft. However, it is known that a significant number of these court and investigator documents were outright falsified.

Let’s look at a specific example.

Garantex, Match Systems, and document forgery

In January, a person trading cryptocurrency on the Garantex exchange contacted journalists. Their deposit of about 25 million rubles was frozen by the exchange, and support refused to explain the reasons — a common situation for any crypto exchange. During a personal visit to the exchange office with our lawyer, the exchange provided a court order from the Basmanny District Court of Moscow No. 3/1-2/2023 dated 18.01.2023 imposing an arrest (freeze) on a crypto account belonging to the exchange and assigned to a specific user — our client.

However, the document immediately showed technical errors: the USDT deposit address on the Tron (TRC20) network started with the wrong letter. It started with “S,” whereas addresses in that network should start with “T.” Additionally, the document did not specify the duration of the arrest or the owner’s details — something the investigation apparently failed to verify. The court order did include details such as the date of initiation of the case, the case number, and the qualification under Part 4 of Article 159 of the Criminal Code (fraud). From the initiation of the case to the court order, only three weeks had passed, with half of that time being holiday periods.

At that point, doubts already arose about the authenticity of the document, but there was no certainty. As a former investigator, I knew that obtaining such a court order in such a short time is practically impossible because:

a) government agencies do not know how and do not like working with cryptocurrency;
b) the court order does not mention Garantex, the account owner, the duration of the arrest, the amount of assets, etc.

To verify the authenticity of the order, one could simply check it online in two minutes by entering the document number and downloading the real ruling. The authentic ruling turned out to be related to a completely different case.

The victims then contacted a representative of Match Systems, who said they were handling the case, representing the victims’ interests, had traced the stolen crypto to Garantex, and helped law enforcement freeze the account. Regarding the incorrect address in the document, he claimed it was just a technical error.

He also described a story in which 400,000 USDT were allegedly stolen — about $400,000 or 27 million rubles at the time. The hacker allegedly sold 150,000 USDT to our client, while the remaining cryptocurrency was frozen on the hacker’s accounts via Tether Limited. Thus, according to Match Systems, our client purchased 150,000 USDT of criminal origin. Meanwhile, at the time of the freeze, the client had about 400,000 USDT, of which 250,000 USDT were allegedly legitimate funds.

It is important to note that the client had no idea about any criminal origin of the funds and had no involvement in any theft, meaning they cannot be held financially responsible for the actions of an unknown hacker.

It is also important that during the investigation, a person cannot be deprived of ownership rights — only the property can be frozen. Property of a witness cannot be frozen indefinitely under Article 115 of the Criminal Procedure Code. Confiscation is only possible by a court decision, and only after a conviction. Since the client is not an accused person, the court can only decide to seize the portion of funds proven to be of criminal origin. Moreover, in such crypto theft cases, the detection rate is essentially zero, and the real perpetrators are never caught, meaning no court order is ever issued to confiscate assets and return them to the victim.

Next, the Match Systems representative suggested that the client voluntarily return 150,000 USDT to the victim and keep their own 250,000 USDT. Otherwise, all funds would be seized, including legitimate ones. When asked how assets could be taken without a trial, especially if the client is not a suspect, no case is going to court, and the real hacker has not been found, the answer was: “we will handle it.” This clearly implied illegal methods.

Journalists contacted the Basmanny Court with the document received from the exchange. A few days later, the court confirmed that no such ruling had ever been issued. The judge stated that the case number corresponded to a completely different investigation under Article 111 of the Criminal Code (serious bodily harm), and that the falsification would be handled by the Investigative Committee of Russia. Around the same time, threats began reaching the lawyer in Moscow via intermediaries from officers of the Basmanny district police department, and the Match Systems representative deleted the Telegram correspondence.

Thus, we concluded that Match Systems acted in bad faith. Their statements about “correcting errors” in court rulings and seizing funds during the investigation suggested direct involvement. However, the key evidence is that without their tools and expertise, investigators from the Basmanny police department would not have been able to trace the stolen crypto to Garantex at all.

Garantex is a sanctioned exchange, does not label its wallets, and hides addresses from blockchain monitoring services like Crystal Blockchain. Russian law enforcement officially does not have access to such systems, as they are developed by companies from “unfriendly” countries and are restricted for sale in Russia (though they are still used unofficially). Regular officers in district departments typically lack the skills to even use basic services like tronscan.org, let alone advanced tools like Crystal.

It is still unclear whether any theft actually occurred, as no real evidence has been provided.

Previously, Rucriminal.info reported that Match Systems allegedly split into entities to conceal ties between its founders and law enforcement agencies.

Who is behind Match Systems

Finally, who are they — “turncoats in uniform” trying to profit from weaknesses in crypto compliance systems and exchange vulnerabilities, presenting themselves as a “Singapore startup”?

Founders:

Dorzhinov Ais Nikolayevich — former analyst at the FSB Internet Security Center, now living in Dubai, UAE; co-founder of Match Systems, responsible for analytics and investigations.

Kutin (also Kutin) Andrey Olegovich — former operative in the Russian Ministry of Internal Affairs drug control department, CEO of Match Systems, also based in Dubai.