Blockchain investigator ZachXBT publicly identified Russian over-the-counter broker Aleksandr Khinkis on Tuesday as allegedly assisting a ransomware group in laundering more than $4.7 million through a single cryptocurrency exchange account. The funds stem from three suspected ransom payments totaling 796 BTC routed since July 2025. Khinkis, who operates as an intermediary converting crypto to fiat, provided his Avalanche deposit address during an undercover Telegram conversation last month when contacted by someone posing as a legitimate client. The exposure has drawn immediate attention across the crypto community, highlighting ongoing challenges in tracing and disrupting ransomware proceeds.
OTC Broker Linked to Ransom Flows
The allegations center on Khinkis’s role in handling illicit cryptocurrency transfers for a ransomware operation. ZachXBT’s investigation claims the broker’s exchange account received portions of three separate ransom payments via Bitcoin-to-Avalanche bridges, spread across 75 transfers from July 2025 through March 2026. An additional roughly $16.6 million in connected funds reportedly remains deposited in Aave and continues to be periodically withdrawn. The investigator reached out to Khinkis in Russian via a fake client account, after which the broker quickly shared his deposit address for potential business. This direct interaction formed a key part of the public disclosure, raising questions about operational security among OTC intermediaries dealing with high-volume crypto conversions.
International Travel and Enforcement Hurdles
Khinkis frequently travels outside Russia to destinations in Southeast Asia and Australia, with his personal details appearing in multiple data breaches and his movements documented openly on social media. ZachXBT described this level of public visibility as unusual for someone allegedly processing millions in ransomware-related funds. The investigator expressed hope that law enforcement agencies will pursue prosecution, while noting that involvement of multiple jurisdictions significantly complicates any case. A separate cluster of 73 BTC linked to the activity remains dormant and is expected to be moved and laundered in the future. When the research began in early October 2025, few related addresses had been flagged by third-party compliance providers.
Update to the story: We reached out via Telegram for comment on the media/screenshots ZachXBT posted. Shortly after, he removed his profile pics and hiked the pay-to-message from 1 Star to 35K Stars.
