Review of current practice and problems in the seizure and subsequent sale of cryptocurrency in the Russian Federation
Note:
Paranoid Security specialists quite often act as experts in criminal cases involving cryptocurrencies. For this reason, we want to highlight the problem areas and provide an overview of Western practice.
Please note that the recommendations below reflect solely the professional opinion of information security specialists and do not constitute a legal opinion or legal advice.
The process begins when an investigator hands an expert one or more devices that may store crypto assets—such as mobile phones, flash drives, or dedicated hardware wallets. After receiving the devices, the expert analyzes them to identify traces of digital wallets, restore access to the assets, and confirm that a specific person controls the cryptocurrency.
A mobile wallet is simply an app on a phone, for example Trust Wallet.
On a flash drive, using Bitcoin Core as an example, the wallet is a file with the .dat extension that is used to restore the wallet. It may be protected with a password or left unprotected.
A hardware wallet is a small dedicated device (similar to a USB stick) used to store cryptocurrency securely. Unlike online wallets that are constantly connected to the internet, a hardware wallet keeps private keys offline. To send cryptocurrency from such a wallet, you must physically confirm the transaction by pressing buttons on the device. Examples include Ledger, SafePal and Trezor.
One of the first—and most common—problems when working with mobile wallets is the lack of internet access. Mobile devices typically arrive at investigative authorities with “airplane mode” enabled and may remain in that state for months. Because cryptocurrencies are highly volatile, this makes it difficult to determine an accurate exchange rate at the moment the device is examined and the report is drafted. In such cases, experts have to look for a compromise: either disable “airplane mode” and record the current rate, risking interference with the device’s original state, or record only the amount of crypto assets in the report without converting it to rubles or U.S. dollars. As of today, there is no clear and uniform practice on this issue, and investigative authorities’ requirements often differ from one another.
Next, the investigator goes to court to obtain a seizure order. The seizure procedure for cryptocurrency does not look like what we are used to: cryptocurrency seized from defendants is transferred to another wallet. In the first criminal case, a dilemma arose—could this fall under Article 303 of the Criminal Code of the Russian Federation? Does it alter the physical evidence? We leave this question to the competent authorities.
After the court issues a positive decision, the expert and the investigator create a new crypto wallet, carefully documenting every step in the official record. Sometimes this is done on the investigator’s computer; sometimes on the expert’s personal laptop. However, both approaches have obvious and very serious drawbacks.
First scenario:
When a wallet is created on the investigator’s work computer, the investigator gains full access to the wallet, including the seed phrase—a unique set of 12–24 random words that acts as the key to the crypto assets. Even though the professionalism of law‑enforcement staff is not in doubt, it is impossible to rule out compromise of the work computer due to malware infection, unauthorized access, or even something as simple as the dismissal of an employee who had access to the seed phrases.
Second scenario:
Creating a wallet on the expert’s personal computer also does not guarantee full security. Even if the expert demonstratively steps away from the laptop and allows the investigator to record the seed phrases independently, this does not eliminate the potential for the expert to regain access later. For example, using a keylogger, hidden screen recording, or a script that takes an invisible screenshot containing confidential information, the expert could theoretically retain control over the created wallet—despite publicly deleting all data in the presence of law‑enforcement personnel.
Obviously, both scenarios are insufficiently secure. They require careful handling and the development of dedicated procedures to minimize the risk of compromising crypto assets seized in criminal cases.
Solutions: Russia needs either custodial or non‑custodial storage of crypto wallets.
Custodial storage of crypto wallets is a way of storing cryptocurrency where a third party controls access to your coins (for example, a crypto exchange, a bank, or a specialized service). In essence, you entrust the safekeeping of your funds to someone else.
Think of it like a bank holding your money. You don’t carry cash with you—you trust the bank to keep it safe and available. A custodial wallet works similarly: you create an account with a service, and the service is responsible for storing and protecting your cryptocurrency.
Non‑custodial storage of crypto wallets is a way of storing cryptocurrency where you fully control your funds and the wallet keys. In other words, no one but you has access to your coins or manages them.
Think of it like keeping cash at home in a safe. You are personally responsible for its security, and only you know the access code. Likewise, with a non‑custodial wallet you store and protect the wallet keys yourself.
Option one is to make a government contractor the provider of storage and wallet-management services, provided it has passed all required certification procedures and uses so-called “orthodox” cryptography.
Option two is for the state itself to fully assume the provider’s role.
What does this look like in practice?
Regardless of which option is chosen, the general algorithm remains the same. Investigative authorities are provided with a centralized platform and user interface, where each unit or department has its own account. Inside the account there is a registry of wallets that have already been created. Working in the interface, an investigator selects an available wallet from the registry, fills out a simple form (for example, the criminal case number), and the wallet becomes assigned specifically to that investigator and becomes unavailable to other users of the system. This approach ensures transparency, eliminates the risk of unauthorized access, and makes it easy to control and audit actions involving crypto assets during an investigation.
While mechanisms and established practice already exist for examining crypto assets and placing them under seizure, the issue of their subsequent sale and crediting to state revenue remains far more complex and ambiguous today.
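The registry workflow described above (an investigator claims a free wallet for a case, after which it is unavailable to others, with every action auditable) can be modelled as follows. This is an added example, not code from any existing platform; the class, field names and sample values are hypothetical, and it assumes the registry stores only wallet addresses while key material stays with the custodian.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # constructed start value for the audit chain
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
@dataclass
class WalletRegistry:
    """Hypothetical registry: holds wallet addresses only, never seed phrases."""
    free: set                                     # wallets not yet assigned
    assigned: dict = field(default_factory=dict)  # address -> (investigator, case)
    log: list = field(default_factory=list)       # hash-chained audit entries

    def _audit(self, actor, action, address, case_no, ts):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        body = {"ts": ts, "actor": actor, "action": action,
                "address": address, "case": case_no, "prev": prev}
        self.log.append({**body, "hash": _digest(body)})

    def assign(self, investigator, address, case_no, ts):
        """Bind a free wallet to one investigator and case; refusals are logged too."""
        if address not in self.free or not case_no.strip():
            self._audit(investigator, "assign_denied", address, case_no, ts)
            return False
        self.free.remove(address)
        self.assigned[address] = (investigator, case_no)
        self._audit(investigator, "assigned", address, case_no, ts)
        return True

    def verify_log(self):
        """Return the index of the first altered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.log):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return i
            prev = entry["hash"]
        return -1

def demo():
    # Constructed sample data: wallet names, users and case numbers are placeholders.
    reg = WalletRegistry(free={"wallet-A", "wallet-B"})
    results = [reg.assign("investigator-1", "wallet-A", "case-0001", 1),
               reg.assign("investigator-2", "wallet-A", "case-0002", 2),  # already taken
               reg.assign("investigator-2", "wallet-B", "case-0002", 3)]
    intact = reg.verify_log()
    reg.log[0]["case"] = "case-9999"  # simulate a later edit of the record
    return results, intact, reg.verify_log()
```

A hash chain only exposes edits if the latest hash is also recorded somewhere the platform operator cannot rewrite, such as the signed case record.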
1. Through which platform or exchange should seized cryptocurrency be sold?
Reliable and legally transparent mechanisms for selling crypto assets must be defined, taking into account the risks of interacting with foreign platforms, security considerations, and the requirements of Russian legislation—which, unfortunately, is still lacking.
Although cryptocurrency exchanges in Russia effectively already exist, their legal status remains unclear. This significantly complicates work with seized crypto assets and creates additional legal and organizational risks. We therefore strongly recommend that the Government of the Russian Federation pay special attention to this issue and, as a priority, develop an appropriate regulatory framework to ensure transparency and security of cryptocurrency operations, including the sale of assets seized in criminal cases.
2. What should be done with cryptocurrency flagged (“marked”) by analytics systems of “unfriendly countries”?
Such labels can significantly complicate—or even completely block—the sale of cryptocurrency on major international exchanges, which requires alternative solutions or the creation of a national infrastructure independent of external restrictions.
In practice, the state does not formally “clean” bitcoins or other cryptocurrencies, because the immutability of the blockchain does not allow the traces of previous owners or transactions to be erased. In reality, this is about selling assets lawfully confiscated by a court decision.
For example, when a buyer purchases confiscated coins at an auction run by the U.S. Marshals Service (a specially established agency in the United States), they receive official documentary proof of ownership—a contract, receipt, or payment document confirming that the crypto assets were transferred to them legitimately. This documented chain of ownership removes questions about the legality of the coins’ origin, because government authorities (a federal court and the Department of Justice) recognized these assets as lawfully confiscated and officially offered them at a public auction.
In addition, leading analytics services such as Chainalysis or Elliptic typically update the status of such crypto assets promptly—usually after the first successful KYC procedure on reputable exchanges.
However, in the current geopolitical situation these major AML providers have stopped cooperating with Russia. Given that they are integrated into many large international crypto exchanges, participants in Russian auctions who purchase confiscated cryptocurrency may face serious risks—up to and including account freezes and the complete loss of acquired crypto assets. This again underscores the need to quickly develop a reliable domestic mechanism for selling and accounting for crypto assets within Russia.
3. How can the value of seized crypto assets be determined correctly given their volatility?
The lack of a stable exchange rate and sharp price swings—even within a few hours—create significant difficulties for valuation.
As a practical solution, the following mechanism for selling confiscated cryptocurrency can be proposed:
Rosimushchestvo is the federal agency that, by law (Regulations on Rosimushchestvo approved by Government Decree of the Russian Federation No. 432 dated 05.06.2008), manages property transferred to state ownership and organizes its sale.
Announcing the auction
Rosimushchestvo, or a government‑authorized custodian, publishes information about the upcoming auction in advance on the official website and in press releases. The announcement specifies:
- the volume and type of cryptocurrency being sold;
- the exact date and time of the auction;
- participation terms, including the minimum deposit and the participant registration procedure.
Participant registration and deposit
To ensure that participants have serious intent and to prevent fraud or “joke” bids, Rosimushchestvo (or the custodian) requires a cash deposit. The deposit amount can vary significantly—from hundreds of thousands of rubles to several million—depending on the size and importance of the lot being sold. All participants must confirm their identity and complete a KYC/AML procedure in accordance with Federal Law No. 115‑FZ.
Conducting the auction
The auction itself may be conducted in a sealed‑bid format, where participants submit their offers in a closed form. After the bid‑submission deadline, Rosimushchestvo or the appointed custodian opens the bids and selects the winner(s) based on the highest offers. An open bidding format is used less often, where volumes or specific conditions allow.
Determining and notifying winners
After the winner is determined (or several winners, if the lot was split), Rosimushchestvo officially notifies them of the result. The winner must, within the prescribed period, transfer the remaining amount—minus the previously paid deposit—to the specified official account.
Transfer of crypto assets
After full payment is confirmed, Rosimushchestvo or the custodian transfers the cryptocurrency to the wallet specified by the winner of the auction. The transfer of crypto assets is strictly documented, which eliminates the risk of double‑spending and other errors and ensures full transparency and reliability of the entire process.
Key features of the auction mechanism
It is important to emphasize that an auction for selling confiscated cryptocurrency is fundamentally different from ordinary exchange trading. There is no classic exchange mechanism with instant bids and strict market quotes. Instead, each participant independently determines their price offer based on their own market assessment and personal expectations regarding the cryptocurrency’s value.
Price volatility between the court decision and the auction date
The state does not try to guess the perfect moment to sell crypto assets and does not adjust the auction date to changes in the bitcoin (or other cryptocurrency) exchange rate. The main goal of Rosimushchestvo (or the appointed custodian) is a fast and transparent conversion of confiscated assets into fiat funds. Thus, if at the time of the court decision bitcoin was valued at $50,000, and by the time of the auction the price fell to $45,000, the auction will not be postponed in the hope that prices return to previous levels. The sale will take place on the conditions and at the bids offered by participants on the auction date.
No official minimum price and the right to reject bids
Although no strict minimum price threshold is set, Rosimushchestvo (or the authorized custodian) has the right to reject individual offers if they are deemed unreasonably low or contrary to the interests of the state. There is also an option to reject all submitted bids if none of the offers meets the established criteria of economic reasonableness.