A 73-bitcoin stash sitting untouched in a separate crypto wallet may be what eventually brings a Russian crypto broker to justice.
That dormant pile of digital cash, flagged by blockchain investigator ZachXBT, sits at the edge of a much larger money trail — one that reportedly spans three ransomware payments, multiple networks, and at least one undercover Telegram conversation.
Sting Operation Cracked The Case Open
ZachXBT, an anonymous on-chain investigator with a long record of tracing illicit crypto flows, identified Russian OTC broker Aleksandr Khinkis as the central figure in the alleged scheme.
According to reports, investigators posed as potential clients and contacted Khinkis directly through Telegram. He allegedly handed over an exchange deposit address — a move that gave investigators the thread they needed to pull.
1/ Meet Aleksandr (Aleks) Khinkis, a Russian OTC broker who has allegedly helped a ransomware group launder $4.7M+ via a single crypto exchange account since July 2025, across three suspected ransom payments totaling 796 BTC. pic.twitter.com/GpOjAvtaAd
— ZachXBT (@zachxbt) March 24, 2026
That single address, starting with 0xa756, became the anchor point for the entire investigation. From it, researchers tracked roughly 75 transfers funneling more than $4.7 million into the same account. The money had been moving since at least July 2025.
Three Ransoms. Three Trails. One Broker
The alleged laundering involved three separate ransomware payments totaling 796 BTC. Each left a distinct footprint across multiple blockchain networks.
The oldest case dates back to September 2023, when five Bitcoin bridge deposit addresses were tied to a 560 BTC ransom. Those funds eventually crossed into the Avalanche network sometime in 2024.
2/ Last month we reached out to Aleks via a Telegram account posing as a potential client looking to convert crypto assets on Avalanche to fiat.
He promptly provided his exchange deposit address:
0xa75666786a4e120110418ed3b4865a114d70706eThe conversation was conducted in... pic.twitter.com/zt827Du3Ow
— ZachXBT (@zachxbt) March 24, 2026
A second payment of 72 BTC, traced to September 2025, showed more than 15% overlap with known ransomware wallets across compliance screening tools. About $1.36 million from that batch moved through instant exchanges before consolidating into a Tron wallet.
The most recent and largest payment — 164 BTC — was recorded in October 2025. Based on reports, around $3.8 million in bitcoin passed through instant exchanges before reaching Tron-linked outputs.
Seven Tron addresses connected to that flow were frozen by Tether the following month. The frozen funds were later burned, confirming that enforcement action had been taken.
Meanwhile, an additional $16.6 million remains sitting in related addresses or platforms, with some of it already being cashed out.
Law Enforcement Now Has the Data
ZachXBT confirmed that compliance teams and law enforcement agencies have received detailed records of the traced addresses and fund movements. No arrests have been publicly announced.
Beyond the blockchain data, open-source intelligence painted a clearer picture of Khinkis as a person. Reports indicate he travels outside Russia regularly — including trips to Southeast Asia and Australia — and documents those trips openly on social media.
The 73 BTC still sitting dormant at a separate address hasn’t moved. If and when it does, investigators will almost certainly be watching.
Featured image from Pexels, chart from TradingView
