Binance CEO Changpeng “CZ” Zhao said that earlier this year the world’s biggest crypto exchange deactivated accounts associated with Suex, which was designated as a money laundering vehicle by the Office of Assets Control (OFAC) on Tuesday.

The U.S. government blacklisted 25 blockchain addresses for bitcoin, ether and tether that the regulator said Russia-based Suex used for its operations.

“We de-platformed these accounts based on internal safeguards,” Zhao said in a blog post on Wednesday. “Information regarding the addresses in the announcement, as well as other information from our internal investigation was shared with the appropriate authorities and we continue to collaborate with law enforcement to cast sunlight on those threat actors that seek to abuse our platforms, such as Suex.”

Some of the addresses listed by OFAC were last active in 2019 or 2020, but some were used as recently as August. Binance didn’t immediately respond to questions about when it deactivated the accouts.

Earlier, crypto sleuthing firm Chainalysis said it helped OFAC identify the Suex’s crypto wallets, adding that the OTC firm helped launder money coming from major scams, hacker groups and drug traffickers. Elliptic, another blockchain analytics firm, wrote in a blog post the addresses received about $934 million worth of crypto in total.

Particular pattern of use

Analysis of the 25 addresses listed by the OFAC shows all but two are exchange deposit addresses that had apparently been used by Suex to buy and sell crypto on behalf of its clients.

The addresses have a particular pattern of use: Identical amounts of crypto hit the addresses and leave immediately without accumulating or getting split. That most often indicates an address designated by an exchange for users to deposit money. Crypto flows from such wallets to the exchange’s hot wallets. The pattern can be seen, for example, on this BTC address, ETH address and USDT address.

Further research on the addresses indicated that most belong to two exchanges: Binance and Huobi. When contacted, Huobi declined to comment on whether the listed addresses belonged to it.

It’s also possible that Suex used other addresses, which OFAC has yet to identify, Elliptic co-founder Tom Robinson told CoinDesk by email.

According to Chainalysis, Suex processed almost $13 million of crypto from ransomware operators, including Conti, Maze, Ryuk and others; over $24 million from scams, including Finiko, a major crypto Ponzi scheme that operated in Russia and Ukraine; more than $20 million from darknet markets, especially the Russia-based Hydra; and over $50 million from BTC-e, the now-defunct crypto exchange whose alleged operator, Alexander Vinnik, recently went to jail for money laundering in France.

The Finiko scam heavily relied on Suex’s services, said Scott Pounder, head of investigations at the blockchain analytics firm Crystal Blockchain.

“We noticed that most of the USDC fund flows, $11.5 million out of $14 million, came directly from the Finiko Ponzi scheme, more than $9 million in bitcoin came from Finiko, as well as $2.7 million in ERC20 tether,” Pounder said. “Over $155 million of the overall flow of more than $930 million funds received by Suex OTC could be deemed as high risk,” he added.

Suex founder Egor Petukhovsky declined to comment by press time.

UPDATE (SEPT. 23, 12:13 UTC) Adds Huobi declined to comment in the eighth paragraph.

UPDATE (SEPT. 23, 12:45 UTC) Adds details from Chainalysis research, quote from Crystal Blockchain in last four paragraphs.