Using a specific feature in the Bitcoin network called the OP_RETURN field, a mysterious user has publicly exposed that Russia’s Foreign Military Intelligence Agency (GRU), Foreign Intelligence Service (SVR), and Federal Security Service (FSB) are active crypto traders and sponsor or operate ransomware cyber-attacks.
Chainalysis, a crypto tracing and research firm working with the US Government, said in a CoinDesk post that the unknown individual or individuals found a total of 986 digital wallets owned by GRU, SVR and FSB.
The anonymous hacker(s) took control of a number of addresses in January or early February and left messages in Russian to accuse the wallets’ owners of involvement in cyber-crimes.
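Messages left in OP_RETURN outputs, as described above, are public and can be read back from the output script by any analyst. The following is an added example, not code from Chainalysis or from the original report; it assumes the message is UTF-8 text carried in plain data pushes, and the sample script is constructed rather than taken from a real transaction.

```python
# Added example: read text messages out of Bitcoin OP_RETURN output scripts.
OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D


def op_return_pushes(script_hex):
    """Return the data pushes after OP_RETURN, or None if the script is not
    a plain OP_RETURN data carrier or is truncated."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    pushes, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:            # opcode itself is the push length
            size = op
        elif op == OP_PUSHDATA1:     # next 1 byte is the length
            if i + 1 > len(script):
                return None
            size, i = script[i], i + 1
        elif op == OP_PUSHDATA2:     # next 2 bytes, little-endian
            if i + 2 > len(script):
                return None
            size, i = int.from_bytes(script[i:i + 2], "little"), i + 2
        else:
            return None              # not a data push
        if i + size > len(script):
            return None              # length runs past end of script
        pushes.append(script[i:i + size])
        i += size
    return pushes


def decode_message(script_hex):
    """Join the pushes and decode as UTF-8 (an assumption); None on failure."""
    pushes = op_return_pushes(script_hex)
    if not pushes:
        return None
    try:
        return b"".join(pushes).decode("utf-8")
    except UnicodeDecodeError:
        return None


# Constructed sample, not a real transaction: OP_RETURN + one direct push.
_msg = "пример сообщения".encode("utf-8")   # "example message"
SAMPLE_SCRIPT = (bytes([OP_RETURN, len(_msg)]) + _msg).hex()

if __name__ == "__main__":
    print(decode_message(SAMPLE_SCRIPT))
```

Scripts that are not OP_RETURN outputs, that contain non-push opcodes, or whose declared push length runs past the end of the script return `None` instead of a partial message.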
Chainalysis suspects that the vigilante(s) are insider(s) in one of the above-mentioned agencies.
Chainalysis’ investigation later confirmed that at least three of the allegedly Russian wallet addresses had previously been linked to Russia by third parties: two of them were involved in the SolarWinds attack on American energy infrastructure, and a third paid for servers used in Russia’s 2016 election disinformation campaign.
The hacker(s) stopped posting alerts and destroying funds after Russia invaded Ukraine. Instead, they started sending seized bitcoins to Ukrainian aid organizations.
Chainalysis later deleted its post with its findings from its Twitter accounts, without explanation.