Money Mule & Bulletproof Hosting Indictments | DOJ & OFAC 2026
Prosecuting the Plumbing: Money Mule Networks, Bulletproof Hosting, and OFAC Sanctions in DOJ’s Cybercrime Infrastructure Crackdown
In four days in July 2026, the government moved against three different layers of cybercrime infrastructure. On July 13, the Treasury Department’s Office of Foreign Assets Control sanctioned a VPN service and a seller of “cryptors” that disguise ransomware. On July 14, prosecutors in the Northern District of Ohio unsealed an indictment against a Russian “bulletproof hosting” operation and three of its principals. See the Justice Department’s announcement of the Media Land indictment. On July 16, two New York residents made initial appearances in the Eastern District of New York on charges that they managed the domestic bank-account network behind $43 million in cryptocurrency investment fraud proceeds. See the announcement of the $43 million laundering indictment.
None of the charged defendants is alleged to have scammed a victim, deployed ransomware, or stolen a coin. Each is charged, or sanctioned, for providing the infrastructure that let someone else do it. That is the theory now driving federal cyber-fraud enforcement.
The Enforcement Landscape Behind the July Actions
The agencies defining crypto and cyber-fraud enforcement have changed. The SEC has largely withdrawn from digital asset enforcement. The Justice Department narrowed its own charging policy in April 2025, directing prosecutors away from regulatory theories such as unlicensed money transmission unless the defendant knew of the licensing requirement. What remains is a harder-edged model built on three tools. Money laundering charges brought by the Criminal Division’s Money Laundering, Narcotics and Forfeiture Section, known as MLARS. Sanctions designations by OFAC. And coordinated interagency campaigns like the Scam Center Strike Force, formed in 2025 to attack Southeast Asian cryptocurrency fraud compounds and the U.S.-based infrastructure that sustains them.
The July actions show that model at full speed. Each targets a different tier of the same criminal economy. The offshore scam compounds and ransomware crews generate the proceeds. Bulletproof hosts, VPN providers, and cryptor sellers keep them online and anonymous. Domestic mule networks and shell companies convert victim wires into funds that can move offshore. The government charged or sanctioned all three tiers within one week.
The implications reach well past the named defendants. The theories used here extend naturally to payment processors, nominee incorporators, hosting resellers, exchange account holders, and anyone else whose services touch fraud proceeds. People with no connection to any scam can find themselves in the government’s frame because their name is on an account, a company registration, or a server lease.
The Three Actions
The $43 Million Mule-Manager Indictment in Brooklyn
On July 16, 2026, Zhuoying Chen of Brooklyn and Haojie Zhang of Queens appeared in the Eastern District of New York on an unsealed indictment, No. 26-CR-205, charging conspiracy to commit money laundering. Both are United States citizens, according to the indictment. The grand jury alleges that between December 2020 and October 2022 they managed what the charging document calls the New York Network: more than a dozen people, primarily in Queens and Brooklyn, who opened roughly 140 bank accounts under false pretenses in the names of approximately 45 shell companies, mostly at branches within the district. Those accounts allegedly received at least $43 million in proceeds of cryptocurrency investment fraud, the scheme known as pig butchering, along with a related scheme to defraud financial institutions.
The indictment assigns each defendant a management function. Chen, known as “Jolene,” allegedly managed the network’s bank accounts and served as its primary liaison with co-conspirators in China. Zhang, known as “Kevin,” allegedly helped lead the network beginning in December 2021, recruiting members, supervising them, and coordinating with the China-based conspirators to move victim funds abroad. The single conspiracy count pleads three statutory objects: concealment laundering under § 1956(a)(1)(B)(i), international movement of funds under § 1956(a)(2)(B)(i), and monetary transactions in criminally derived property over $10,000 under § 1957. Each carries the same 20-year ceiling through § 1956(h).
The knowledge allegations are the heart of the document, and they come from the defendants’ own messages. The indictment alleges Chen was paid a percentage of the proceeds she moved, and that when she texted co-conspirator Cheng Wei Huang in January 2022 asking for a raise in her “salary,” Huang replied that she already received ten percent of every cut. Zhang allegedly texted weeks later that he deserved a larger cut of the profits because he was doing a lot of work for the network. In March 2022, after a dentist wired more than $55,000 into a network account, Chen allegedly texted Huang mocking the bank’s due diligence questions and rehearsing her cover story, and Huang replied that this particular bank was the most ruthless toward them. The indictment also alleges Huang sent Zhang a photograph of a victim’s letter threatening to sue a network member for defrauding him. Percentage compensation, rehearsed answers to bank inquiries, and awareness of victim complaints are how prosecutors plead knowledge without a confession. Each is also a fact a defense can contest, contextualize, or attribute to someone else.
The case was brought by MLARS and the U.S. Attorney’s Office for the Eastern District of New York, with the FBI, Homeland Security Investigations, IRS Criminal Investigation, and the U.S. Postal Inspection Service investigating. Four agencies on a two-defendant laundering case signals institutional priority. The structural point is target selection. The scammers sit in Southeast Asia, largely beyond arrest. The accounts sit in New York. The indictment names two managers, but it describes a network of more than a dozen account openers, each an identified, chargeable person in the government’s files. Expect the next indictments to reach downward from the managers to the openers, and outward to the registered agents behind the 45 shell companies.
The Media Land Bulletproof Hosting Indictment in Ohio
On July 14, 2026, the Northern District of Ohio unsealed a 13-count indictment against Russian nationals Alexander Volosovik, Kirill Zatolokin, and Yulia Pankova, along with two St. Petersburg companies, Medialand LLC and ML.Cloud LLC. A grand jury returned the indictment in December 2024, and it stayed sealed while a seven-year investigation ran its course. The counts include conspiracy to commit and aid and abet computer fraud under 18 U.S.C. § 371, wire fraud conspiracy under § 1349, ten substantive wire fraud counts under § 1343 and § 2, and money laundering conspiracy under § 1956(h), plus a rarely invoked sentencing enhancement under § 3559(g)(1) for falsely registering domain names used in the offenses. The indictment attributes more than $62 million in losses to 44 victims, most of them commercial businesses across 21 states and abroad, along with a Massachusetts municipality.
The charging document describes the product in the defendants’ own advertising. Beginning in 2016, Volosovik and Zatolokin allegedly marketed Media Land’s bulletproof hosting on cybercrime forums under monikers including “Yalishanda,” promising in one post to keep any project except child sexual abuse material. The service allegedly bundled fast-flux hosting, which rotated domains across pools of IP addresses and automatically swapped in new name servers whenever a domain was blacklisted, with self-service panels, bulk domain registration through front companies, and proxy servers installed in encrypted containers so that not even the data center’s administrators could identify a client’s real server address. Ransomware groups allegedly ran command-and-control infrastructure and leak sites on it. So did carding marketplaces selling stolen credit card data, including Briansclub and Bidencash.
The knowledge evidence mirrors the marketing. The indictment alleges the defendants routed abuse reports and security alerts to email accounts they controlled, then ignored them or sent false replies. When a security firm reported that a Media Land IP address was serving as command-and-control for a banking trojan, the defendants allegedly responded that the client was blocked while the client kept distributing malware through the same infrastructure. Payment flowed in cryptocurrency. The indictment traces one transaction to the wallet level: a Bitcoin cluster the government attributes to Volosovik allegedly received roughly $4,665 from a ransomware client weeks after that client’s August 2022 attack on a victim, tying a specific hosting fee to a specific extortion. Blockchain attribution of that kind is powerful and contestable in equal measure.
The U.S. nexus is concrete. Until June 2024, the network’s core fast-flux server sat physically in New Jersey, leased from an American provider; only after that did the defendants allegedly migrate it to Russia. The defendants themselves remain in Russia, beyond extradition, so the government layered its tools. OFAC designated the Media Land network and all three individuals in November 2025, joined by the United Kingdom and Australia. The State Department’s Rewards for Justice program offers up to $10 million for information on foreign government links to the defendants and their infrastructure. The indictment, part of the FBI’s Operation Riptide, adds criminal exposure and the risk of arrest the moment any defendant travels to a country that extradites to the United States.
The legal theory deserves attention. Media Land is not alleged to have written ransomware or extorted a victim. It sold hosting. The indictment treats that service, provided with knowledge of its criminal use and coupled with acts that protected it, as a conspiracy to commit the customers’ crimes. That theory does not stop at hosting. It extends to mixers, RPC and node providers, domain registrars, and every other layer of crypto and internet plumbing. The 2023 mixer prosecutions started down this road. Media Land shows the government running on it.
The OFAC Designations of a VPN Service and Cryptor Sellers
On July 13, 2026, OFAC designated First VPN Service, known as 1VPNS, and its administrator Dmytro Rashevskyi, along with Yegeniy Silayev, a seller of cryptors. A cryptor wraps malware in encryption so antivirus tools cannot detect it. The designations, coordinated with the United Kingdom, followed a May 2026 infrastructure takedown and targeted the anonymization layer behind cryptocurrency ransom payments extracted from U.S. businesses.
No criminal charges accompanied these designations. That is the point. Sanctions require no indictment, no grand jury, and no proof beyond a reasonable doubt. A designation freezes all U.S.-touching assets immediately and cuts the target off from the dollar system. It also creates exposure for everyone else. U.S. persons who transact with a designated party face civil penalties on a strict liability basis under the International Emergency Economic Powers Act, and willful violations carry up to 20 years. For tool-makers and service providers, OFAC has become the leading edge of enforcement. The criminal case, if it ever comes, arrives second.
The government did not charge a single scammer or ransomware operator this week. It charged and sanctioned the service layer: the accounts, the servers, and the anonymization tools. Liability now attaches to infrastructure, and the dividing line is what the provider knew about how the infrastructure was used.
The Legal Theory: Knowledge Converts a Service Into a Crime
Every one of the criminal theories in these cases runs through a knowledge element. That is where these cases are won and lost.
A conviction for money laundering conspiracy under 18 U.S.C. § 1956(h) requires three things: an agreement between two or more people to commit a substantive laundering offense under § 1956 or § 1957, the defendant’s knowledge that the funds involved were the proceeds of some form of unlawful activity, and the defendant’s knowing and voluntary decision to join the agreement. United States v. Iossifov, 45 F.4th 899 (6th Cir. 2022); United States v. Green, 599 F.3d 360 (5th Cir. 2010). No overt act is required. Whitfield v. United States, 543 U.S. 209 (2005); United States v. Matthews, 31 F.4th 436 (4th Cir. 2022). The knowledge element is broad in one respect and demanding in another. The defendant need not know which felony generated the funds. Knowledge that the money was criminally derived from some felony, under state, federal, or foreign law, is enough. United States v. Feldman, 936 F.3d 1288 (11th Cir. 2019). But that knowledge must exist, and it must be proven for each defendant. Opening bank accounts is legal. Forming shell companies is legal. Recruiting people to open accounts is legal. The crime begins only where the government can prove the defendant knew the accounts were moving criminal proceeds.
The charged object of the conspiracy defines what else must be proven. Promotional laundering requires intent to promote the underlying crime. Concealment laundering under § 1956(a)(1)(B)(i), the theory at the center of the July indictments, requires that concealment be a purpose of the transaction and not merely its effect. Cuellar v. United States, 553 U.S. 550 (2008); United States v. Huezo, 546 F.3d 174 (2d Cir. 2008). A § 1957 object requires a monetary transaction in criminally derived property worth more than $10,000, though the government need not prove the defendant knew the source crime was a “specified” unlawful activity. And the statute travels. Section 1956(f) grants extraterritorial jurisdiction over conduct by U.S. citizens abroad, and over foreign nationals whose conduct occurs in part inside the United States, where the transactions exceed $10,000. That provision is what puts the China-based coordinators of the Brooklyn network, and foreign infrastructure providers running U.S. servers, within reach of a federal indictment.
The infrastructure theories carry the same requirement. Hosting servers is legal. Selling a VPN is legal. To convict a provider as a conspirator or an aider and abettor, the government must prove the provider knew of the customers’ crimes and intended to facilitate them. Under Rosemond v. United States, 572 U.S. 65 (2014), aiding and abetting requires an affirmative act taken with advance knowledge of the offense’s essential features. The Media Land indictment is a template for how that knowledge gets pleaded: forum advertising aimed at criminal customers, abuse reports funneled to controlled inboxes and answered with false assurances, anonymity engineered into the product itself, and crypto payments traced from ransom proceeds to the provider’s own wallets. The case law already supports convictions on this model. In Iossifov, the Sixth Circuit affirmed a § 1956(h) conviction of a Bulgarian cryptocurrency exchanger who knowingly converted fraud-derived Bitcoin for a criminal enterprise; the service was currency exchange rather than hosting, but the theory was identical. A provider with a real abuse-response record and terms of service it actually enforced looks very different on each of those axes.
The Brooklyn indictment shows the mule-network version of the same playbook. There the pleaded knowledge evidence is compensation structured as a percentage of the funds moved, texts rehearsing answers to bank due diligence questions, and awareness of victim complaints. The case law gives the government real help on scope: it need not prove a defendant knew every detail of the scheme or the identities of the other conspirators, only the venture’s general unlawful nature. Huezo, 546 F.3d at 180. What it cannot outsource is the knowledge element itself. Prosecutors also reach for willful blindness. A defendant who deliberately avoided confirming what he strongly suspected can be treated as knowing. But willful blindness demands deliberate avoidance. Suspicion is not knowledge. Negligence is not knowledge. A recruited account opener who was told a cover story and believed it, or a reseller who leased rack space without visibility into customer traffic, has a defense the government must overcome with proof, not inference. Not every member of a 14-person network saw the texts the indictment quotes.
Who Faces Exposure Now
The July actions map the categories of people likely to receive the next round of subpoenas, target letters, and account freezes.
Account openers and their recruiters come first. The Brooklyn indictment names two managers, but the alleged network included more than a dozen account openers. Each of them is an identified, chargeable person in the government’s files. Some were paid a few hundred dollars per account. Some may not have known what the accounts were for. The government will not assume innocence. Registered agents and nominee officers of the roughly 45 shell companies face the same scrutiny.
U.S. businesses in the infrastructure chain come next. The Scam Center Strike Force has publicly stated that many fraudulent investment sites are hosted by U.S. companies, and it has convened hosting providers, cloud platforms, and exchanges to identify scam infrastructure on their networks. A company that receives such a referral and continues service acquires exactly the knowledge that converts a service into a conspiracy. And anyone whose counterparty has been designated by OFAC must stop transacting immediately. Continued dealings violate sanctions law even without any fraud knowledge at all. The OFAC sanctions list is public, and screening against it is now baseline diligence for any business touching crypto payments or offshore hosting.
Where the Defense Begins
An indictment is an accusation. A designation is an executive action. Each can be fought, and the fights are different.
In the criminal cases, the defense starts with the knowledge element. The government must prove what each defendant actually knew, defendant by defendant and transaction by transaction. Mass-mule cases are built on financial records, and financial records show movement, not state of mind. The gap is filled with cooperator testimony and chat messages, both of which can be attacked. The quoted texts in the Brooklyn indictment involve three people. The network allegedly had more than a dozen. For everyone outside those exchanges, the government still has to build knowledge from scratch. Wallet clustering and moniker attribution in the Media Land case face the same scrutiny: an alias on a forum and a label on a Bitcoin cluster are the government’s inferences, not self-proving facts. In infrastructure cases, attribution adds a second front. Corporate conduct is not personal conduct. What Media Land the company did must still be tied to what each named individual knew and did. And in every laundering case, Cuellar gives the defense a concealment argument: a fee-for-service transaction is commerce unless the government proves concealment was its purpose.
Sanctions have their own remedy. A designated person or company can petition OFAC for delisting under 31 C.F.R. § 501.807, presenting evidence that the basis for designation was wrong or that circumstances have changed. Denials can be challenged in federal court under the Administrative Procedure Act. The evidentiary record supporting a designation is often thinner than the record supporting an indictment. Delisting petitions succeed more often than most people assume, particularly for parties designated by association rather than conduct.
Timing controls outcomes in these cases. The people at the edges of these networks, account openers, nominee officers, resellers, exchange customers, are often approached by agents before any charge is filed. What happens in those first interviews frequently determines whether a person becomes a witness or a defendant. As former DOJ Fraud Section and U.S. Attorney’s Office prosecutors, Scott Armstrong and Drew Bradylyons built and supervised the laundering and cyber-fraud cases that follow this exact sequence, and the firm’s cryptocurrency fraud and money laundering practice defends clients at every stage of it.
Frequently Asked Questions
What are the penalties for federal money laundering conspiracy under 18 U.S.C. § 1956(h)?
Money laundering conspiracy under 18 U.S.C. § 1956(h) carries up to 20 years in prison per count and a fine of up to $500,000 or twice the value of the funds involved, whichever is greater. Forfeiture of property involved in the offense follows under 18 U.S.C. § 982. Under the Federal Sentencing Guidelines, the advisory range is driven principally by the value of the laundered funds, so a $43 million case produces severe exposure even for a first offender.
The elements are settled across the circuits: an agreement between two or more people to commit a substantive laundering offense, the defendant’s knowledge that the funds were proceeds of some form of unlawful activity, and the defendant’s knowing and voluntary decision to join. United States v. Iossifov, 45 F.4th 899 (6th Cir. 2022); United States v. Green, 599 F.3d 360 (5th Cir. 2010). No overt act is required. Whitfield v. United States, 543 U.S. 209 (2005); United States v. Matthews, 31 F.4th 436 (4th Cir. 2022). A single conspiracy count can plead multiple objects. The July 2026 Brooklyn mule-network indictment charges one § 1956(h) conspiracy with three: concealment laundering, international movement of funds, and monetary transactions over $10,000 under § 1957. The attorneys at Armstrong & Bradylyons PLLC charged and tried money laundering counts at DOJ’s Fraud Section and the U.S. Attorney’s Office for the Eastern District of Virginia, and now defend these charges through the firm’s cryptocurrency fraud and money laundering defense practice.
Can a person who opens bank accounts for someone else be charged as a money mule in a federal money laundering case?
Yes, if the government can prove knowledge. A money mule receives and forwards funds on another’s behalf. Opening accounts, forming companies, and wiring money are legal acts. They become money laundering under 18 U.S.C. § 1956 or § 1957 only when the person knows the funds are criminal proceeds. The knowledge standard is broad: the person need not know which felony generated the funds, only that they were criminally derived from some felony. United States v. Feldman, 936 F.3d 1288 (11th Cir. 2019). Prosecutors also argue willful blindness: that the defendant deliberately avoided confirming what the circumstances made obvious. Suspicion alone is not knowledge, and negligence is not a crime under these statutes.
The July 2026 Brooklyn indictment shows how knowledge gets pleaded against mule-network members: compensation calculated as a percentage of the funds moved, text messages rehearsing answers to bank due diligence questions, accounts opened under shell company names with no real business, rapid transfers offshore, and awareness of victim complaints. It also shows the limits of that proof. The quoted messages involve three people; the alleged network had more than a dozen. Recruited account openers who were told a cover story and paid modest sums have a defense the government must overcome person by person. Armstrong & Bradylyons defends account holders and alleged network participants by reconstructing what each person actually knew, when, and from what source.
Does the government have to prove a defendant knew which crime generated the laundered funds?
No. Under 18 U.S.C. § 1956(c)(1), the government must prove the defendant knew the property represented the proceeds of “some form of unlawful activity,” meaning some activity constituting a felony under state, federal, or foreign law. It does not have to prove the defendant knew the specific underlying felony. United States v. Iossifov, 45 F.4th 899 (6th Cir. 2022); United States v. Feldman, 936 F.3d 1288 (11th Cir. 2019). A defendant who knew funds came from crime cannot escape liability by showing he thought the crime was drug trafficking rather than wire fraud. For a § 1957 object, the government likewise need not prove the defendant knew the source crime was a “specified” unlawful activity, only that the transaction involved criminally derived property over $10,000.
What the standard does not do is eliminate the knowledge element. The government must still prove the defendant knew the funds were criminally derived at all, and in cryptocurrency cases that means knowledge that the specific coins or transfers were dirty. Iossifov affirmed a conviction on exactly that proof against a crypto exchanger who knowingly converted fraud-derived Bitcoin. The dividing line in mule and infrastructure prosecutions is between a defendant who knew the money was criminal and one who suspected something was off. Suspicion is not knowledge, and the gap between them is where these cases are tried.
How does the government trace cryptocurrency in money laundering and pig butchering prosecutions?
Federal agents combine blockchain analytics with traditional financial records. Analytics firms such as Chainalysis, TRM Labs, and CipherTrace cluster wallet addresses, tag them to exchanges and illicit services, and map the flow of funds from victim deposits through mixers, peer-to-peer platforms, and OTC desks to cash-out points. Prosecutors then subpoena exchange know-your-customer records, bank records, and device data to attribute wallets to named individuals. The Media Land indictment shows the technique’s precision: the government traced a single hosting fee of roughly $4,665 from a ransomware client to a Bitcoin cluster it attributes to one defendant, tying the payment to a specific attack.
Tracing evidence is built on clustering heuristics and attribution inferences, and both can be challenged. Commingled funds, shared wallets, and mislabeled address tags produce overstated proceeds figures, and attributing a cluster to a person is an inference, not a self-proving fact. Scott Armstrong served as lead trial counsel in the first cryptocurrency market manipulation case charged under Title 15, a multi-week federal jury trial built on blockchain tracing and exchange data involving over $300 million in trades. The firm uses that prosecution-side experience, along with retained blockchain forensics experts, to test the government’s tracing methodology, wallet attribution, and proceeds analysis in every crypto money laundering case it defends.
What is bulletproof hosting, and can an infrastructure provider be charged with its customers’ crimes?
Bulletproof hosting is server infrastructure marketed to withstand abuse complaints, takedowns, and law enforcement inquiries. The Media Land indictment in the Northern District of Ohio, announced by the Justice Department on July 14, 2026, charges a hosting operation and its principals with computer fraud conspiracy, wire fraud, and money laundering conspiracy for servicing ransomware and malware operators that caused more than $62 million in losses.
Selling a service that criminals misuse is not a crime. Liability requires proof that the provider knew of the criminal use and intended to facilitate it. For aiding and abetting under 18 U.S.C. § 2, Rosemond v. United States, 572 U.S. 65 (2014), requires an affirmative act taken with advance knowledge of the offense’s essential features. The Media Land indictment pleads that knowledge through the defendants’ own conduct: forum advertising promising to host any project, abuse reports answered with false assurances that the offending client was blocked, and payment accepted in cryptocurrency traced to ransom proceeds. Providers with functioning compliance programs, enforced terms of service, and documented abuse responses have a structural defense on each of those points.
What is fast-flux hosting, and why does it appear in federal cybercrime indictments?
Fast-flux is a technique that associates a single domain name with a rotating pool of IP addresses, sometimes hundreds or thousands, that change rapidly. The Media Land indictment describes the criminal application: keeping ransomware sites, command-and-control servers, and leak sites online while hiding their true origin and defeating IP blacklisting. The charged service allegedly automated the evasion, checking client domains for blocking every minute and swapping in new name servers the moment a domain was blacklisted, all through self-service panels that required no human support.
Rotating infrastructure is not itself illegal. Content delivery networks and load balancers move traffic across servers every day. The indictment’s theory turns on purpose and knowledge: infrastructure engineered and marketed to keep criminal operations running through takedown attempts, sold on cybercrime forums, and paired with falsely registered domains. That last element carries its own consequence. Under 18 U.S.C. § 3559(g)(1), knowingly using falsely registered domain names in a felony supports a sentencing enhancement, a rarely charged provision the Media Land indictment invokes. For any provider whose infrastructure rotates addresses or registers domains at scale, the line the government draws is knowledge of criminal use, and the evidence is marketing, abuse handling, and client communications.
Can federal money laundering charges reach conduct outside the United States?
Yes. 18 U.S.C. § 1956(f) grants extraterritorial jurisdiction when two conditions are met: the conduct is by a United States citizen, or by a foreign national whose conduct occurs at least in part inside the United States, and the transactions involve more than $10,000. The July 2026 cases show both applications. In the Brooklyn indictment, the China-based coordinators of the mule network are reachable because the laundering ran through New York bank accounts. In the Media Land case, Russian nationals who never set foot in the country face U.S. charges because their core fast-flux server sat physically in New Jersey until 2024 and their clients’ ransomware hit victims in 21 states.
Jurisdiction to charge is not the same as power to arrest. Defendants in non-extradition countries face sealed or public indictments, OFAC designations, Rewards for Justice offers, and arrest exposure the moment they travel. Foreign nationals with any U.S. touchpoint, an account, a server, a business partner, a transit stop, carry real risk. The firm’s cryptocurrency fraud and money laundering practice has defended a foreign national indicted in an alleged $260 million social engineering cryptocurrency heist, and extraterritorial reach, venue, and extradition are contested issues in that posture, not conceded ones.
How do federal prosecutors prove knowledge in money laundering and cybercrime cases without a confession?
Knowledge is almost always proven circumstantially, and the July 2026 indictments catalog the current methods. In the Brooklyn mule-network case, the pleaded evidence is the defendants’ own text messages: compensation set as a percentage of every transfer, requests for a bigger cut of the profits, rehearsed answers to a bank’s due diligence questions, and a photographed victim complaint. In the Media Land case, it is the provider’s conduct: advertising on cybercrime forums, abuse reports answered with false claims that the client was blocked, anonymity engineered into the product, and hosting fees paid from ransom proceeds. Cooperator testimony then connects the documents to the defendants.
Each category of proof has limits the defense can press. The government gets help on scope: it need not prove a defendant knew every detail of the scheme or the identities of other conspirators. United States v. Huezo, 546 F.3d 174 (2d Cir. 2008). But the knowledge element itself cannot be inferred from association. Messages are excerpts; context can change their meaning. Quoted exchanges involving three people do not prove what a fourteenth person knew. Percentage compensation is also how legitimate commission work is paid. Willful blindness requires deliberate avoidance, not suspicion, and Cuellar v. United States, 553 U.S. 550 (2008), requires that concealment be a purpose of the transaction, not a byproduct. The government carries the burden on the knowledge element for every defendant, transaction by transaction, beyond a reasonable doubt.
What happens when OFAC designates a person or company?
An OFAC designation places the target on the Specially Designated Nationals list. All property and property interests of the target that are in the United States or in the possession of U.S. persons are blocked immediately. U.S. persons are prohibited from virtually all dealings with the target. Banks freeze accounts, exchanges lock assets, and counterparties terminate contracts. The SDN list is public and screened globally, so the practical effect extends far beyond U.S. borders.
Designation requires no criminal charge and no judicial finding. Violations by U.S. persons carry civil penalties on a strict liability basis under the International Emergency Economic Powers Act, and willful violations are felonies punishable by up to 20 years. The July 13, 2026 designations of a VPN service and cryptor sellers show OFAC acting as the leading edge of cyber enforcement, reaching tool-makers before any indictment exists. The Media Land defendants show the reverse sequence: sanctioned in November 2025 on top of a sealed indictment returned a year earlier.
How does a person or company challenge an OFAC designation?
The administrative route is a delisting petition under 31 C.F.R. § 501.807. The petitioner submits arguments and evidence that the basis for the designation was insufficient or that circumstances have changed, and may seek the administrative record and a meeting with OFAC. Petitioners can also negotiate remedial terms, such as severing ties with the conduct or persons that triggered the listing.
If OFAC denies the petition, the denial is reviewable in federal court under the Administrative Procedure Act as arbitrary and capricious agency action, with due process arguments available in appropriate cases. Designations often rest on classified or unverified reporting, and parties designated by association rather than conduct have meaningful prospects. Separately, OFAC issues specific licenses authorizing otherwise prohibited transactions, including payments for legal representation, which allows designated parties to fund a defense.
What is pig butchering fraud, and who gets charged in the United States?
Pig butchering is a long-con cryptocurrency investment fraud. The July 2026 Brooklyn indictment describes the playbook in four stages: cold contact under a fictitious identity through messaging or social media, trust built over days or months, a false investment narrative steering the victim to a fraudulent platform displaying fabricated profits, and disengagement once the funds are stolen. Much of the scamming runs from compounds in Southeast Asia staffed by trafficked workers. The Scam Center Strike Force coordinates federal enforcement against these operations and the U.S. infrastructure sustaining them.
Because the operators sit abroad, the defendants actually charged in U.S. courts are almost always downstream participants: account openers, shell company officers, mule-network managers, and crypto cash-out intermediaries. They face wire fraud, money laundering, and conspiracy charges carrying the same sentencing exposure as the scheme’s architects. Scott Armstrong supervised pig butchering and crypto investment fraud prosecutions as an Assistant Chief in the Market Integrity and Major Fraud Unit at DOJ’s Fraud Section. The firm now defends the individuals these prosecutions reach, contesting the government’s effort to extend liability across a multinational scheme through inference and cooperator testimony.
What experience does Armstrong & Bradylyons PLLC bring to money laundering and cyber-fraud infrastructure cases?
Scott Armstrong served nearly a decade at DOJ’s Fraud Section, including as an Assistant Chief in the Market Integrity and Major Fraud Unit, where he supervised prosecutions involving cryptocurrency fraud, crypto Ponzi schemes, pig butchering schemes, and digital asset investment fraud. He was lead trial counsel in the first cryptocurrency market manipulation case charged under Title 15, involving over $300 million in spoof and wash trades, and in a $650 million Ponzi prosecution tried to verdict. Drew Bradylyons served as Chief of the Financial Crimes and Public Corruption Unit at the U.S. Attorney’s Office for the Eastern District of Virginia, where he supervised parallel criminal and civil enforcement, and as an Assistant Chief in the Fraud Section.
The firm’s attorneys have over 25 years of combined DOJ experience and 25 federal jury trials. Its defense work includes representing a foreign national indicted for wire fraud and money laundering conspiracy in an alleged $260 million social engineering cryptocurrency heist, an individual in a Justice Department investigation involving ransomware and SIM-swap attacks, and an individual charged with wire fraud and computer fraud in connection with VPN services. Through its cryptocurrency fraud and money laundering defense practice, the firm defends individuals and companies in the districts where these cases concentrate, including the Eastern and Southern Districts of New York, the District of Columbia, and the Eastern District of Virginia, and in every other federal district.
Facing a Federal Money Laundering Investigation or Grand Jury Subpoena?
Armstrong & Bradylyons PLLC defends account holders, business owners, and technology providers in federal money laundering prosecutions and cyber-fraud investigations nationwide. As former DOJ prosecutors, Scott Armstrong and Drew Bradylyons built and supervised the crypto laundering and financial crimes cases the government brings today.

