A significant data breach linked to companies associated with Ilan Shor, a Moldovan fugitive currently residing in Russia, has unveiled extensive use of cryptocurrency for evading sanctions and meddling in Moldova’s forthcoming parliamentary elections. A recent analysis by Elliptic, published on September 26, illustrates that wallets connected to Shor’s A7 group and affiliated enterprises processed transactions totaling $8 billion in stablecoins over the last 18 months.
The funds funneled through these wallets were reportedly utilized to develop infrastructure for Shor’s political initiatives, including creating an application that compensated a network of political activists within Moldova. Shor, who was convicted in 2017 for his involvement in a monumental $1 billion fraud from Moldovan banks, gained Russian citizenship upon fleeing the country. In 2022, the U.S. imposed sanctions on him for contributing to Moscow’s electoral interference. He subsequently launched A7 in 2024 to discreetly transfer Russian capital overseas. A7, which is nearly 50% owned by state-run Promsvyazbank—already under sanctions for its contributions to the defense sector—was itself blacklisted by Washington in August 2025.
Elliptic’s investigation into the leaked files reveals that at least $8 billion in stablecoin transactions were executed via wallets tied to A7 since early 2024, primarily using Tether’s USDT alongside A7’s own ruble-backed token, A7A5. An internal settlement scheme document leaked from the organization indicates that transactions were routed through companies in Kyrgyzstan, highlighting Shor’s connections to Kyrgyz President Sadyr Japarov, including the reported gifting of a luxury jet. Chat logs further detail how USDT transfers were managed, with a notable $2 million request linked to Maria Albot, an ally of Shor who is also sanctioned by the EU.
The investigation traced multiple wallets associated with A7, noting some had been restructured following a breach in August 2025, and identified at least $2 billion in USDT that was sent to exchanges aimed at bolstering A7A5’s uptake. The leaks also implicate cryptocurrency transactions in direct attempts to influence political landscapes in Moldova. Certain applications like Taito reportedly facilitated payments to activists, while another called Callcenter was linked to illegal polling activities. A Telegram bot managed payments in Toncoin after basic Know Your Customer (KYC) checks, with the foundational infrastructure for these initiatives financed in USDT, allowing operations to persist despite existing sanctions.
Elliptic concludes that these revelations elucidate the methods by which Shor’s enterprises blend cryptocurrency and intermediary structures to fuel Kremlin-backed interference and sanctions evasion, equipping authorities with new strategies to enforce restrictions against both Shor and A7.
Previously, Moldovan President Maia Sandu has voiced concerns regarding Russia’s efforts to expand its interference in the nation’s upcoming parliamentary elections, set for September 28, particularly targeting voters residing abroad. These allegations were discussed in a recent interview with the Financial Times conducted on September 14.
