Crypto Cybercrime Money Laundering OpSec Uncategorized

Clout-Chasing, Serbian Narco-IT Moron Holds Key to Performative Europol Shade in ICIJ Story

  • 30 Members of the Belivuk Clan in Serbia were arrested last February after their Sky ECC communications were cracked
  • They have been charged with 5 murders, but are suspected of as many as 20
  • Serbian authories seized 44 Sky ECC phones from the gang
  • The gang’s messages were hacked at least 4 months prior to the timeline reported by Europol for when Sky was hacked
  • Srdjan Lalic, the gang’s ‘IT wiz was in charge of procuring Sky phones for the gang and advising them on crypto-laundering OPSEC, according to Serbian media reports
  • Serbian authorities have seized €10 million in bitcoin and two USB drives with as much as €60- €70 million in crypto from the gang
  • Russian cybercrime legend Pavel Vrublevsky provides expert analysis on the Belivuk clan’s IT failure
  • Shadow Banker has obtained video of the new NFC-enabled cryptophones being used by European and Colombian drug trafficking organizations

In an interview with the ICIJ last month, Europol Executive Director Catherine De Bolle linked three recent encrypted phone network sweeps (EncroChat, Sky ECC, and Anom) to significant financial transparency gaps in the European Union. The context of this discussion was the Pandora Papers exposé, which has magnified the threat posed by financial-secrecy-enabling legal structures and arrangements globally.

By making this connection, De Bolle highlighted the evolving COMSEC technologies used by allegedly sophisticated organized crime groups (OCGs) in Europe. Specifically, Europol’s exec director said the dismantling of these crime-phone networks has exposed significant money laundering conspiracies via real estate and public corruption as well.

“It is mainly on the basis of information from these three major operations, that we find that we have a real problem in the EU. An example: when criminal groups launder money by buying real estate in certain European cities, this leads to undermining – the mixing of the legal upper world with the criminal underworld. And this undermining weakens society, the economy and the rule of law,” said De Bolle.

While it’s true the cryptophone takedowns have initiated a multitude of laundering prosecutions throughout Europe, particularly following the EncroChat sweep in the UK, most of the laundrymen who got pinched were small-time ‘flickers’ like that ‘MessyZebra’ guy in Liverpool. This particular ‘lad’ only got paid £175 a week for his cash-counting services, according to the Liverpool Echo.

There are, however, a few exceptional cases, where real estate was used by criminals to obfuscate their illicit wealth. Property is an asset class typically abused by more ‘professional’ money-laundering organizations and networks. Take the Embossed case that tripped up Liverpool property developer Jonathan Cassidy and his little brother, for example.

Also, look at the joint-Italian and German operation from last May that resulted in the arrest of 31 suspects in both countries, who were all alleged to be part of the ‘Ndrangheta mafia. This particular OCG is “suspected of having organised the trade in cocaine between Italy, the Netherlands, Germany and Spain using encrypted EncroChat and Sky ECC communication tools,” according to the Eurojust press release. Eurojust said that a “string of building and hospitality companies was allegedly used to launder the proceeds in Italy.”

But while these cases are undoubtedly pertinent to De Bolle’s point, neither of them compare to recent Homeric-epic-scaled fucktARDery out of Serbia that cuts right to the heart (and head) of what she was alluding to in terms of premiere-league laundering and corruption unearthed by the cryptophone sweeps.

It’s a story of hubris really. But unlike Odysseus, none of these hooligan morons were resourceful, despite their use of the ‘zero-trust’ Sky ECC mobile app.

‘Look Baby, Mexico in the Center of Belgrade’

Veljko Belivuk
Marko “the Butcher” Miljković and Veljko “the Trouble” Belivuk sipping sangria poolside, source:

I mean, we all have that one impulsive and incorrigibly ‘joie de vivre’ friend, who despite EncroChat getting REKT six months earlier, still feels totally invincible texting people “55 pictures of mutilated victims ‘for remembrance’” through an ‘unhackable,’ 512-bit-Elliptic-curve-Diffie-Hellman-encrypted mobile messaging app, right?


Well, unless your friends with “idiots like Albanian drug dealers who just yesterday came down from the mountain,” as the wiseguys who’ve actually custom-built GrapheneOS-based cryptophones for Balkan hoods say, the answer is probably a disconcerting “no.”

And yet, this is precisely what Serbian gangster Marko “the Butcher” Miljković, the right-hand man to Principi “soccer hooligan” capo Veljko “the Trouble” Belivuk, did. The Principi are a hooligan sect that roots for Partizan, one of Belgrade’s two premiere soccer clubs.

Anyways, sometime at the end of December 2020, according to Serbian news reports, the Butcher used the Sky ECC app to text some unidentified Sky user photos of him and his fellow Principi goons at their ‘slaughterhouse’ in Ritopek posing next to five of their captive rivals in various states of bondage, torture, and anatomical ‘integrity.’

“Let me send you pictures of the murders so that we have them with you, so that they are not deleted, because only I have them,” read the text, according to a preliminary indictment of the gang obtained by investigative Serbian news outlet KRIK last July.

The Belivuk clan’s ‘beef’ with their dearly departed, snuff-film victims stems largely from a broader underworld conflict that has broken out between the Kavač and Škaljari clans, two feuding cocaine mafias that both hail from Kotor, a small and otherwise idyllic town on Montenegro’s Adriatic coast.

Once allied under the Kotor mafia umbrella, the group split in 2014 when Škaljari traffickers commandeered 200 keys of blow that the Kavačs had stashed in their Valencia warehouse without previously informing them, according to Serbian intelligence reports.

The Kavačs, as one might imagine, were none too pleased with the Škaljari’s cocaine grab. A wave of bloodshed has ensued in the wake of this feud, with at least 41 bodies piling up all over Europe, according to KRIK – and this was prior to evidence revealed from the Sky hack last February.

Back in Serbia, the resulting arrests and High Court of Belgrade indictment of the Trouble, the Butcher, and 28 of their alleged co-conspirators for five murders, one rape, and a host of other drugs and weapons charges are testament that the Principi were not all that tech-savvy (despite the supposedly impenetrable, super-secret-agent encro-phones they used).

This assessment is also notwithstanding the rumored €60- €70 million in crypto that the Trouble and the Butcher reportedly stashed away on two USB drives. After arresting “somebody close” to the two Principi capos, according to Serbian tabloid Alo, Serbian authorities have reportedly seized the flash drives loaded with this financial evidence.

The Trouble also paid his cocaine suppliers in South America with bitcoin, according to Alo. Colombia’s ‘Clan del Golfo’, a neo-paramilitary group that originated in the country’s Antioquian region – and the largest cocaine-trafficking organization in the world – are said to be the biggest plug for all the Balkan cartels, according to Colombian news reports in El Espectador.

But the CDG’s not-ascendantly handsome leader, Dairo Antonio Úsuga, AKA ‘Otoniel’, who authorities say used his drug money primarily as a means to rape, with impunity, underage campesina girls from rural pueblos that the CDG had taken over, was arrested by Colombian authorities last October.

Dairo Antonio Usuga, alias ‘Otoniel’, the leader of the Gulf Clan, poses for a photo while escorted by Colombian military soldiers [Handout via Reuters]

Curiously, Serbian prosecutors did not bother to build a substantive case on how the Belivuk clan “was involved in drug trafficking, nor was a serious amount of narcotics seized,” according to KRIK.

To wit, the guy who has made GrapheneOS phones for Serbian crime groups remarked, “if you were to read the indictment, without knowing anything about the clan, there is nothing that could make you think this is the indictment against a drug gang and protection racket. You would have the impression that a group of Partizan hooligans have made their own version of the Manson family, like an indictment against a group of serial killers.”

Nevertheless, when some unidentified Western European law enforcement agency told President Alexsandr Vučić and his administration that they had cracked the Sky ECC network, or at least the Belivuk clan’s private communications, and had eyes on all of the Z-40-style snuff content that the Trouble and his clan of ‘creators’ were producing and LoLing about over text, the Serbian state had to act.

Despite allegations of collusion between Vučić’s regime and Belivuk’s gang spanning years, and scandals even entangling the president’s son, Danilo, who has been snapped in public with various Principi members on multiple occasions (including at the 2018 World Cup in Russia) Vučić’s instinct for self-preservation inevitably kicked in.

After all, it’s not a good look to dither after Western partners confront you with smoking-gun evidence that shows your allegedly favored underworld proxies posing for selfies with beheaded gang rivals, captioned with texts like “Look, baby. Mexico in the center of Belgrade, haha,” as the Trouble reportedly mused to one of his associates. News reports in Kurir also say the Trouble’s Sky ECC handle was “Soprano”, in reference to the undisputed greatest TV show of all time.

Screenshot from Sky Global's webpage. The Vancouver-based company, which claims to sell the world's most secure messaging app, is at the centre of a global investigation.

44 Sky Phones Seized

So just like any sensible politician would, the president threw the state’s preferred thugs to the wolves, coldly disregarding the reported broship built up from all those times the Trouble sicced his goons on drunk and disorderly fans chanting “Vučić is a f*ggot” during soccer matches, or when they assaulted adversarial journalists at his 2017 inauguration.

Ahhhhhh, the memories. But in the end, the goons had served their purpose; their utility to the state expired. The Trouble and the Butcher were arrested along with 14 other people on February 3rd, according to Serbian media reports. Raids were initially conducted at the Partizan and Red Star stadiums, the headquarters for the biggest soccer clubs in Belgrade, and 28 other locations. Partizan and Red Star are archrivals.

Following the Principi takedown, Ninoslav Čmolić, the Deputy Chief of Police of Belgrade, said “the criminal group that was disbanded this morning is responsible for the most monstrous crimes committed in the last ten years. This group was constantly hiding behind the Partizan fan group, but they are not fans, but ordinary criminals and we will not tolerate that.”

Serbian authorities also seized 44 Sky ECC-enabled phones from the gang, according to news reports. Please note that this was over a month before Belgian and Dutch-led operations, codenamed A-Limit and Argus, respectively, dismantled the Sky network and arrested over 80 people in the Low Countries. The vast majority of users in these countries were Moroccan, according to a report in Le Monde.

Europol said cops in Belgium and the Netherlands had been able to monitor the messages of some 70,000 users since mid-February, roughly two weeks after the Belivuk clan got popped – and with Sky messages from late December too. Overall, Serbian authorities suspect the gang could have participated in as many as 20 murders.

At a press conference following a Serbian National Security Council meeting a month after the arrests, President Vučić called Belivuk and his underlings “monsters,” and said they filmed the torture and murder of their enemies.

President Alexsandr Vučić discusses Belivuk evidence at a March 2021 Serbian National Security Council press conference, source:

“If we wanted to publish the recordings, we would publish them tonight. We will not do that,” Vučić said. The NSC did, however, display some of the gang’s photos.

Vučić also said that Serbia had borrowed new digital forensics equipment to unlock the gangsters’ Sky devices and mine even more evidence. Since Sky was just an app, handsets equipped with the software are easier to unlock than hard-encrypted phones like EncroChat, for example.

Thus, from Cellebrite to Magnet Axiom, any digital forensic and incident response (DFIR) vendor could have added the support Vučić was describing, so long as they had access to an active Sky application, Shadow Banker’s in-the-know sources say.

In a follow-up press conference last April, Serbia’s Interior Minister Aleksandar Vulin gave an update on the Belivuk case and described the evidence that his investigators had found inside the Ritopek slaughterhouse. “In that house, the ‘house of horrors’, people were brought in who were killed in the most cruel and monstrous way,” said Vulin.

“A secret room was found inside that house, very skilfully and efficiently hidden, which we might not have reached if it were not for those who were willing to share this information with us and in which we found a frighteningly large amount of weapons, more than 10 kilograms of various type of explosives, prepared and ready to be activated. In that room, we also found industrial machines for grinding meat, for grinding bones,” said Vulin.

Timeline Anomalies

Barbaric body-disposal methods aside, the timeline of the Belivuk clan arrests is significant because their capture in early February contradicts prevailing law enforcement narratives of when European authorities cracked the Sky network.

The party line still getting reeled out by Belgium, which led the operation (with significant assistance from the French), the Netherlands, Europol, and the Drug Enforcement Administration – to still-credulous Wall Street Journal reporters (who are actually based in Belgium) – is that Sky was first cracked in mid-February. The DEA did not respond to a request for comment on why they omitted this Serbian fairy tale from their WSJ briefings.

So, the question that is emerges then is how did some anonymous Western European LEA – at some point between late December and the start of February – obtain some, if not all, of those Eli-Roth-Hostel-like pics that the Butcher texted to an unnamed associate, which were then used to pressure the Vučić administration?

To read the rest of this story, sign up for the Shadow Banker substack.