Mexican Cartels Turn to Tether

Hey there. When I wrote my book about the FBI's secret encrypted phone company, I read a lot of drug traffickers' encrypted messages. After years of only really seeing Bitcoin in the context of cybercriminals and hackers, I was shocked at how many of those smugglers used Bitcoin. Now, Mexican and Colombian cartels are heavily using another cryptocurrency called Tether, according to multiple court cases I dug through. I also got an internal DEA presentation talking about the benefits of cryptocurrencies to traffickers. Check those out below.

This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records. Subscribe to Court Watch here.

A money laundering organization allegedly connected to large seizures of cocaine inside the United States and works with cartels in Mexico and Colombia has moved at least tens of millions of dollars using a string of front businesses, cash drop-offs, and massive transfers of cryptocurrency, according to recently unsealed court records reviewed by 404 Media.

The court records provide deep insight into how alleged drug traffickers have turned to cryptocurrency, and in particular Tether (USDT), as a way to quickly move wealth across borders in recent years. 404 Media also reviewed other recently unsealed court documents which appear to describe another money laundering organization doing much the same thing for Mexican drug cartels including the Sinaloa, showing that cryptocurrencies have become a normal part of large scale drug trafficking in the 21st century. One of the documents even highlights that Tether is sold for cheaper in Mexico because it is known to be from drug proceeds.

This segment is a paid ad. If you’re interested in advertising, let's talk.

Generative AI (GenAI) is rapidly evolving and introducing new threats all the time. How do you protect your AI systems from these emerging risks, biases, and vulnerabilities? One answer is red teaming—nothing new to the cybersecurity world, but a strategy that has been adopted quickly to help strengthen the safety of GenAI models.

ActiveFence’s on-demand webinar—5 Red Teaming Tactics to Ensure GenAI Safety—shows you how to apply Safety By Design principles to your GenAI models so they stay secure and resilient. Our expert panel discusses red teaming tactics for different company sizes and use cases, and shares insights from ActiveFence’s work with top LLM developers and GenAI startups. Besides sharing best practices for building secure AI systems, we cover practical ways to reduce bias in your models and offer tips on measuring the effectiveness of red teaming to keep your systems safe over time.

Want to make your GenAI projects safer and more reliable? Watch the webinar now and learn how to build secure, trusted AI systems.

One confidential source told investigators “the current trend was to purchase USDT from Mexico-based groups at a cheaper rate than the market price, and then sell the USDT in Colombia at Casa de Cambios [currency exchanges], virtual currency exchanges, over-the-counter (OTC) transactions, or peer-to-peer transactions (P2P). The USDT was sold at a cheaper rate in Mexico because it was known to be drug proceeds.” 

Tether is a stablecoin that is designed to keep a stable value at all times. In Tether’s case, the idea is to match the value of the US dollar, and it is allegedly backed up by an equal reserve of fiat currency. Sometimes stablecoins, including Tether, have not been all that stable, and have lost their “peg” to the US dollar. It has repeatedly been linked to the type of scam known as pig butchering, in which fraudsters target a victim and repeatedly trick them into sending them money.

One document filed last week is a complaint for civil forfeiture, with the government seeking access to more than $5 million worth of Tether stored across three cryptocurrency accounts that are allegedly linked to drug trafficking. But the total amount of cryptocurrency pushed through at least one account suspected of being linked to drug proceeds is much higher than the amount being seized: it says records for a Binance account indicate that between May 29, 2020 and September 27, 2023, a user had deposited $15,617,784.71 worth of cryptocurrency across 452 deposits and withdrawn 15,664,456.29 through 567 withdrawals. In other words, more than $15 million worth of funds moved through that single account.

A screenshot from one of the documents.

The document also includes the contours of the investigation that led authorities to these and other funds. It started in August 2020, when investigators received a tip that someone the court record calls “D.C.” was involved in drug trafficking. D.C. had previously been imprisoned for federal drug charges, and was “living a lavish lifestyle, clearly beyond D.C.’s means,” according to the court record. D.C. ran a business called S&C Trucking LLC in Milwaukee, Wisconsin, which was based out of a residential address, it says. “Agents conducted surveillance at the Tower Avenue residence on several occasions and never saw a person or vehicle come or go from the residence. Agents also observed that cameras were mounted on the exterior of the Tower Avenue residence, and that all of the window blinds of the residence were closed,” the document says, before insinuating that this is what a drug safe house might look like.

In August 2020, investigators surveilled D.C. and watched him park a black Dodge Ram 2500 pickup before loading it up with a pallet and driving off. The exact connection is unclear, but the document says authorities in Texas separately found 60 kilos of cocaine inside a truck that the bill of landing said should have contained 492 pounds of optical cable. The pallet D.C. picked up looked like the same type in the Texas seizure, the document says.

Investigators got a tracking warrant for another vehicle they believed D.C. drove. In November authorities followed D.C. from the S&C Trucking LLC address to a vacant parking lot, and eventually to a JP Morgan Chase Bank. Here, a passenger in D.C.’s car got out with a small rolling suitcase and duffel bag, and deposited $169,650 to an account owned by a Florida company called Redzien LLC, the document continues.

Redzien, it turned out, had also opened accounts at Bank of America, Wells Fargo Bank, and Regions Bank, the document says. Those in turn had handled more than $21 million of "suspicious transactions” in less than a year with transactions across at least 21 different states. Agents spoke to a representative from Bank of America’s Global Financial Crimes Investigations Anti-Money Laundering department, and were told the bank closed some accounts due to suspicions they were being used for money laundering, the document says.

“Records show that soon after these deposits were made, money was wired out of the accounts to brokerage accounts of companies in Mexico and the British Virgin Islands. The brokerage firms that received these wires had previously been identified as being involved in money laundering in numerous drug trafficking and money laundering investigations being conducted by the Drug Enforcement Administration (‘DEA’). Furthermore, agents had identified a large amount of cryptocurrency deposits and subsequent transactions made by H.M.T.V. on the cryptocurrency exchange Binance,” the document says, referring to one of the many alleged members of the money laundering group mentioned in the document.

From there, investigators found H.M.T.V. was in frequent contact with a Mexican phone number allegedly belonging to someone with the initials L.E.O.T. Investigators found this in part because L.E.O.T had published their phone number on Facebook in a post about a lost cat, the document says.

L.E.O.T was associated with Grupo Gueratti, an investment management company based in Guadalajara, Jalisco, Mexico, and also had a Twitter account where they often promoted cryptocurrency, it adds. A confidential source told investigators L.E.O.T had been laundering drug proceeds since at least June 2020, and that included Colombian and Mexican based organizations. The source was then able to insert themselves as someone who could pick up money on L.E.O.T’s behalf in the United States, convert that cash into cryptocurrency, and then send the cryptocurrency to where L.E.O.T wanted it. By April 2024, the source had conducted more than 20 money laundering contracts resulting in cryptocurrency transfers for L.E.O.T, the document says. For these, L.E.O.T provided cryptocurrency addresses to send the Tether to, it adds.

That Binance account which saw transfers of more than $15 million belonged to L.E.O.T, the document says. The transactions followed a common pattern: normally it took less than 24 hours for the owner to move funds after receiving them, and the user crossed the funds across different blockchain networks, withdrawing them in different cryptocurrencies such as Ethereum. The cryptocurrency coming in flowed from users in Mexico and Colombia too. Binance “off-boarded” some of these users, the document says.

“Given this suspicious transaction activity, the high cryptocurrency amounts managed with unknown sources of wealth, the risky connections (users) by funds flow, the similar pattern observed in other Mexican users investigated, and the diverse law-enforcement requests focused on user’s transactions, there was a high probability that the user’s activities were related to money laundering, and the user was using Binance to obfuscate the origin of the funds by swapping the assets between networks,” the document reads.

At one point, a second confidential source entered the investigation, who described how Tether’s connection to drug proceeds has dictated the price of the cryptocurrency in Mexico. This second source said they would buy cryptocurrency in one market before selling it in another to make a profit, and is the one who told investigators about the difference in USDT price between Mexico and Colombia. The source added that there are large amounts of USDT in Culiacan, Guadalajara, and Mexico City, Mexico, according to the document.

A screenshot from one of the documents.

That second source led to another series of undercover money laundering contracts, with the source and DEA agents orchestrating the money pickup and conversion to USDT at the launderer’s request. That included pickups in Brooklyn, New York, the document says.

Binance told 404 Media in a statement that “While we are unable to provide details on this specific case, we work tirelessly alongside law enforcement to help combat crime, including high-impact ransomware and hack cases, scam and investment frauds, counter-terrorism finance, nation-state-sponsored attacks, and major money laundering groups. When we receive law enforcement requests for information, or to freeze funds, we take action quickly to support their efforts.”

“Blockchain has proven to be one of the most powerful tools for law enforcement’s anti-money laundering efforts. The immutable, public nature of the blockchain makes crypto a poor choice for money laundering because it allows law enforcement to uncover and trace money laundering far more easily than cash transactions,” the statement added. “The public blockchain record ensures greater transparency on source-of-funds than traditional financial institutions, making it easier to track, trace and freeze funds, when appropriate.”

A Tether spokesperson told 404 Media in an emailed statement that these alleged transactions took place on the “secondary market,” meaning the Tether wasn’t bought from one of the “limited” entities that source the USDT cryptocurrency from Tether directly.

“Tether has on-boarded various blockchain tracing, and analysis tools and partnered with blockchain tracing groups which allow the company to collaborate with law enforcement and proactively make law enforcement aware, at times, of high-risk activity. With Tether, every action is online, every transaction is traceable, every asset can be seized, and every criminal can be caught,” the statement said. “Unlike fiat currency, which remains the dominant form of funding for criminal and terrorist efforts globally, Tether has the ability to track all transactions and halt USDT whenever it is used in any illicit manner, and we work with law enforcement to do exactly that. Through its close collaboration with law enforcement across multiple continents, Tether is ensuring bad actors are held accountable while law-abiding users are protected.”

“Tether is proud to be the industry leader in combating illicit use of stablecoin technology,” the statement continued. “We have assisted more than 195 law enforcement agencies across 48 countries with criminal investigations, having blocked more than $2 billion in USDT to date. We are in constant communication with law enforcement agencies globally, including the FBI and the US Secret Service, who we have onboarded onto our platform for greater collaboration. We have worked with law enforcement on various crime typologies including freezing millions related to drug traffickers.”

A screenshot from the DEA presentation.

In the second document reviewed by 404 Media, the FBI says it investigated another money laundering organization using cryptocurrency brokers to move money for major Mexican cartels, including the Sinaloa cartel. In that case, the FBI says the organization laundered more than $52 million in drug proceeds before 2021 and 2023. That case, again, involved Tether. In May 2024, a source told investigators that a Costa Rican attorney called Jorge Carmona Madrigal “was seeking to purchase large amounts of USDT.” The document says the laundering was done on behalf of Hector Paez Garcia and David Benguiat Jimenez. A man with that second name abandoned a Lamborghini after crashing it, according to a 2021 media report from Mexico City. The report adds that the man is connected to the Sinaloa Cartel.

And drug trafficking cryptocurrency-related transactions are not limited to the U.S. and South America. In October, U.S. authorities indicted employees for a China-based chemical manufacturing company for allegedly manufacturing and distributing fentanyl. The DEA’s press release said that some of these people maintained Bitcoin wallets to facilitate payment for the synthetic opioids. 404 Media has obtained an internal DEA presentation which showed at a high level how Chinese synthetic opioid producers were being paid in Bitcoin by South America-based drug traffickers. One benefit was that Bitcoin allowed traffickers to "instantaneously send hundreds of thousands of dollars globally,” the presentation says.

While covering the law enforcement investigations into Sky, Encrochat, and Anom, three encrypted phone companies used by serious drug traffickers, I repeatedly found examples of smugglers using Bitcoin to move their funds. This was included in tens of thousands of pages of law enforcement files and text messages I read.