The EU Fight Against Child Pornography Stokes Fears of Widespread Online Surveillance

“The privacy advocates sound very loud. But someone must also speak for the children.” Just a few months before launching her initiative against online child pornography, in November 2021, Ylva Johansson had already prepared the debate over what would become one of the most contentious legislative proposals Brussels had seen in years. Did the EU Commissioner for Home Affairs sense that this apparently universally agreeable policy would provoke such heavy backlash from among civil society and across the political spectrum?

The Child Sexual Abuse Regulation (CSAR) plans to introduce a complex technical architecture called client-side scanning to combat the proliferation of child sexual abuse material (CSAM).

This approach relies on artificial intelligence systems for detecting images, videos and speech containing sexual abuse against minors, and attempts at grooming kids. It would require all digital platforms at risk of being used for malicious purposes – from Facebook to Telegram, Signal to Snapchat or TikTok, to data clouds and online gaming websites – to use this technology to detect and report traces of CSAM on their systems and users’ private chats. This is impossible without weakening end-to-end encryption, currently the ultimate way to secure digital communications.

‘Chat control’

Technology specialists and online rights groups were quick to warn that, behind a veil of good intentions (equipping the authorities to effectively combat the proliferation of CSAM), this “chat control” could lead to the disproportionate infringement of fundamental rights and online privacy for all EU citizens. This has fed an important opposition movement among EU legislators, both in the Parliament – where the text will pass a key test during a vote at the Civil Liberties Committee in October – and in the Council – where discussions are stalling due to opposition from a few key Member States.

Johansson, though, has not blinked once, dubbing the project as her “number one priority”. The Commissioner can boast the support of numerous child protection organisations loudly urging for the adoption of the text.

Far from a spontaneous movement, the campaign in favour of CSAR has been largely orchestrated and bankrolled by a network of entities with ties to the tech industry and security services, whose interests go far beyond child protection. Amidst the Commission’s efforts to keep a tight lid on details of the campaign, our investigation – based on dozens of interviews, leaks of internal records and documents obtained through freedom of information laws – has uncovered a coordinated communication e ort between Johansson’s cabinet and these lobby groups. Johansson has not responded to several requests for an interview.

One of the first hints at this behind-closed-doors pact lies in a letter sent by Johansson in early May 2022, a few days before launching her legislative proposal on CSAM. “We have shared many moments on the journey to this proposal. We have had extensive consultations. You have helped provide evidence that has served as the basis to draft this proposal”, wrote the Commissioner.

The previously undisclosed letter was not sent to a classic child protection organisation but to the executive director of Thorn. Despite its non-profit status, this American organisation also has a for-profit operation, selling artificial intelligence (AI) technologies which can identify child sexual abuse images online.

Thorn’s tools, such as Safer, are already used by companies such as Vimeo, Flickr and OpenAI – the creator of ChatGPT. Its clients also include law enforcement agencies across the globe, like the US Department of Homeland Security, which has spent $4.3 million for their software licences since 2018. Should “client-side scanning” for CSAM be imposed on all major platforms in the EU, Thorn could come out as one of the main beneficiaries of the new regulation – along with other tech companies which it has already partnered with, such as Amazon or Microsoft.

Hollywood celebrity lobbyist

Thorn has pushed for this regulation long before it was put down on paper. The company has hired high-profile lobbyists, including FGS Global, a major lobby rm with considerable access to the Brussels powerbrokers, to which it has paid more than €600,000 in representation costs for the year 2022 alone.

But Thorn has also relied on its own resources. Its board has long been chaired by Hollywood star Ashton Kutcher, who co-founded the company with Demi Moore in 2012, and whose multiple invesments in AI companies could stand to benefit from the development of a market for CSAM surveillance. The actor was forced to step down from his position at Thorn on September 14th, amid indignation over his support for a fellow actor accused – and now convicted – of raping two women. For years though, access to the top echelons in Brussels has never been an issue, both for Kutcher and for Thorn, thanks to the actor’s star power and tear-jerking speeches.

Kutcher and Johansson were the key speakers at a summit organised and moderated by an enthusiastic Eva Kaili, then the Vice President of the European Parliament, in November 2022; before she was removed from her position following corruption charges against her in December. The actor also addressed lawmakers in Brussels in March 2023, attempting to appease concerns about the possible misuse and failures of existing technology – his speech was “highly misleading in terms of what the technology can do”, according to an internal document from European Digital Rights, an association of civil and human rights organisations.

Throughout the preparation process, Thorn was also granted close access to EU legislators behind the doors. The organisation, listed as a charity in EU transparency registers, met with cabinet members of every top Commission official with any say on security or digital policy, including Margrethe Vestager, Margaritis Schinas, and Thierry Breton. Ursula Von der Leyen, the President of the European Commission, was one of the first to be briefed about the plans for fighting child sexual abuse in a video conference attended by Ashton Kutcher, as early as November 2020.

Author: Galateia_Iatraki_SOLOMON

A generous offer

Thorn’s main point of contact was, however, Johansson’s team. Emails released by the Commission after a long struggle reveal a close and continuous working relationship between the two parties in the months following the rollout of the CSAR proposal, with the Commission repeatedly facilitating Thorn’s access to crucial decision-making venues attended by member states’ ministers and representatives.

A few days following the presentation of Johansson’s proposal, Thorn representatives sat down with one of the Commissioner’s cabinet members and expressed a “willingness to collaborate closely”. Not only did they o er help to prepare “communication material on online child sexual abuse”, but they also made an o er of service to “provide expertise” for “the creation of the database of indicators” to be hosted by the future EU Centre to Prevent and Combat Child Sexual Abuse.

Thorn is among the most vocal stakeholders advocating for the creation of this new body which would vet and approve scanning technologies, as well as then purchase and offer them to small and medium companies. Thorn’s offer to support building its database reads as a generous pro bono offer, and it would be – if major commercial interests were not at stake.

Abdication of corporate responsibility and ‘false positives’

“What I don’t think governments understand is just how expensive and fallible these systems are”, warned Meredith Whittaker, the president of the Signal Technology Foundation, a US non-profit which runs an encrypted chat application which prevents anyone from collecting or reviewing user data, which has no interest in seeing encryption techniques weakened. “We’re looking at [a cost of] hundreds of millions of dollars indefinitely due to the scale that this is being proposed at”, added Whittaker, who compared this policy to offering tech companies a “get out of responsibility free card”, by saying “you pay us and we will do whatever it is to magically clean up this problem”.

This scepticism has been shared by a growing number of stakeholders. “Current technologies lead to a high number of false positives”, said a spokesperson for the Dutch government, suggesting that many users might be needlessly reported to the authorities, overburdening law enforcement agencies. In a severe blow to the advocates of this solution, Apple announced in Summer 2023 that it is impossible to implement CSAM scanning while preserving the privacy and security of digital communications. A few weeks later, UK officials privately admitted that there is no existing technology able to scan end-to-end encrypted messages without undermining user privacy.

Matthew Daniel Green, a security technologist at John Hopkins University, also warned that AI-driven scanning technology could expose digital platforms to malicious attacks: “If you touch upon built-in encryption models, then you introduce vulnerabilities. This could endanger the kids themselves, by opening the way for predators to hack accounts in searching for images.”

Suspicions of mixing interests

While Thorn played a central role in framing the Commission’s proposal, a tight and intricate network of players has stepped into Brussels’ offices to build consensus around it. Among them is a discrete but highly influential organisation called WeProtect Global Alliance. Registered as a “foundation” at an unassuming residential address in the tiny Dutch town of Lisse, the Alliance aims to “develop policies and solutions to protect children from sexual exploitation and abuse online”. However, it is no ordinary civil society group.

Launched as a government initiative by EU, UK and US authorities, WeProtect was transformed into a supposedly independent organisation in the spring of 2020, as efforts to push for legislative initiatives to tackle CSAM with client-side scanning technology were picking up. Its membership includes not only NGOs, including Thorn, but also tech companies, like Snap or Palantir, and dozens of governments.

The EU Commission has endorsed WeProtect as “the central organisation for coordinating and streamlining global e orts and regulatory improvements” in the fight against online child sexual abuse. Johansson’s Directorate-General for Migration and Home Affairs (DG Home) granted the organisation almost €1 million to organise a summit in Brussels dedicated to the fight against CSAM, as well as activities to enhance law enforcement collaboration.

One of DG Home’s most senior officials, Antonio Labrador Jimenez, who has played a central role in drafting and promoting the CSAR proposal, has officially been part of WeProtect’s board since July 2020, though documents suggest that his involvement dates as far back as 2019. Although Mr. Labrador Jimenez “does not receive any kind of compensation”, his holding this position raises serious questions about how the Commission uses WeProtect to promote Johannson’s proposal. When Labrador Jimenez briefed his fellow board members about the proposed regulation in July 2022, notes from the meeting show that “the Board discussed the media strategy of the legislation”.

WeProtect has not answered questions regarding its funding arrangements with the Commission nor to what extent its advocacy strategies are shaped by stakeholders sitting on its policy board. This question is all the more important as WeProtect’s board also includes representatives of powerful security agencies, such as Stephen Kavanagh, the Executive Director for Police Services of INTERPOL, or Lt. Colonel Dana Humaid Al Marzouqi, a high-ranking United Arab Emirates’ Interior Ministry official who chairs or participates in numerous international police task forces.

Trojan horse hypothesis

Ross Anderson, professor of Security Engineering at Cambridge University, says the missing picture in the current debate is precisely the role of law enforcement agencies, who he suspects expect to undermine encryption by letting child protection organisations lead the charge in Brussels.

“The security and intelligence community have always used issues that scare lawmakers, like children and terrorism, to undermine online privacy.” They have, Anderson said, “told EU policymakers that once the machinery has been built to target CSAM, it is entirely a policy decision to target terrorism too. We all know how this works, and come the next terrorist attack, no lawmaker will oppose the extension of scanning from child abuse to serious violent and political crimes.

This concern is shared by Wojciech Wiewiórowski, the EU’s Data Protection Supervisor, who told Le Monde and its partners that the proposal would amount to “crossing the Rubicon” towards the mass surveillance of EU citizens if this technology were to be used in wider contexts.

These warnings are not mere speculations. In July 2022, the head of DG Home met Europol’s Executive Director, Catherine de Bolle, to discuss Johansson’s proposal and the EU law enforcement agency’s contribution to the fight against CSAM. According to the minutes of the meeting Europol oated the idea of using the proposed EU Centre to scan for more than just CSAM. “There are other crime areas that would benefit from detection,” Europol told the Commission official, who “signalled understanding for the additional wishes” but ” flagged the need to be realistic in terms of what could be expected, given the many sensitivities around the proposal.”

Research by Imperial College academics Ana-Maria Cretu and Shubham Jain showed how client-side scanning systems could be discreetly tweaked to perform facial recognition from the devices of unaware users, cautioning that there might be more vulnerabilities that we don’t know of yet. “Once this technology is rolled out to billions of devices across the world, you can’t take it back”, they warned.

Intense lobbying by ‘survivors’

When the regulation proposal came under attack by privacy experts, a nearly unknown group came to the rescue. The Brave Movement, “a survivor-centred global movement campaigning to end childhood sexual violence”, emerged only a few weeks before the text rolled out, and soon became a key ally for Johansson.

In April 2022, the organisation hosted the Commissioner in an online “Global Survivors Summit”. A year later, she joined a photo-op in front of the European Parliament during the “Brave Movement Action Day”, along with a group of survivors gathered to “demand EU leaders be brave and act to protect millions of children at risk from the violence and trauma they faced”. During that period, Brave recruited its new Europe Campaign Manager, Jessica Airey, from Johansson’s department, where Ms Airey had worked as an intern to promote the CSAR proposal for ve months.

An internal strategy note during the course of this investigation leaves no doubts about the Brave Movement’s central role as an advocacy instrument to advance consensus around Johansson’s proposal. “The main objective of the (.) mobilisation around this proposed legislation is to see it passed” and to “create a positive precedent for other countries which we will invite to follow through with similar legislation”, wrote the organisation.

This November 2022 note suggests that Brave has played a key role in lobbying officials both in Brussels and in EU member-states. The organisation has, for instance, built a strong relationship with Conservative MEP Javier Zarzalejos, a supporter of Johansson’s proposal who leads negotiations at the Parliament level. The document reveals that Zarzalejos “asked for strong survivors’ mobilisation in key countries like Germany”, one of the “potential blockers in the negotiations”. Brave has also met with the French Junior Minister for Child Protection, Charlotte Caubel, in an effort to turn France – already in favour of the text – into “a Champion for the legislation.”

A generous American sponsor

Obviously, preventing the circulation of CSAM is a common goal for all child protection organisations. Not all, however, approve of the approach proposed by Johansson. For instance, the German Child Protection Association argues that “relying on purely technical solutions to protect children from sexualized violence online is a fatal mistake with devastating consequences for the fundamental democratic rights of all people”. Scanning private communications would “deeply interfere with the fundamental rights of children and young people”, added the association.

Dissenting voices like this one have struggled to make themselves heard in the face of the powerful coalition of pro-CSAR organisations grouped together under the banner of the European Child Sexual buse Legislation Advocacy Group (ECLAG). This coordination platform, launched immediately after Johansson’s proposal, brings together renowned children’s rights organisations (Terre des hommes, Missing Children) with Thorn, the Brave Movement or the Internet Watch Foundation (a UK non-profit which produces technology to identify CSAM and is funded by some of the biggest players of the internet industry).

In addition to close access to Johansson’s team, ECLAG members have received financial support from an American charity called the Oak Foundation. Headed by an ex-US State Department official, the foundation has granted them at least €24 million since 2019. In addition to supporting Thorn ($5.3 million), the foundation donated $10.3 million for the creation of the Brave Movement, and $1.5 million to Purpose Europe, a UK-based consultancy controlled by French giant Capgemini, which has worked with multiple ECLAG organisations and held meetings with Johansson’s cabinet.

A spokesperson for the Oak Foundation, who has a long-term commitment to helping NGOs that fight child abuse throughout the world, said that the foundation supports organisations that “advocate for new policies, with a specific focus in the EU, US, and UK, where opportunities exist to establish a precedent for other governments”. However, it did not address privacy concerns raised by the CSAR proposal.

Struggling for transparency

Throughout this investigation, our reporters have found it very difficult to obtain internal European Commission documents related to the proposed CSAR regulation, in spite of the EU’s freedom of information law. While the Commission’s failure to deal with document access requests within statutory deadlines is not uncommon, requests fled as early as December 2022 have gone unanswered for months.

It ended up being necessary to ask the European Ombudsman to intervene in order to get the frst series of documents released. But several requests about email exchanges and the minutes of meetings between senior Commission officials from Ylva Johannson’s cabinet and private lobby groups like Thorn and WeProtect were rejected. For example, the Commission refused to disclose Cordua’s email in reply to Johannson’s message in May 2022, as well as a “policy one pager” Thorn shared, after Thorn, despite its charity status, argued that “the disclosure of the information contained therein would undermine the organization’s commercial interest”.

The European Ombudsman is currently investigating four separate complaints filed by the reporting team regarding the Commission’s failure to fulfill its transparency obligations. The Commission has thus far failed to respond to the Ombudsman’s request for information regarding two of the complaints that were submitted in July.

‘A commercial interest’

Ylva Johansson’s close dialogue with this network of organisations and tech companies is all the more remarkable in light of her silence shown to other stakeholders. The European Digital Rights has repeatedly complained about the lack of consideration from Johansson, who has never received them. The same frustration is shown by O imits. Hosted in a bright office room at the edge of Amsterdam’s famous red light district hosts, this organisation is Europe’s oldest hotline for kids and adults wanting to report abuse, whether happening behind closed doors or seen on a video circulating online. Every day, its seven analysts view thousands of reports and images, to assess whether they are abusive or illegal.

While Off limits’ legitimacy is unquestioned, Arda Gerkens, its former director (2015-September 2023), has found herself in front of a wall of silence since Ylva Johansson launched her proposal. “In the past years, Commissioner Johansson and her sta visited the Silicon Valley and big North American groups”, explained Gerkens: “I invited her here, but she never came.”

“Who will benefit from the legislation?”, Gerkens asked rhetorically. “Not the children”.

Instead, she believes that Johansson’s proposal is excessively “influenced by companies pretending to be NGOs, but acting more like tech companies”. “Groups like Thorn”, she added, “use everything they can to put this legislation forward, not just because they feel that this is the way forward to combat sexual child abuse, but also because they have a commercial interest in doing so.”

Struggling for transparency

It ended up being necessary to ask the European Ombudsman to intervene in order to get a first series of documents released. But several requests about email exchanges and the minutes of meetings between senior Commission officials from Ylva Johannson’s cabinet and private lobby groups like Thorn and WeProtect were rejected. For example, the Commission refused to disclose Cordua’s email in reply to Johannson’s message in May 2022, as well as a “policy one pager” Thorn shared, after Thorn, despite its charity status, argued that “the disclosure of the information contained therein would undermine the organization’s commercial interest”.

Credits:

Maxime Vaudano – Investigations editor
Dusica Tomovic – Managing Editor
Ivana Nikolic – Program Manager
Matt Robinson – Copy Editor
Ivana Jeremic – Fact Checker
Igor Vujcic – Illustrator
Ilianna Papangeli – Managing Director
Stavros Malichudis – Chief Editor
Galatia Iatraki – Illustrator
Kai Bierman – Investigations editor
Andrés Gil – Foreign desk editor
Mariangela Paone – Special envoy
Evert De Vos – Editor
Xandra Schutte – Director
Olivia Ettema – Illustration
Lorenzo Bagnoli – Editor-in-chief
Antonella Napolitano – Impact editor
Francesca De Benedetti – Foreign news editor
Andre Meister – Editor

Funding partner:
European Journalism Center
Zlatina Siderova – Project leader
Juliette Gerbais – Project assistant

The Rotenberg Files

The original publication of the project is embedded below. Underneath, find the full text.

Growing up in Leningrad, two brothers named Arkady and Boris Rotenberg took martial arts classes alongside Russia’s future president, Vladimir Putin.

The relationship endured, and as Putin’s political clout grew, so did the Rotenbergs’ wealth. Thanks in part to lucrative state contracts, their riches grew into the billions during their childhood friend’s rule.

But when Russia invaded Ukraine in 2014, the Rotenbergs’ close ties to their old sparring partner drew unwelcome attention. Hit with sanctions, their vast foreign assets at risk, the brothers scrambled to shift them out of reach of Western regulators.

They had a lot to protect and, almost a decade later, they remain incredibly wealthy: Forbes magazine estimated their combined wealth at $4.9 billion this year.

As Putin’s renewed invasion of Ukraine racks up ever more murdered civilians and ruined cities, and the world’s most powerful countries continue to target the interests of those that are helping the Russian president, the question of how two members of Putin’s inner circle managed to escape serious consequences becomes more pressing than ever.

Now, a new email leak offers unprecedented insight into just that — highlighting, above all, the essential role that Western lawyers, bankers, and corporate service providers have played in helping the Rotenbergs safeguard their vast collection of assets.

The leaked archive, which consists of over 50,000 documents and emails sent between 2013 and 2020, was obtained by IStories and OCCRP and shared with 15 other media outlets.

The resulting investigative series, dubbed the Rotenberg Files, reveals how these enablers made it all possible. A central figure was Maxim Viktorov, a 50-year-old Moscow-born businessman, whose Russian management company and law firm played a crucial role in coordinating the Rotenbergs’ worldwide affairs after they were sanctioned.

Viktorov does not exude the aura of a powerful operator: When he appears in the media, it’s usually in association with his passion for rare Italian violins. In 2009, he paid a reported $3.9 million — “well in excess” of any previous record, according to auction house Sotheby’s — for an 18th-century instrument.

But while this exorbitant purchase made headlines, the scope of Viktorov’s work for the Rotenbergs was unreported until now.

For example, a few months after the brothers were sanctioned in 2014, Viktorov received a direct instruction from Boris’s son Roman: “We need to discuss and prepare documents,” he wrote.

Attached to the email was a memo labeled with a clear purpose: “OBJECTIVE: CLEAR SANCTIONS.”

It went on to describe a convoluted corporate restructuring plan intended to preserve the Rotenberg brothers’ share in Helsinki Halli, a major Finnish arena that hosted concerts, ice hockey, and other sporting events.

The plan was to be conducted in absolute secrecy: “These documents should be prepared inside the family by a trusted lawyer and nobody else should know about the existence of these documents,” the memo read.

The scheme appeared to be a success: The Rotenberg family managed, for years, to hold onto their share in the arena through Roman. (It was finally frozen after Roman, too, was sanctioned in 2022.)

This early example typified the subsequent years, in which — aided by Viktorov, his colleagues, and a host of hired specialists — the Rotenberg family used a range of manipulative techniques to shift around their assets, protecting them from Western sanctions.

The archive shows companies moving around the world like chess pieces, new bank accounts opening just as others were closed, and ownership structures morphing in response to new sanctions or questions from regulators.

When regulators asked tough questions about company owners, Viktorov and his team worked with trusted corporate service providers to move Rotenberg companies to less demanding jurisdictions. In Russia, his Evocorp Management Company LLC managed some of the brothers’ valuable assets after they were put under the control of ultra-secretive investment funds, which he portrayed as his own.

Finally, the archive reveals how various third parties — including a man reported to be Boris Rotenberg’s onetime bodyguard and a 36-year-old Latvian cosmetologist who appears to be Arkady Rotenberg’s secret romantic partner — took on the ownership of some of the brothers’ valuable assets.

Viktorov said neither he nor any of his companies had ever violated any laws, “in particular, the U.S. and EU sanctions legislation.” He described reporters’ findings as “erroneous” and said the shareholders of funds managed by his company are not sanctioned individuals.

Boris and Arkady Rotenberg, and members of their family, did not respond to emailed questions.

Tom Keatinge, director of the Centre for Financial Crime and Security Studies at the U.K.-based Royal United Services Institute, said that historically weak enforcement by sanctions authorities meant that managing assets for wealthy sanctioned individuals did not carry much risk and was highly profitable.

“The paycheck is often worth it. You see very few cases of individuals being added to sanctions lists — let alone prosecuted — for facilitating sanctions evasion,” Keatinge told OCCRP. “To change people’s attitudes, we need some heads on spikes.”

Nosy Regulators

Among the situations that called for Viktorov and his colleagues’ attention was when regulators in offshore jurisdictions raised questions about Rotenberg assets. This included the British Virgin Islands (BVI), a jurisdiction not known for aggressively policing companies.

In 2016, a large section of the Rotenbergs’ financial empire was put at risk when BVI regulators started demanding that corporate service providers stop working with any companies owned by people sanctioned by the United States.

ILS Legal Services S.A., a company registered in Panama that was working with Viktorov on the Rotenbergs’ affairs, sounded the alarm.

“We have a serious issue,” wrote ILS in an email to Elena Ruzyak, a Rotenberg employee and fixer who worked closely with Viktorov.

ILS was notifying Ruzyak that BVI authorities were asking for the identities of the beneficial owners of at least 18 companies that belonged to the Rotenbergs or their intermediaries.

“Apparently the BVI Financial Services Authority obliges the BVI agents to resign from companies whose [ultimate beneficial owner] is listed in the…(US sanctions),” ILS wrote.

Referring to the brothers by their initials, the ILS email listed a series of “BR Companies” that were at issue and explained that, for “the Companies owned by AR,” there was “the additional complication of the EU sanctions.” (While both brothers were under U.S. sanctions in 2016, only Arkady had been blacklisted by the EU at that time.)

But the mention of Arkady appeared to trigger a strong response.

Seemingly alarmed, Ruzyak quickly replied: “It’s all BR!!!!!!!!!!!!”

It’s not clear whether this meant all the companies really belonged to Boris, or whether she was seeking to cover up a paper trail. In any event, the ILS response was swift and contrite: “Sorry, yes BR. It’s all about BR. We are already spinning like a snake on a pitchfork.”

Boris also would have had reason to be alarmed: Leaked documents and company records obtained by reporters show these companies held some of his most prized assets, including the Rahil, a luxury yacht with five guest suites and a nine-person crew, plus interests in at least six properties in southeast France.

“We have been dealing with the matter for the past 10 days trying to find a solution,” ILS wrote to Ruzyak.

To deal with the new regulations, ILS suggested a familiar solution: Replace the Rotenbergs with proxies who would sign deeds of trust, allowing them to appear as the companies’ ultimate owners, and then give authorities those names.

“We can name some trusted person as a nominal [beneficial owner] and issue a trust declaration in favor of Rotenberg,” ILS wrote.

After Ruzyak forwarded the exchange to Viktorov, he signed off on the idea: “I agree,” he wrote. “Let them prepare it.”

The scramble to find proxies began.

In an email to Viktorov, Ruzyak suggested a man named Aleksandr Kozlov, who has worked as Rotenberg’s bodyguard, as one possibility, but noted that his ties to the oligarch’s other companies — including, her email implies, a company called Frasgo Holding Corp. — would make him a less-than-ideal candidate.

“I am racking my brains, I thought of Sashka [Aleksandr] Kozlov but all those frasgos make it awkward (((((((((((((,” Ruzyak wrote, punctuating her email with 13 sad faces.

Nevertheless, registry data indicate Kozlov was indeed made the beneficial owner of at least one of the BVI firms: Medexlite Limited, which owned another luxury yacht also called the Rahil.

Two other assets — apartments in the heart of Riga, Latvia — were transferred away from one of the Rotenbergs’ BVI firm Narcius Investments Limited and registered in Ruzyak’s name, according to Latvian property records.

Eight of the 18 BVI companies mentioned in the ILS email were ultimately dissolved, and two relocated to Cyprus.

ILS, Ruzyak, and Kozlov all failed to respond to emailed questions.

Irene Kenyon, a former U.S. Treasury officer, describes Cyprus as “another BVI” for the Russians. It was “their little black box,” she said, “where they can register stuff and hide assets. … It was considered a secrecy jurisdiction.”

The leaked records don’t show what was done with the remaining problematic BVI companies.

But they do reveal another issue raised by U.S. sanctions against Boris Rotenberg: His ability to conduct banking transactions with his own wife.

Placating Bankers

In 1997, the French bank Société Générale set up a branch in the super-wealthy principality of Monaco. This office is not shy about its customer base, dedicating itself to “High Net Worth” clients and offering a range of services from Monaco legal experts, “wealth engineers,” and other specialists.

Such a bank would seem like the perfect place for a Rotenberg to hold assets. And indeed, leaked emails show Boris Rotenberg, his wife Karina, and ten of his companies held accounts with Société Générale in Monaco.

But in October 2015 — over a year after Rotenberg was sanctioned by the U.S. — the head of the Russia desk at the bank’s Monaco unit noted in an email to Viktorov that Rotenberg’s wife Karina was a U.S. citizen — and that it was “forbidden” for “U.S. persons [to engage] in transactions that involve a person subject to sanctions measures.”

In effect, the bank officer was asking whether the sanctions against Boris Rotenberg forbid him from sending money to his own wife.

“What is your interpretation of OFAC rules with regard to the US citizenship of Mrs K. ROT?” she asked Viktorov, referring to the U.S. Treasury office responsible for sanctions implementation. “Have you taken steps towards OFAC? What is the intended purpose of this approach?”

“We would appreciate that you answer us with detailed responses, argued and documented,” she wrote.

In fact, the bank had already frozen Rotenberg’s accounts. “We are waiting for your reply,” the bank officer wrote a couple of days later. “Your response will allow us to consider a position concerning the accounts bloqued [sic] by the bank.”

By the first few days of the following month, Viktorov and Sergey Markov, a former Soviet diplomat-turned-businessman who was also helping the Rotenbergs, were already corresponding with a wealth management company willing to help “the client” find alternative banking services.

This firm, LJ Partnership, based in London at the time, advertised itself as a “leading international, privately-held family office” that is “responsible for discreetly serving the needs of a select group of families.”

In addition to offering tailored investment advice and help building “onshore and offshore” corporate structures, it offers services including “yacht and aviation charter,” “close protection services,” and “lifestyle and travel administration.”

What Viktorov and Markov really needed, however, was help getting Rotenberg’s money out of the frozen Société Générale accounts as soon as possible. “The client is keen that work should begin soonest,” Markov wrote to an LJ Partnership executive.

LJ Partnership then sent Markov a plan proposal. For 70,000 British pounds ($100,000) in fees and expenses — plus an additional 50,000-pound ($70,000) bonus if everything went well — the company offered representation in “discussions with Société Générale Monaco to achieve a release of certain assets” and introductions “to a new banking relationship … to achieve the transferral of assets from Société Générale.”

As its “client” for this project, LJ Partnership took on Viktorov’s U.K. company, Legal Intelligence Group Ltd, rather than Rotenberg himself, creating a buffer between the wealth management firm and the sanctioned Russian billionaire.

The operation, later dubbed “Project Sun,” soon got underway.

To lead the charge against Société Générale, LJ Partnership recommended an international law firm, Charles Russell Speechlys LLP. In an initial memo, the firm’s legal team offered a possible argument: “It would appear likely that SOCGEN’s actions in freezing accounts without the knowledge or consent of your client may amount to a breach of [its] contracts [with him].”

Soon, a pair of draft letters from one of the firm’s lawyers in its Paris office were forwarded to Société Générale. The letters set out “our understanding of the legal position,” the LJ Partnership executive said. “I am sending these to you in draft so that we have the chance to discuss the matter again informally to attempt to find a solution,” he added.

The letters acknowledged that “in October 2015, my clients learned that their assets had been frozen by the bank … [as a] consequence of an individual measure taken against Mr Boris ROTENBERG by the American administration.”

However, they continued, “the bank’s decision [to freeze the accounts] … violates the binding conventions signed between the bank and my clients.”

Furthermore, they pointed out, no action had been taken against his clients — Boris and Karina Rotenberg and five of their companies — by France, Monaco, or any EU member state. According to the laws of both France and Monaco, the lawyer argued, “assets’ freezing measures can be undertaken only pursuant to a ministerial decision. There is none in the present case.”

Meanwhile, LJ Partnership continued to hunt for a new bank for Rotenberg. They suggested a range of options, including lenders in Singapore, the Bahamas, Switzerland, and Liechtenstein.

A deal was eventually struck with the Luxembourg-headquartered Banque Havilland S.A., a controversial elite lender owned by the well-connected Rowland family.

The leaked emails detail how LJ Partnership helped set up a meeting between Rotenberg and the Rowlands in Geneva. The meeting was scrapped, however, after the Russian oligarch — referred to by Markov as “the client” — had to cancel, leaving Markov apologizing for the “very embarrassing” situation.

A new meeting was then proposed in Monaco in April 2016. LJ Partnership relayed an invitation from the Rowland family to meet on their yacht in the city’s harbor.

“This is perfect,” Markov replied. “The client also has a yacht in Monaco Harbour, so small talk at the outset will be smooth.” Markov added that he and Maxim Viktorov would also arrive for the meeting “on Sunday evening.”

The meeting appears to have gone well. LJ Partnership soon confirmed that Banque Havilland was ready to take Rotenberg on: “The plan with the bank will be first to open the corporate account and then to open the personal accounts,” the company’s executive wrote. “It will be a two stage process.”

The leaked records show that Banque Havilland opened an account for Karina and requested documentation to open accounts for two Rotenberg companies registered in the BVI. Discussions around the account opening process continued for nearly a year. However, there is no evidence in the leak to show whether the accounts were ultimately opened.

Payment instructions found in the email leak confirm that, in 2017, Karina Rotenberg sent 500,000 euros, in two payments, to her Banque Havilland Monaco account from an account in Moscow.

In a statement sent by a representative, Banque Havilland said it had had “always complied with all relevant sanctions in the countries we operate,” including in the U.S. and EU, and that it rejected “any suggestion of wrongdoing or suggestion that banking services have been provided to sanctioned individuals.”

Markov told OCCRP he was not “an associate of Boris Rotenberg” and had “never received any money from him nor done any business with him.” He said he had long been “friends and business partners” with Viktorov and said their interactions and activities were lawful.

The Rowlands could not be reached for comment and Banque Havilland said it could not comment on their behalf.

Meanwhile, the issue with the frozen accounts at Société Générale also ended up being problematic.

While emails suggest the French bank released some of Rotenberg’s funds early in 2016, negotiations over the frozen accounts appeared to hit some snags. The law firm LJ Partnership had engaged, Charles Russell Speechlys, ended up withdrawing from the project, though it is not clear exactly why. After they failed to find new representation, LJ Partnership said it would have to withdraw as well.

LJ Partnership, which was since rebranded Alvarium, did not respond to emailed questions or phone calls. Charles Russell Speechlys did not respond to a request for comment.

Eventually, the emails show Société Générale agreed to provide Boris Rotenberg with banking services under strict conditions, including not having any accounts connected to his wife, as the bank sought repayment of outstanding multimillion dollar loans to the Russian oligarch.

Société Générale said it could not comment on the case due to banking secrecy rules.

Secret Funds

The sanctions against the Rotenberg brothers did not only have an impact abroad: They also prompted them to restructure at least some of their Russian holdings for greater secrecy.

Special investment vehicles called “closed mutual funds,” abbreviated in Russian as “ZPIFs,” were used to hold these assets. These structures, which are not considered legal entities under Russian law, are not obliged to reveal their shareholders, and cannot go bankrupt or have their assets confiscated, were managed by Viktorov and his team.

The secretive nature of ZPIFs and incomplete Russian corporate records means it’s often impossible to track who really owns them or what assets they hold.

But contained within the leaked emails is a rare find: Official minutes from a July 2017 meeting at the Central Bank of Russia. The document reveals that — at least as of that time — 13 ZPIFs managed by Viktorov’s company, Evocorp, were owned by or linked to the Rotenbergs.

These structures contained some high-profile assets, according to the Central Bank document, including the Moskvarium, a Moscow aquarium billed as Europe’s largest, and an imposing villa on Spain’s Mediterranean coast.

They also included shares in the Prosveshcheniye (“Enlightenment”) publishing house — a major player on the Russian market that regularly fulfilled government contracts for textbooks. (In 2017, a representative of Arkady Rotenberg told the Russian business paper Vedomosti that he had sold his share in the publisher.)

A leaked Evocorp report from 2018 shows that seven of these funds were still managed by the company a year later, while some had been transferred to a new fund manager,

Severnaya Egida LLC (“Northern Aegis”).

The leaked emails show that, in their responses to queries about the shareholders of the ZPIFs or the companies they owned, Evocorp employees represented Viktorov as the ultimate owner.

“There is a practice where the General Director of the Management Company is recognized as the ultimate beneficiary,” wrote one Evocorp employee when asked how to respond to queries about the true owners of the Moskvarium.

The same response was given to two banks — SMP Bank and Sberbank — when they asked for more information about the beneficiaries of the ZPIFs or their companies. Evocorp responded with letters saying that Viktorov himself was the “ultimate beneficial owner” of the relevant company.

The leak does not show how SMP responded, but such explanations raised eyebrows at state-owned Sberbank.

“We need to understand who the fund’s shareholders are, not the managing company,” a Sberbank official wrote in 2017 to an employee of RG-Development, a major real estate firm held by one of the ZPIFs that, according to the email leak, Evocorp appeared to have managed for the Rotenbergs.

The RG-Development employee then wrote to their colleagues, telling them that the bank “strongly suggests that [RG-Development] close all settlement accounts with Sberbank, because we, in their opinion, are a company affiliated with persons from the ‘sanctions list.’ They sent us a notice to close.”

But the emails suggest the matter may have been resolved: A few days later, the RG-Development employee wrote to Evocorp to say that the Sberbank official would see if they could “get by” with a letter from RG-Development saying it did not have information on the ZPIF’s shareholders. If that didn’t work, Evocorp would send Sberbank another letter stating no sanctioned individuals were among the fund’s shareholders.

Sberbank did not respond to a request for comment.

Even with the built-in secrecy of the ZPIF structure, Evocorp took great pains to make sure information about the Rotenbergs remained secret.

In 2017, an employee of SDK Garant LLC, a Russian investment fund management company apparently hired by Evocorp to manage some of the ZPIFs, wrote to colleagues and Evocorp staff to say they were entrusting a new employee with the administration of one of Evocorp’s funds.

Evocorp’s CEO at the time quickly wrote back, chastising the decision.

“It is critically important for us that information about the fund’s shareholders should not be shared,” he wrote. “I think that transfering management of this fund to a new young manager is a violation of our agreement with SDK Garant.”

A Romantic Partner?

Among the ZPIFs that the leaked Central Bank document revealed were managed by Evocorp was one whose owner comes as somewhat of a surprise: A 36-year-old Latvian cosmetologist named Marija Borodunova.

The document shows that, as of mid-2017, Borodunova controlled 80 percent of RG-Development, the major real estate firm, through the ZPIF called Lontano.

Reporters found that she owned several other valuable assets: A luxury Monaco apartment in a landmark building which she rented to a Rotenberg company for 260,000 euros per month in 2017 and, with her two young daughters, a 4.25-million-euro villa on the French Riviera.

According to a leak of Russian tax records seen by reporters, Borodunova earned $25.5 million in 2020 alone.

Borodunova did not respond to emailed questions.

One clue to how she ended up with such wealth is provided by two sources who spoke to reporters on condition of anonymity due to fears over their security. Both described Borodunova as Arkady Rotenberg’s “unofficial wife.”

One of them, who is acquainted with members of Arkady’s entourage, said that Arkady’s relationship with Borodunova was not public, “but people close to them have known … for a long time.”

Reporters could not independently verify the sources’ claims. But Getcontact, an app that reveals the names under which a telephone number has been saved by its contacts, provides further corroboration: In at least a dozen cases, Borodunova’s number was saved in friends’ contact lists as some variation of “Maria Rotenberg.”