Bitcoin Addresses Linked to Two Criminals by U.S. Department of Treasury: Exchanges Face Potential “Secondary Sanctions”

In a press release today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) took action against two Iranian-based criminals who were using Bitcoin to transfer—and seemingly launder—ransom-related funds. As a result of today’s actions, people who have engaged with these two addresses, and who may have consequently assisted these criminals, “could be subject to secondary sanctions,” according to the Treasury.

The scandal related to these Bitcoin addresses starts with a malicious computer virus. Similar to the WannaCry ransomware attacks of 2017, these cybercriminals used the malicious computer software ‘SamSam’ to hold people’s data for ransom.

By exploiting vulnerabilities in computer networks, these hackers were able to copy the malicious SamSam crypto-worm into a network. Once inside, this computer worm would grant the hackers administrator privileges over that network, consequently allowing the hackers to hold a victim’s servers and files hostage. These assets would be held until a ransom in Bitcoin was paid.

The cybercriminals used the ransomware to target over 200 known victims, including hospitals, universities, and government agencies.

Bitcoin Used for Apparent Money Laundering

Ali Khorashadizadeh and Mohammad Ghorbaniyan are two Iranians who helped these cybercriminals exchange Bitcoin into Iranian rials—Bitcoin which was received from ransoms.

Due to the decentralized nature of Bitcoin, criminals can use cryptocurrencies to obscure the source of funds and circumvent international transfer controls. However, because of the publicly visible status of the Bitcoin ledger, it is possible to link anonymous aliases and determine the owner of particular wallets. This enables regulators to crack down on criminal activity and tax evasion.

7,000 Bitcoin—worth $29 million at today’s prices—were processed through the two following wallet addresses:

149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V.

According to OFAC, 7,000 transactions with over 40 exchangers, including U.S. based exchanges, were able to convert and send roughly 6,000 Bitcoin through these addresses. The Treasury stated that some of these Bitcoin were derived from the SamSam ransomware.

Those Who Transact with Criminals at Risk

This historic action is the first time OFAC has publicly attributed Bitcoin addresses to specific individuals. Moreover, according to the report, exchanges and other parties who assisted these criminal actors may also be at risk of penalties.

As stated by OFAC, “[we are] targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims.”

Sigal Mandelker, the Treasury Under Secretary for Terrorism and Financial Intelligence had harsh words directed at investors:

“… it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes.”

Furthermore, Mandelker indicates that more Bitcoin addresses related to criminal activity will be published in the future:

“We are publishing digital currency addresses to identify illicit actors operating in the digital currency space.”

Additionally, those who interact with these criminal addresses and attempt to circumvent anti-money laundering laws may be pursued by the Treasury:

“[OFAC] Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives.”

The message is clear: those who use Bitcoin for conducting transactions must be vigilant.

“Like traditional identifiers, these digital currency addresses should assist those in compliance and digital currency communities in identifying transactions and funds that must be blocked and investigating any connections to these addresses,” as stated in the report.

Those who interact with the above two addresses (and other wallet addresses) will be engaging in money laundering and other criminal activity and could be subject to secondary sanctions, according to the statements in the report by OFAC:

“Regardless of whether those transactions are conducted in fiat or cryptocurrency, the compliance obligations remain the same.”

For more information see OFAC’s FAQ related to compliance requirements for digital and crypto currencies.

How Things May Evolve

These actions could result in additional regulations. Before accepting funds, exchanges, vendors, and even individuals may need to check the origin of that cryptocurrency.

However, as technology improves, it may also become increasingly difficult for enforcement agencies to track and stop illicit activity through privacy-oriented cryptocurrencies, such as Zcash and Monero. Criminals will continue to find clever ways to obscure illegal funds, and enforcement agencies will need to remain vigilant to stop this activity.