November 30, 2018 | Policy Brief

Treasury Designates Iran-based Digital Currency Exchangers Involved in Ransomware Scheme

November 30, 2018 | Policy Brief

Treasury Designates Iran-based Digital Currency Exchangers Involved in Ransomware Scheme

On Wednesday, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) took action against two Iran-based individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan, for their role in facilitating ransom payments related to the SamSam ransomware campaign. OFAC provided identifying information about these two individuals that included the two cryptocurrency addresses they used to launder over 7,000 bitcoins, worth millions of dollars. This is the first example of Treasury Department including information on digital currency wallets for individuals on its Specially Designated Nationals and Blocked Persons (SDN) list. It also demonstrates that Treasury will enforce sanctions policy against actors who use digital currency to harm U.S. interests.

The SamSam campaign employs highly sophisticated ransomware that has targeted over 200 known victims and extorted millions of U.S. dollars in the form of Bitcoin payments since December 2015. Most notably, it targeted the city of Atlanta, the Colorado Department of Transportation, and the Port of San Diego, causing over $30 million in total losses to victims and generating $6 million in ransom payments. Also on Wednesday, the Department of Justice indicted two additional Iranians involved with orchestrating the multi-year extortion campaign. The indictment alleges that the hackers communicated with two Bitcoin exchangers in Iran (presumably Khorashadizadeh and Ghorbaniyan) to cash out their bitcoins into Iranian rial.

Although neither Treasury nor the Department of Justice’s statements on the SamSam campaign mention if the hackers and exchangers were associated with the regime in Iran, the U.S. government had previously signaled that it would target Iranian use of digital currencies. The Iranian government previously has relied on proxies with no state affiliation to carry out operations on behalf of the state, such as the Shamoon attacks against Saudi Arabian government targets in 2012 and 2016. In October, Treasury advised financial institutions to watch out for Iranian state actors exploiting digital currencies “to evade sanctions and gain access to the international financial system and to conceal their nefarious actions.” Tehran has stated outright that it planned to use digital currency to resist U.S. sanctions pressure, even announcing plans to create a national Iranian cryptocurrency. Treasury appears to be taking seriously any steps Iran may take to gain capital through alternative financial platforms.

Designating Khorashadizadeh and Ghorbaniyan’s Bitcoin addresses shows that digital currencies are not outside Treasury’s reach, but it has some technical constraints that will limit its impact. Whereas banks can freeze an account designated by Treasury, there is no outside party that can freeze a digital currency wallet (which may contain multiple digital currency addresses) and stop it from exchanging funds unless one possesses the wallet’s private key. While the designation raises the public profile of the addresses and is likely to deter incoming transactions, it is relatively easy to create new addresses with freely available software.

Treasury’s listing of these addresses is most relevant for cryptocurrency exchange websites that buy and sell various digital currencies. OFAC’s designation calls for secondary sanctions, so even exchanges that might not fall under U.S. jurisdiction could be targeted with Treasury action for providing financial services to the two designated Iranian individuals. CSIF analysis of the digital addresses listed by Treasury shows that the wallets listed in the SDN announcement are largely inactive; however, it is possible to follow the flow of illicit funds from those wallets into other addresses. By listing the addresses, OFAC has provided exchanges with the information necessary to flag transactions involving these addresses on their exchange platform.

In addition to watching out for customer transactions with the listed addresses, exchanges will likely need to conduct analysis to identify any additional wallets that may be controlled by the Iranian exchangers. Treasury’s move makes it clear that malevolent actors hiding behind digital currency transactions, and those that support these activities, may also find themselves in Treasury’s crosshairs.

Yaya J. Fanusie is director of analysis at the Foundation for Defense of Democracies’ Center on Sanctions and Illicit Finance. Follow him on Twitter at @SignCurve. Trevor Logan is a cyber research associate at the Foundation for Defense of Democracies’ project on Cyber-Enabled Economic Warfare. Follow him on Twitter at @TrevorLoganFDD.

Follow FDD on Twitter @FDD and follow FDD’s Center on Sanctions and Illicit Finance @FDD_CSIF. FDD is a Washington-based, nonpartisan research institute focusing on national security and foreign policy.


Cyber Cyber-Enabled Economic Warfare Iran Iran Sanctions Sanctions and Illicit Finance