US Treasury Dept

First Time in US History: ‘Publicly Attributing’ Crypto / BTC Addresses to Alleged Cybercriminals

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against two Iranian citizens, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who allegedly “helped exchange” bitcoin (BTC) “ransom payments” into Iran’s local currency, the rial.

The two men have been accused of facilitating the crypto-to-fiat transaction “on behalf of Iranian malicious” cybercriminals, who helped carry out the “SamSam ransomware scheme” that reportedly “targeted over 200 known victims.”

US Government: Over 7,000 BTC Transactions Through the Two Addresses

OFAC also identified two crypto addresses linked to “these two financial facilitators.” More than 7,000 BTC transactions, “worth millions of US dollars,” were found to have been conducted through the two addresses.

Notably, a number of those transactions involved “SamSam ransomware derived bitcoin.” Separately, the US Department of Justice has indicted two alleged Iran-based cybercriminals, who have been charged with “infecting numerous data networks” with SamSam ransomware in the UK, Canada, and the US since 2015.

Commenting on the incidents, Sigal Mandelker, the Treasury Under Secretary for Terrorism and Financial Intelligence, said:

“Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims. As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes.”

Mandelker continued:

“We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives.”

The US Department of Treasury’s notice further noted that “SamSam” had victimized many “corporations, hospitals, universities, and government agencies.”

Holding Over “200 Known Victims’ Data Hostage”

The bad actors reportedly held more than “200 known victims’ data hostage” for “financial gains.” As described by the US Department of Treasury:

“To execute the SamSam ransomware attack, cyber actors exploit computer network vulnerabilities to gain access and copy the SamSam ransomware into the network. Once in the network, these cyber actors use the SamSam ransomware to gain administrator rights that allow them to take control of a victim’s servers and files, without the victim’s authorization. The cyber actors then demand a ransom be paid in bitcoin in order for a victim to regain access and control of its own network.”

According to the authority’s notice, the SamSam ransomware “scheme’s success” is attributed in large part to the efforts of Khorashadizadeh and Ghorbaniyan, who facilitated the exchange of BTC for Iranian rials. The two men also helped deposit the resulting fiat currency into local banks in Iran, the post noted.

To convert the cryptocurrency ransom payments into Iranian rials, Khorashadizadeh and Ghorbaniyan used the following addresses:

149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V.

Since 2013, Khorashadizadeh and Ghorbaniyan have reportedly used the two addresses listed above to conduct more than 7,000 transactions and to interact with more than 40 different exchangers, including some based in the US.

Through those exchangers, the two allegedly sent about 6,000 bitcoin worth “millions of USD,” “some of which involved bitcoin derived from SamSam ransomware.”

Notably, this marks the first time OFAC is “publicly attributing digital currency addresses to designated individuals.”

Publishing the addresses should help “in identifying transactions and funds that must be blocked and investigating any connections to these addresses,” the Treasury Department wrote. In practice, that means exchanges and other virtual currency service providers can now screen deposits and withdrawals against the designated addresses just as they screen names against the SDN list.

Those who engage in transactions with Khorashadizadeh and Ghorbaniyan may be “subject to secondary sanctions.”

More details are available in the US Department of the Treasury’s press release on its website.