The US Treasury's Office of Foreign Assets Control (OFAC) has added two Bitcoin addresses to its sanctions list, attributing them to two Iran-based exchangers who, according to Treasury, helped cyber actors profit from ransomware payments. This is the first time OFAC has publicly attached specific digital currency addresses to designated individuals; the sanctions are on the people, with the addresses published as identifiers for compliance screening. On the same day, the Department of Justice unsealed an indictment against two other Iranians it says ran the ransomware itself.
Excerpt from US Treasury press release:
Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for First Time Identifies Associated Digital Currency Addresses
“Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims. As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes,” said Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker. “We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives.”
...today’s action marks the first time OFAC is publicly attributing digital currency addresses to designated individuals. Like traditional identifiers, these digital currency addresses should assist those in the compliance and digital currency communities in identifying transactions and funds that must be blocked and investigating any connections to these addresses. As a result of today’s action, persons that engage in transactions with Khorashadizadeh and Ghorbaniyan could be subject to secondary sanctions.
Of the two referenced Bitcoin addresses, one has been empty since 2017 and the other was drained a little over two weeks ago.
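As an added illustration (not code from the original post, and not anything Treasury publishes), here is what screening transactions against an OFAC-style list of designated Bitcoin addresses looks like in Python. Every address and transaction below is a constructed placeholder; none is one of the addresses actually identified in the action. The list entries are Base58Check-decoded before matching, so a mistyped or corrupted entry is rejected loudly rather than silently never matching anything.

```python
import hashlib

# Added example: screening Bitcoin transactions against an OFAC-style list
# of designated addresses. Not code from the original post or from Treasury.
# All addresses and transactions here are CONSTRUCTED for illustration.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version: int, hash160: bytes) -> str:
    """Encode a legacy address (version 0x00 = P2PKH, 0x05 = P2SH)."""
    payload = bytes([version]) + hash160
    raw = payload + _checksum(payload)
    num = int.from_bytes(raw, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    # Each leading zero byte of the raw payload becomes a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(addr: str):
    """Return (version, hash160) for a checksum-valid legacy address, else None."""
    num = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet
        num = num * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25 or _checksum(raw[:21]) != raw[21:]:
        return None  # wrong length or checksum mismatch: typo or corruption
    return raw[0], raw[1:21]


def load_designated(entries):
    """Canonicalise SDN-style list entries; return (lookup table, rejected entries)."""
    designated, rejected = {}, []
    for entry in entries:
        addr = entry.strip()
        decoded = b58check_decode(addr)
        if decoded is None:
            rejected.append(addr)  # surface bad list data instead of ignoring it
            continue
        designated[decoded] = addr
    return designated, rejected


def screen_transaction(tx, designated):
    """Return (direction, listed address) hits for one transaction.

    tx is {"txid": str, "inputs": [addr, ...], "outputs": [addr, ...]}.
    Both sides are checked: receiving from a designated address is a hit too.
    """
    hits = []
    for direction in ("inputs", "outputs"):
        for addr in tx[direction]:
            decoded = b58check_decode(addr.strip())
            if decoded is not None and decoded in designated:
                hits.append((direction, designated[decoded]))
    return hits


def screen_all(txs, entries):
    """Screen every transaction; return ({txid: hits}, rejected list entries)."""
    designated, rejected = load_designated(entries)
    return {tx["txid"]: screen_transaction(tx, designated) for tx in txs}, rejected


def fake_hash160(label: str) -> bytes:
    """CONSTRUCTED 20-byte payloads for the demo; not derived from any real key."""
    return hashlib.sha256(label.encode()).digest()[:20]


# Constructed sample data: two "designated" addresses, one unrelated address,
# and a list entry with its last character altered (simulating a typo).
DESIGNATED_ADDR_A = b58check_encode(0x00, fake_hash160("designated-exchanger-1"))
DESIGNATED_ADDR_B = b58check_encode(0x05, fake_hash160("designated-exchanger-2"))
CLEAN_ADDR = b58check_encode(0x00, fake_hash160("unrelated-merchant"))
CORRUPTED_ENTRY = DESIGNATED_ADDR_A[:-1] + ("2" if DESIGNATED_ADDR_A[-1] != "2" else "3")
SDN_LIST = [DESIGNATED_ADDR_A, DESIGNATED_ADDR_B, CORRUPTED_ENTRY]
SAMPLE_TXS = [
    {"txid": "tx-001", "inputs": [CLEAN_ADDR], "outputs": [DESIGNATED_ADDR_A]},
    {"txid": "tx-002", "inputs": [CLEAN_ADDR], "outputs": [CLEAN_ADDR]},
    {"txid": "tx-003", "inputs": [DESIGNATED_ADDR_B], "outputs": [CLEAN_ADDR]},
]

if __name__ == "__main__":
    report, rejected = screen_all(SAMPLE_TXS, SDN_LIST)
    for txid, hits in report.items():
        print(txid, "BLOCK" if hits else "ok", hits)
    print("rejected list entries:", rejected)
```

Matching on the decoded (version, hash160) rather than on raw strings is deliberate: it forces every list entry and every screened address through checksum validation, and it also means an exchange can keep one lookup table for legacy addresses regardless of how the strings were typed or whitespace-padded in the source file.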
Meanwhile, the US Department of Justice also held a press conference today to announce the unsealing of an indictment against two other Iranians, the alleged SamSam ransomware operators, who are distinct from the exchangers named by Treasury.
Excerpt from Rod Rosenstein's remarks:
Deputy Attorney General Rod J. Rosenstein Delivers Remarks at the “SamSam” Ransomware Press Conference
The indictment alleges that the defendants demanded payment from their victims in the form of the virtual currency known as Bitcoin. Bitcoin contributes to the increasing sophistication of criminal schemes. It is a common currency for criminal schemes, including websites that distribute child pornography and deadly opioid drugs, and ransomware and other tools of extortion.
The defendants allegedly communicated with victims using Tor, an encrypted computer network designed to facilitate anonymous communication over the Internet.
We support the use of encryption to safeguard private information and strengthen cybersecurity. But **this case highlights another example of the challenges posed to law enforcement by encryption designed to resist law enforcement.**
Sophisticated encryption technologies like the Tor network are used by cybercriminals to commit serious offenses. These sophisticated technologies pose a real threat to the government’s ability to keep people safe and ensure that criminals and terrorists are caught and brought to justice.
Excerpt from Brian Benczkowski remarks:
Assistant Attorney General Brian A. Benczkowski Delivers Remarks at the “SamSam” Ransomware Press Conference
Most importantly—as you will hear in more detail from my colleagues on the stage—we want to get the word out that every sector of our economy is a potential target of malicious cyber activity. The events described in this indictment highlight the need for businesses, healthcare institutions, universities, and other entities to emphasize cyber security, increase threat awareness, and harden their computer networks.
Excerpt from Fox News article:
Justice Department indicts Iranian nationals for extorting more than $6M from victims across North America
An indictment unsealed in New Jersey on Wednesday alleges Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi hijacked victims’ computer systems and shut them down until the victims paid a ransom. The indictment further says the defendants collected “more than $6 million in extortion payments and caused more than $30 million in losses.”
The six-count indictment alleges that, while in Iran, Savandi and Mansouri used a malware known as “SamSam Ransomware,” which is capable of forcibly encrypting data on the computers of victims. The indictment alleges that, beginning in December 2015, Savandi and Mansouri hacked into the computers of victims through security weaknesses.