For the first time, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has traced illicit bitcoin activity to the public addresses of two sanctioned individuals.
According to a November 28, 2018, press release, the department is bringing action against Ali Khorashadizadeh and Mohammad Ghorbaniyan for their alleged involvement in the SamSam ransomware scheme. The two men reportedly helped the hackers behind SamSam convert millions of dollars of ransomed bitcoin to Iranian rials.
“As a result of today’s action, all property and interests in property of the designated persons that are in the possession or control of U.S. persons or within or transiting the United States are blocked, and U.S. persons generally are prohibited from dealing with them,” the release states.
These charges coincide with the U.S. Department of Justice’s indictment of Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, the ringleaders behind the 34-month-long SamSam ransomware attack. Beginning in 2015, the ransomware affected some 200 international entities, including hospitals and government departments in California, Colorado, Georgia and Kansas. The malicious actors used the ransomware to gain administrative control over the victims’ IT servers and sensitive documents, and they leveraged this control to demand bitcoin as ransom.
Khorashadizadeh and Ghorbaniyan helped Savandi and Mansouri process some $6 million in extorted payments. Tracing the illicit activity back to Khorashadizadeh and Ghorbaniyan’s primary Bitcoin public addresses, OFAC found that the two men have executed roughly 7,000 transactions across 40 exchanges since 2013. The department believes that a significant sum of the 6,000 bitcoin either man has handled is related to the SamSam ransomware scheme, indicating that they converted these funds into Iranian rials and deposited them into bank accounts on behalf of Khorashadizadeh and Ghorbaniyan.
The Bitcoin addresses in question are as follows: 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V.
“Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims. As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes. We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives,” Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker said in a statement.
The release goes on to state that “persons that engage in transactions with Khorashadizadeh and Ghorbaniyan could be subject to secondary sanctions.”