Treasury sanctions cryptocurrency platform for working with ransomware payments

The Treasury Department on Tuesday announced sanctions against a cryptocurrency exchange for facilitating transactions involving money illegally gained via ransomware hacking, the first action of its kind.

The sanctions against Russia-based exchange Suex are a significant step by the Biden administration in making it harder for cybercriminals to access payments, with the ultimate goal of disrupting the rapid rise of ransomware attacks. (The government did not disclose which hacking groups allegedly laundered their funds through the service.)

“Exchanges like Suex are critical to attackers’ ability to extract profits from ransomware attacks. This action is a signal of our intention to expose and disrupt illicit infrastructure using these attacks,” said Wally Adeyemo, deputy secretary of the Treasury Department.

Over 40% of Suex’s transactions are associated with illegal activity, according to the Treasury Department. The new sanctions block all of Suex’s property and business interests in the U.S. and threaten additional sanctions for any individuals who engage with the platform.

The exchange has received over $160 million from ransomware actors and other cybercriminals, according to cryptocurrency analysis firm Chainalysis. An analysis of Suex’s activity shows that multiple deposit addresses belonging to the exchange were included in a group of just 273 addresses identified by Chainalysis as receiving 55 percent of all funds sent from illicit addresses in 2020.

The firm could not immediately be reached for comment.

The Treasury Department’s Office of Foreign Assets Control has sanctioned organizations associated with supporting ransomware before. In 2019 the U.S. government sanctioned Evil Corp., a Russia-based cybercriminal organization behind the Dridex malware that was used to steal more than $100 million across 40 countries.

Treasury will prioritize going after the narrow subset of cryptocurrency exchanges that make up a disproportionate amount of illegal activity, Adeyemo said. By laundering cryptocurrency through specific exchanges, hackers aim to hide their activity and disguise any digital evidence trail.

“We’re going to continue to look within this ecosystem…and look for other actions we can take to deter those who facilitate these types of payments, given the importance to protecting our national security and our economy,” said Adeyemo.

Treasury will also investigate cryptocurrency mixers, a technology that mixes cryptocurrency with multiple funds in order to mask its source. The Justice Department in April arrested a Russian-Swedish national, for allegedly laundering $335 million in cryptocurrency through “Bitcoin Fog” mixer, a cryptocurrency service notorious for laundering money for cybercriminals. The Financial Crimes Enforcement Network, an investigative arm of the Treasury Department, has also fined mixers for violating banking regulations designed to protect against money laundering.

OFAC also Tuesday issued an update on its 2020 ransomware guidance, strongly discouraging the payment of ransom attacks or extortion. The advisory encourages victims to report incidents to law enforcement and cooperate with investigations. Early reporting and cooperation will be considered by OFAC in deciding whether to pursue sanctions against victims who decide to pay ransom, said Adeyemo.

Ransomware attacks, which have more than doubled in recent years, pose a significant national security threat to America’s critical infrastructure, U.S. national security officials have concluded.

A ransomware gang thought to be based in Russia attacked an Iowa grain cooperative, the company said Monday, in the latest potential threat to the American supply chain brought by cybercriminals. In two separate attacks earlier this year, hackers brought down major fuel provider Colonial Pipeline as well as meat-supplier JBS.

Anne Neuberger, deputy national security advisor for cyber and emerging technology at the National Security Council, told reporters that the White House is monitoring the latest attack on the Iowa grain cooperative, but has not attributed the attack or found any major impact.

The new sanctions follow a flurry of actions from the Biden administration aimed at disrupting a ransomware crisis that threatens America’s critical infrastructure. That includes ongoing conversations with Russia, a known harbor for cybercriminal activity, and discussions with other global leaders.

The White House will next month host a meeting with international partners next month to discuss ransomware and holding jurisdictions harboring cybercriminals accountable, according to Neuberger. Officials have said that global cooperation is essential in reining in cybercrime.

Sanctioning platforms like Suex could put pressure on cryptocurrency exchanges who operate in a gray legal to finally invest in compliance to guard against the illicit activity, said Michael Phillips, chief claims officer at cybersecurity insurance firm Resilience.

“The cryptocurrency financial system is extraordinarily networked,” said Phillips. “So sanctioning those bad actors puts pressure on actors who may be operating in a grayer space, who may be inclined to start to invest in compliance if they know they have to do it.”

Updated 9/21/21: to include additional analysis.