On 21 September 2021, the United States Department of the Treasury announced that it will sanction Czech Republic and Russia-based virtual currency exchange SUEX OTC for its part in facilitating financial transactions for ransomware attacks. Further, the Department of Treasury’s Office of Foreign Assets Control (OFAC) also issued the Updated Advisory on potential sanctions risks for facilitating ransomware payments in efforts to counter ransomware.
This announcement is the latest in a series of steps taken by the U.S. government to counter a recent wave of disruptive ransomware attacks. In the official press release detailing the actions taken by U.S. regulators to counter ransomware, the U.S. Department of Treasury noted that roughly $400 million in ransom was paid to malicious cyber actors in 2020, more than four times the 2019 amount. In fact, on 30 June 2021, the United States Financial Crimes Enforcement Network (FinCEN) issued its first National AML/CFT Priorities list, in which virtual currency considerations were listed as one of the top priorities. Within the section ‘Cybercrime, including relevant Cybersecurity and Virtual Currency Considerations,’ FinCEN noted that the Department of Treasury is particularly concerned about ransomware attacks, as criminals are targeting different sectors using new, innovative, and sophisticated methods.
During his speech at the Aspen Security Forum, SEC Chairman Gary Gensler observed that crypto is most often used as a means of exchange in the context of illegal transactions and “has also enabled extortion via ransomware as we’ve seen recently in Colonial Pipeline and elsewhere.” He urged Congress to dedicate more resources to prevent crypto-related transactions, products, and platforms from falling through the regulatory gap. In July, the U.S. Department of State released an official statement offering a reward of up to $10 million to any person who provides information leading to the identification or location of any person engaged in foreign government-sanctioned malicious cyber activity, including ransomware attacks against U.S. critical infrastructure, in violation of the Computer Fraud and Abuse Act (CFAA).
Sanctions Issued Against SUEX
As per the official press release, the Treasury’s enforcement action against SUEX advances “the U.S. government’s broader counter ransomware strategy, which emphasizes the need for a collaborative approach to counter ransomware attacks, including the partnership between the public and private and close relationships with partners.”
According to the Treasury, SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants. Analysis of known transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors.
Merkle Science’s analysis shows that the funds received by the sanctioned wallets were quickly zeroed out and moved on to various other wallets, usually within the same month. This pattern is typical of bad actors, who do not want to keep funds in the same wallet for long: blockchain analytics companies can now de-anonymize wallets and trace funds back to the bad actors, who may be caught or may simply lose access to the funds.
SUEX has been added to the list of Specially Designated Nationals (SDN), disallowing U.S. entities and citizens from doing business with the exchange. Therefore, under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), U.S. citizens and entities are prohibited from engaging in transactions, directly or indirectly, with SUEX. Additionally, SUEX no longer has access to its property and interests in property that fall under U.S. jurisdiction. This block also extends to any entity in which SUEX owns a controlling stake (50% or more).
While the Treasury acknowledged that most virtual currency activity is licit and that some exchanges are merely exploited by malicious actors, in this instance SUEX aided the ransomware actors for its own illicit gain.
The OFAC Releases Updated Advisory to Combat Ransomware
The OFAC issued the updated advisory to “highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be mitigating factors in any related enforcement action.” The guidance strongly discourages private companies and citizens from paying ransom or extortion demands.
The OFAC further stated that U.S. entities, such as financial institutions and crypto exchanges, that facilitate ransomware payments to attackers on behalf of ransomware victims violate OFAC regulations and will be held accountable under strict liability.
Merkle Science’s On-Chain Analysis
In total, only 12 Bitcoin addresses are sanctioned. Ten out of the 12 addresses are the user deposit addresses from two prominent exchanges. The sanctioned addresses received more than $489 Million worth of BTC.
The graph below shows monthly deposits (green) and withdrawals (red) from the 12 sanctioned BTC addresses. The first transaction made to the sanctioned addresses happened in January 2018 and the most recent transaction happened in August 2021.
Analysis of the sanctioned addresses showed that most of them received funds from various illicit entities, such as darknet markets, coin mixers and other sanctioned addresses.
Of the total funds that the sanctioned addresses received from illicit entities, more than 86% came from the Russia-based Hydra Market, one of the largest darknet marketplaces. In addition, funds were indeed transferred from ransomware entities to SUEX’s sanctioned addresses to launder the ransom proceeds. Merkle Science’s analysis also confirmed interactions between coin mixers and the sanctioned addresses, indicating that the actors behind these addresses are well aware of coin mixing services and have been using them extensively to hide and obfuscate the flow of the funds they have been laundering.
Ethereum Addresses Analysis
In total, the Treasury sanctioned four unique Ethereum addresses. Three out of the four sanctioned addresses are user deposit addresses of a prominent crypto exchange.
The sanctioned Ethereum addresses have received more than $24 Million worth of ETH and $261 Million worth of USDT. The first transaction to the addresses was made in November 2017 while the most recent transaction happened in May 2021.
The sanctioned addresses have received more than $3,000 of funds from scam entities. These addresses also received funds from multiple well-known exchanges.
Monthly deposits (green) and withdrawals (red) of ETH in USD for the four Ethereum addresses:
Monthly Incoming Volume (ETH+USDT) for the mentioned Ethereum addresses.
Why Merkle Science
Merkle Science’s source-of-funds transaction monitoring tool can accurately identify the proceeds of ransomware payments, making it harder for ransomware actors to launder the proceeds of their illegal activity. Merkle Science’s block monitor tool can be used to detect ransomware transactions. For example, if an address receives payments of similar amounts from many different counterparties, the address is immediately flagged and escalated to compliance teams. Further, any rule created can be combined with other rules, such as a range-bound transaction rule, to identify whether the address is receiving many payments of similar size, which may indicate a scam. Ultimately, putting more conditions into a rule makes it difficult for an attacker to satisfy all of them, thereby reducing the chance of them engaging in criminal activity.
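As an added illustration (not Merkle Science’s code or its actual rule engine), the following Python sketch applies the two rules described above to constructed sample transactions: a similar-amount rule that counts distinct counterparties, combined with a range-bound rule. The thresholds, the similarity tolerance and the ransom-size band are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample transactions: (txid, sender, receiver, amount in BTC).
# "collector_1" mimics a ransom collection address, "collector_2" a single
# whale topping up one account, "merchant_x" ordinary retail, "dust_sink" spam.
SAMPLE_TXS = [
    ("tx01", "victim_a", "collector_1", 0.50),
    ("tx02", "victim_b", "collector_1", 0.51),
    ("tx03", "victim_c", "collector_1", 0.49),
    ("tx04", "victim_d", "collector_1", 0.50),
    ("tx05", "victim_e", "collector_1", 0.52),
    ("tx06", "shopper_1", "merchant_x", 0.01),
    ("tx07", "shopper_2", "merchant_x", 2.30),
    ("tx08", "shopper_3", "merchant_x", 0.75),
]
SAMPLE_TXS += [(f"tx{n}", "whale_1", "collector_2", 0.50) for n in range(9, 14)]
SAMPLE_TXS += [(f"tx{n}", f"spammer_{n}", "dust_sink", 0.0001) for n in range(14, 19)]


def group_incoming(txs):
    """Map each receiving address to its list of (sender, amount)."""
    incoming = defaultdict(list)
    for _, sender, receiver, amount in txs:
        incoming[receiver].append((sender, amount))
    return incoming


def similar_amount_rule(deposits, min_counterparties=5, tolerance=0.10):
    """Many distinct senders paying roughly the same amount (within
    +/- tolerance of the median deposit). Repeated payments from one
    sender count once, so a single whale does not trigger the rule."""
    med = median(amount for _, amount in deposits)
    senders = {s for s, a in deposits if abs(a - med) <= tolerance * med}
    return len(senders) >= min_counterparties


def range_bound_rule(deposits, low=0.1, high=5.0):
    """Every deposit falls inside the assumed ransom-sized band [low, high]."""
    return all(low <= amount <= high for _, amount in deposits)


def flag_addresses(txs):
    """Combine the rules: escalate only addresses that satisfy both."""
    return sorted(addr for addr, deposits in group_incoming(txs).items()
                  if similar_amount_rule(deposits) and range_bound_rule(deposits))


if __name__ == "__main__":
    print(flag_addresses(SAMPLE_TXS))  # ['collector_1']
```

The dust-sink address shows why the combination matters: it passes the similar-amount rule on its own but is dropped by the range-bound rule.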