On November 8, 2021, the United States Department of the Treasury sanctioned cryptocurrency exchange Chatex and its associated support network — IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd — for facilitating financial transactions for ransomware actors.
This announcement is the latest in a series of steps taken by the U.S. government to counter a recent wave of disruptive ransomware attacks. In the official press release detailing the actions taken by U.S. regulators to counter ransomware, the U.S. Department of Treasury noted that reported ransomware payments in the United States reached $590 million in the first half of 2021, compared to a total of $416 million in 2020. On 21 September 2021, the Department of Treasury’s Office of Foreign Assets Control (OFAC) also issued its Updated Advisory on the potential sanctions risks of facilitating ransomware payments. The guidance strongly discourages private companies and citizens from paying ransom or extortion demands. OFAC further stated that U.S. entities, such as financial institutions and crypto exchanges, that facilitate ransomware payments to attackers on behalf of ransomware victims violate OFAC regulations and will be held accountable under strict liability.
Sanctions Issued Against Chatex
The U.S. Department of Treasury brought actions against Chatex for facilitating ransomware payouts. According to the Department of Treasury, Chatex claims to have a presence in multiple countries and has facilitated transactions for multiple ransomware payments. Further, the Treasury Department noted that “unprincipled virtual currency exchanges like Chatex are critical to the profitability of ransomware activities, especially by laundering and cashing out the proceeds for criminals.”
Over half of Chatex’s transactions can be directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, coin mixers, and ransomware. In fact, Chatex had direct ties with SUEX OTC; it used SUEX’s function as a nested exchange to perform transactions. Amongst other wrongdoings, Chatex is also being sanctioned for providing material support to SUEX. Nested exchanges are exchanges that operate by setting up accounts on major cryptocurrency exchanges and then act as a middleman of sorts in facilitating transactions. On Sept 21, 2021, the U.S. Department of Treasury brought sanctions against SUEX OTC for facilitating transactions involving illicit proceeds from at least eight ransomware variants. Analysis of known transactions showed that over 40% of SUEX’s known transaction history was associated with illicit actors.
Additionally, three companies, IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd, that set up the infrastructure of Chatex and enabled its operations are also being designated by OFAC. Chatex and its associates have been added to the list of Specially Designated Nationals (SDN). Therefore, under the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. citizens and entities are prohibited from engaging in transactions, directly or indirectly, with SUEX. Additionally, all property and interests in property of Chatex that are subject to U.S. jurisdiction are blocked. This block also extends to any entity in which Chatex owns a controlling stake (50% or more).
Latvia and Estonia Join the Global Fight Against Ransomware
Latvia has taken a definitive step towards ensuring international co-operation in fighting ransomware. Alongside the investigations in the U.S., Latvia also conducted its own investigation. Following an inspection by Latvia’s State Revenue Service, Latvian government authorities suspended the operations of Chatex with immediate effect, assessed a fine for breaches of company registration and business conduct laws and regulations, and will identify current and former Chatextech board members, who are all non-Latvian nationals, in Latvia’s registry of high-risk individuals. Further, the Estonian Financial Intelligence Unit also worked closely with the U.S. to identify the activities of the entities being designated. The U.S. Department of Treasury commended the support given by the Latvian and Estonian governments and stated that it has benefited greatly from their information sharing and swift actions.
U.S. Regulators Double Down on Ransomware Attackers
The U.S. Department of State has also announced a $10 million reward for information leading to leaders of the Sodinokibi/REvil ransomware-as-a-service gangs. Some of REvil’s highest-profile hacks include those of JBS, a major U.S. meat supplier; Quanta, a Taiwanese manufacturer that supplies Apple computers; and Kaseya, a software company. In fact, the Kaseya hack allowed REvil to gain access to hundreds of companies.
The U.S. Treasury Department has designated Ukrainian Yaroslav Vasinskyi (Vasinskyi) and Russian Yevgeniy Polyanin (Polyanin) for their part in perpetrating Sodinokibi/REvil ransomware incidents against the U.S. According to the official press release, Vasinskyi deployed ransomware against at least nine U.S. companies and is also responsible for the activity against Kaseya. Polyanin deployed ransomware targeting several U.S. government entities and private-sector companies. Both Polyanin and Vasinskyi are part of a cybercriminal group that has engaged in ransomware activities and received more than $200 million in ransom payments paid in Bitcoin and Monero.
In a subsequent press briefing, Attorney General Merrick Garland unveiled an indictment against Vasinskyi, as well as his arrest in Poland and pending extradition to the U.S. He also announced the seizure of $6.1 million in bitcoin from Polyanin as well as an indictment against him. In a separate action, the U.S. Department of Treasury listed about 30 sanctioned crypto wallet addresses associated with Chatex. In line with the OFAC SDN list, the sanctioned individuals and addresses have been flagged in our system so that we can further facilitate detection of risk originating from the wallets and transactions linked to Chatex.
Merkle Science’s On-Chain Analysis
In total, 58 addresses were sanctioned. Of these 58 addresses, 38 were Bitcoin (BTC), 12 Ethereum (ETH), 3 Bitcoin Cash (BCH), 1 Litecoin (LTC), and 1 Ripple (XRP). Further, 3 privacy-coin addresses, 2 Monero (XMR) and 1 Dash (DASH), were also sanctioned. Privacy coins are coins that hide any identifying information that could link individuals to a transaction.
Four of the 38 BTC addresses are user deposit addresses at three prominent crypto exchanges. Further, 1 of the 12 ETH addresses, 1 BCH address, and 1 LTC address sanctioned are user deposit addresses at well-known crypto exchanges. Barring the privacy-coin addresses, the other sanctioned addresses have received more than $217 million of crypto in total.
Bitcoin Address Analysis
In total, the 38 sanctioned BTC addresses received more than $48 million worth of BTC. The first transaction to the sanctioned BTC addresses happened in March 2017 and the most recent in November 2021. The chart below shows the monthly incoming value received by the BTC addresses in USD.
These addresses have also sent funds directly to multiple VASP entities. Of the total funds going to VASP entities, more than 87% ($9.83 million) were deposited in a prominent global exchange. Further, funds were withdrawn from these addresses and sent to darknet markets, gambling services, sanctioned addresses, and coin mixers.
The sanctioned BTC addresses have received funds from multiple VASP entities. Of the total funds coming from VASP entities, more than 75% (approximately $3.86 million) came from a well-known exchange. Analysis of the sanctioned addresses also shows that some funds were deposited into them from various illicit entities such as darknet markets, coin mixers, and other sanctioned addresses.
The majority of the illicit funds deposited to and withdrawn from the sanctioned addresses involved the Russian-based darknet marketplace Hydra Market and the Ponzi scheme Finico.
The chart below shows withdrawals to illicit entities, including the well-known coin mixer Wasabi.
The chart below shows the deposit volume by illicit entities:
Analysis of Ethereum Addresses
In total, ETH deposits made to the sanctioned ETH addresses amounted to 3,003.35 ETH, which is roughly $6,268,260.23. Total Tether (USDT) deposits made to these addresses amounted to 163,576,451 USDT, which is around $163,697,920. The first transaction was made in February 2018 and the latest in November 2021.
The chart below shows the monthly incoming volume (ETH + USDT) received by the sanctioned ETH addresses:
The sanctioned ETH addresses have received funds directly from multiple VASP entities. Of the funds coming from VASP entities, more than 58% ($1.54 million) came from a prominent crypto exchange. Further, these sanctioned addresses also sent funds directly to multiple VASP entities; more than 94.6% of those funds ($2.55 million) were deposited into a well-known crypto exchange.
The sanctioned ETH addresses did not receive any deposits from illicit entities; however, withdrawals were made from the ETH addresses to other sanctioned addresses and to gambling services.
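The direct-exposure figures reported for the BTC and ETH addresses above (the share of VASP volume concentrated in one exchange, and the share of deposits and withdrawals touching darknet markets, mixers or other sanctioned addresses) are computed from transfers labelled by counterparty. The following is an added example, not Merkle Science's code or anything from the original post; the addresses, entity labels and USD amounts are constructed placeholders.

```python
from collections import defaultdict
# Constructed placeholder addresses standing in for SDN-listed wallets (not real entries).
WATCHED = {"sdn-addr-1", "sdn-addr-2"}
# Constructed counterparty labels: address -> (category, entity).
LABELS = {
    "exch-a-hot": ("vasp", "Exchange A"),
    "exch-b-hot": ("vasp", "Exchange B"),
    "hydra-dep": ("darknet", "Hydra Market"),
    "wasabi-out": ("mixer", "Wasabi"),
}
# Constructed transfers: (sender, receiver, usd_value).
TRANSFERS = [
    ("exch-a-hot", "sdn-addr-1", 3000.0),  # deposit from a VASP
    ("exch-b-hot", "sdn-addr-2", 1000.0),  # deposit from another VASP
    ("hydra-dep", "sdn-addr-1", 500.0),    # deposit from a darknet market
    ("sdn-addr-1", "exch-a-hot", 8000.0),  # withdrawal to a VASP
    ("sdn-addr-2", "wasabi-out", 2000.0),  # withdrawal to a mixer
    ("sdn-addr-1", "sdn-addr-2", 700.0),   # move between watched addresses
    ("unknown-x", "sdn-addr-2", 250.0),    # deposit from an unlabelled address
]

def direct_exposure(transfers, watched, labels):
    """Sum USD by direction, category and entity for transfers crossing the watched set."""
    by_cat = {"in": defaultdict(float), "out": defaultdict(float)}
    by_entity = {"in": defaultdict(float), "out": defaultdict(float)}
    for src, dst, usd in transfers:
        if dst in watched and src not in watched:
            direction, other = "in", src
        elif src in watched and dst not in watched:
            direction, other = "out", dst
        else:
            continue  # internal move or unrelated transfer: not direct exposure
        cat, entity = labels.get(other, ("unknown", other))
        by_cat[direction][cat] += usd
        by_entity[direction][(cat, entity)] += usd
    return by_cat, by_entity

def top_vasp_share(by_entity, direction):
    """Largest VASP's share of all VASP volume in one direction (the '87% to one exchange' figure)."""
    vasps = {e: v for (c, e), v in by_entity[direction].items() if c == "vasp"}
    total = sum(vasps.values())
    if not total:
        return None, 0.0
    name, usd = max(vasps.items(), key=lambda kv: kv[1])
    return name, usd / total

def illicit_share(by_cat, direction, illicit=("darknet", "mixer", "sanctioned", "gambling")):
    """Fraction of one direction's volume that touches illicit counterparty categories."""
    total = sum(by_cat[direction].values())
    return sum(by_cat[direction].get(c, 0.0) for c in illicit) / total if total else 0.0
```

Unlabelled counterparties are kept in an "unknown" bucket rather than dropped, so the denominators reflect all volume crossing the watched set.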