Two Iranians who reportedly helped exchange Bitcoin ransom payments into Iranian rial on behalf of Iranian malicious cyber actors were caught when their Bitcoin addresses were identified by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC). This serves as an important reminder that Bitcoin is not anonymous but pseudonymous, and that this pseudonymity can be used to track transactions.
The money comes from the SamSam ransomware scheme, which since 2015 has targeted over 200 known victims, including corporations, hospitals, universities, and government agencies, in the United States, United Kingdom, and Canada. The malicious actors held their victims’ data hostage in order to collect ransom, paid in bitcoin. The two identified Bitcoin addresses (149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V) connected to this scheme have reportedly seen over 7,000 bitcoin transactions through various cryptocurrency exchanges, converting around 6,000 BTC into Iranian rial. OFAC clarifies, however, that not all of those funds stem from the SamSam scheme.
Supposedly, the two addresses belong to Ali Khorashadizadeh and Mohammad Ghorbaniyan, who were “central to the SamSam ransomware scheme’s success,” according to OFAC. This is also the first time that the Office has publicly attributed crypto addresses to individuals, and it warns, “Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.” The release also adds, “As a result of today’s action, persons that engage in transactions with Khorashadizadeh and Ghorbaniyan could be subject to secondary sanctions.”
Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker said, “Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims […] We are publishing digital currency addresses to identify illicit actors operating in the digital currency space.”
The term “pseudonymity,” often used to describe Bitcoin’s modus operandi, derives from pseudonym, meaning “false name.” In other words, you are using a fake name that can still be traced back to you; you are not completely anonymous (“nameless”). The original Bitcoin whitepaper recommended that users generate a new address for each transaction so that their transactions cannot be linked to a common owner. However, there are still ways to trace these transactions as well. Many cryptocurrencies (so-called privacy coins) exist for the sole reason of “correcting” pseudonymity, as it is often seen as a weakness of Bitcoin, with the most popular example being Monero.
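To make the pseudonymity point concrete, here is an added example (not from the article or from OFAC) of the kind of sanctions screening an exchange might run: it flags transactions that touch the two listed addresses directly, and also those touching a fresh address that was spent together with a listed one, using the common-input-ownership heuristic. The transactions and all addresses other than the two OFAC-listed ones are constructed for illustration.

```python
# The two Bitcoin addresses OFAC attributed to the named individuals (from the article).
OFAC_LISTED = {
    "149w62rY42aZBox8fGcmqNsXUzSStKeq8C",
    "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V",
}

# Constructed sample transactions, not real chain data: each lists the addresses
# that funded it (inputs) and the addresses it paid (outputs).
SAMPLE_TXS = [
    {"txid": "c1", "inputs": ["1VictimPaysRansom"],
     "outputs": ["149w62rY42aZBox8fGcmqNsXUzSStKeq8C"]},
    # A "fresh" address is spent in the same transaction as the listed one.
    {"txid": "c2", "inputs": ["149w62rY42aZBox8fGcmqNsXUzSStKeq8C", "1FreshChangeAddr"],
     "outputs": ["1ExchangeDepositA"]},
    {"txid": "c3", "inputs": ["1FreshChangeAddr"], "outputs": ["1ExchangeDepositB"]},
    {"txid": "c4", "inputs": ["1UnrelatedUser"], "outputs": ["1Merchant"]},
]


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: addresses spent together as inputs of one
    transaction are assumed to share an owner. Returns address -> cluster root."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    for tx in txs:
        root = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            other = find(addr)
            if other != root:
                parent[other] = root
    return {a: find(a) for a in parent}


def screen(txs, listed):
    """Return txid -> 'direct' (touches a listed address), 'cluster' (touches an
    address clustered with a listed one) or 'clear'."""
    roots = cluster_by_common_input(txs)
    flagged_roots = {roots[a] for a in listed if a in roots}
    result = {}
    for tx in txs:
        addrs = set(tx["inputs"]) | set(tx["outputs"])
        if addrs & listed:
            result[tx["txid"]] = "direct"
        elif any(roots.get(a) in flagged_roots for a in addrs):
            result[tx["txid"]] = "cluster"
        else:
            result[tx["txid"]] = "clear"
    return result
```

Transaction c3 never mentions a listed address, yet it is flagged because 1FreshChangeAddr was co-spent with one in c2; this is why a new address per payment reduces, but does not eliminate, linkability.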
This is also not the first time that the US has cracked down on crypto criminals: only recently, a crypto trader received 15 months of prison time for misappropriating more than USD 1.1 million worth of Bitcoin and Litecoin.