
- The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is moving forward with sanctions against two Iranian men and two bitcoin addresses
- The addresses were used to exchange funds collected as ransom from victims of the SamSam ransomware scheme
In a landmark move, the US government has imposed sanctions against a bitcoin address.
According to a press release by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the sanctions were imposed on two Iran-based individuals named Ali Khorashadizadeh and Mohammad Ghorbaniyan.
The sanctions stem from their exchanging of bitcoin for malicious cyber actors involved in the SamSam ransomware scheme. The scheme targeted over 200 individuals, and the two men converted the proceeds into Iranian rials.
The Addresses
The steps taken by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) aren’t only against the men but also against the bitcoin addresses through which the transactions were made.
The two addresses have handled over 7,000 bitcoin transactions and millions of dollars, some of which were proceeds from the SamSam ransomware scheme.
The two men were also indicted for spreading malicious ransomware onto data networks in the United States, United Kingdom, and Canada since 2015.
Bold moves are being taken as a result of the scheme and, for the first time, sanctions are being imposed against a digital currency address.
“We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives,” said Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker.
SamSam
The SamSam ransomware, when it was active, targeted corporations, hospitals, universities, and government agencies.
In total, it affected over 200 victims by holding their data for ransom. It did so by exploiting vulnerabilities in the victims’ data networks and infecting them, thereby granting itself administrator privileges and access to the victims’ data.
The perpetrators would then demand funds in exchange for access to their files and data.
They would demand bitcoin as a form of ransom. The bitcoin was traded through the addresses 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V.
These two addresses were used to conduct over 7,000 transactions with over 40 exchangers.