Wednesday, December 11, 2024

On March 14, the Financial Action Task Force (FATF) released a landmark report – “Tackling Ransomware Financing” – which aims to equip the private and public sector with insight into preventing financial crime related to ransomware attacks. On the back of that report, last week we described how blockchain analytics can help identify and disrupt the money laundering techniques ransomware attackers use to hide the proceeds of their crimes.

This week, we look at another aspect of financial crime risk related to ransomware: the growing implications of sanctions involving ransomware attackers and their support networks.

It is critical that compliance teams at cryptoasset exchanges and financial institutions implement robust screening solutions and practices to ensure they can detect ransomware-related sanctions risks.

Ransomware: the link to sanctions

The link between ransomware and financial and economic sanctions first became apparent in May 2017 with the launch of the WannaCry ransomware attack, which infected hundreds of thousands of computers worldwide and caused billions of dollars in damage to affected businesses and organizations.

The attack was soon attributed to the Lazarus Group – a North Korean cybercrime gang – which used cybercrime as a way to raise funds for North Korea’s cash-starved regime. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) later sanctioned the Lazarus Group, prohibiting US persons from making or facilitating payments to the group.

In November 2018, OFAC took significant action when it sanctioned two Iranian nationals accused by the US of laundering Bitcoin on behalf of ransomware perpetrators. As part of that action, OFAC included two Bitcoin addresses belonging to Iranian money launderers on its list of Specially Designated Nationals and Blocked Persons (SDN list). It was the first time OFAC had ever included crypto addresses on the SDN list and sent a clear message that the US would seek to disrupt the crypto activities that enabled crimes like ransomware.

In October 2020, OFAC issued guidance titled “Potential Risks of Ransomware Payment Facilitation Sanctions,” which it later updated in September 2021. The guidance was intended to clarify for the private sector and individuals the potential implications of sanctions they may face when making or facilitating ransomware payments.

The guidance clarifies that US persons are prohibited from making or facilitating ransomware payments to sanctioned entities or individuals, or ransomware campaigns undertaken by individuals in sanctioned jurisdictions. OFAC also warned that ransomware payments could lead to sanctions violations if those payments ultimately benefit the sanctioned person or jurisdiction, even if that connection is not apparent at the time the payment is made.

As the volume of ransomware attacks grew throughout 2021 and 2022, so did OFAC’s response. Between September 2021 and April 2022, the agency sanctioned three cryptoasset exchanges registered in Eastern Europe – SUEX, Chatex and Garantex – which it accused of laundering cryptocurrencies on behalf of ransomware gangs. In April 2022, OFAC also sanctioned the Hydra darknet marketplace, which played a key role in facilitating activity on behalf of ransomware gangs and their affiliates before being taken down by German law enforcement.

In February 2023, OFAC took a coordinated, joint action together with the United Kingdom’s Office of Financial Sanctions Implementation (OFSI) to target ransomware perpetrators. OFAC and OFSI sanctioned seven Russian nationals allegedly linked to the Trickbot malware, which is also linked to the Conti and Ryuk ransomware campaigns. Although neither OFAC nor OFSI included crypto addresses belonging to these individuals on their sanctions lists, we identified 53 addresses in Elliptic belonging to six of the seven sanctioned cybercriminals.

Key red flags and risk indicators

As sanctions authorities like OFAC and OFSI increasingly target ransomware gangs and their support networks, it is critical that compliance teams can identify the related transaction typologies and red flags. Some key red flags include:

  • direct transactions with crypto wallets of sanctioned cybercriminals;
  • transactions sent through intermediary unhosted wallets that have significant exposure to the wallets of sanctioned cybercriminals;
  • use of “peeling chain” techniques to transfer funds through numerous intermediary wallets in order to break the link back to the original source of funds;
  • transactions involving cryptoasset exchanges sanctioned by OFAC for supporting ransomware gangs;
  • transactions involving cryptoasset exchanges in high-risk ransomware-related jurisdictions, such as Russia and Iran;
  • transactions involving cryptoasset exchanges with weak or no anti-money laundering and counter-terrorist financing (AML/CFT) controls;
  • frequent use of anonymization services – such as mixers and privacy wallets – known to facilitate transfers for ransomware attackers, such as the ChipMixer service recently dismantled by law enforcement;
  • transfers made to coin-swap services that allow users to exchange Bitcoin for privacy-enhanced cryptocurrencies such as Monero; and
  • transfers made through one or more cross-chain or cross-asset services, which may indicate “chain-hopping” money laundering typologies.

Sanctions compliance with Holistic Screening

Detecting sanctions-linked ransomware activity requires access to blockchain analytics solutions that can identify these and other risk indicators. It is especially important that compliance teams can identify instances where funds are swapped between assets and across blockchains with the involvement of sanctioned actors.

Elliptic’s unique Holistic Screening capabilities enable detection of these risks, ensuring compliance teams can identify exposure to sanctioned entities in their clients’ transactions. Ransomware attackers can use services such as decentralized exchanges (DEXs), which allow them to swap funds seamlessly between assets, and cross-chain bridges, which allow the movement of funds across different blockchains, to obscure the link between their activity and sanctioned entities.

To understand the importance of holistic screening in detecting the risk of ransomware-related sanctions, consider the following scenario:

A client of a cryptoasset exchange withdrew Bitcoin to a private wallet. When screening that private Bitcoin wallet with a blockchain analytics tool that can only display sanctions risk for a single asset, the exchange determines that there are no risks associated with the transaction. This is illustrated in the image below.

[Image: ransomware1]

However, when we use Elliptic’s unique Holistic Screening capabilities, we can go deeper.

In this case, it turns out that the funds did not stop at the Bitcoin wallet, but were transferred onward and exchanged for Ether through a cross-chain bridge service. After the conversion to Ether, the funds were swapped again for Dai and Tether stablecoins on a DEX. From there, the funds were sent to the OFAC-sanctioned cryptoasset exchange Garantex. This transfer sequence is illustrated in the figure below.

[Image: ransomware2]

This is an increasingly common typology of money laundering used by ransomware attackers, as we highlighted in more detail in our briefing note on the Conti gang. With Elliptic’s Holistic Screening solutions, compliance teams can gain insight into these activities seamlessly through a single check, enabling them to respond to transactions efficiently and at scale, for example by closing or blocking accounts associated with sanctions-related activity.

[Image: ransomware3]

This picture from Elliptic Navigator shows the flow of funds from the ransomware attacker’s Ethereum address (black circle on the left) and the subsequent trace after the funds were converted to Dai and Tether, before being deposited into Garantex, an OFAC-sanctioned exchange (represented by the green circle on the right).
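The difference between a single-asset screen and a holistic one, and the "indirect exposure through intermediary unhosted wallets" red flag listed earlier, come down to how far the screening logic is willing to follow a flow of funds. The following Python is an added illustration written for this page; it is not Elliptic's code and does not reproduce how Elliptic Navigator or Holistic Screening work internally. Every address, label and transfer in it is constructed, and the sanctioned-entity label is a placeholder rather than a real list entry. It builds a small transfer graph mirroring the scenario above (BTC withdrawal, bridge to ETH, DEX swap to a stablecoin, deposit to a sanctioned exchange) and screens the same withdrawal address twice: once following only BTC hops, once crossing bridge and swap hops as well.

```python
"""Constructed example: screening a withdrawal for exposure to a sanctioned
entity, first following only same-asset hops, then holistically across
bridge and DEX-swap hops.  All addresses, labels and transfers are invented."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str    # sending address (constructed label, not a real address)
    dst: str    # receiving address (constructed label)
    asset: str  # asset that moves on this hop
    via: str    # "transfer", "bridge" or "dex_swap"


# Constructed ledger mirroring the scenario in the text.
LEDGER = [
    Transfer("exchange_hot_wallet", "btc_unhosted_1", "BTC", "transfer"),
    Transfer("btc_unhosted_1", "btc_unhosted_2", "BTC", "transfer"),   # clean branch
    Transfer("btc_unhosted_1", "bridge_btc_side", "BTC", "bridge"),
    Transfer("bridge_btc_side", "eth_unhosted_1", "ETH", "bridge"),    # cross-chain hop
    Transfer("eth_unhosted_1", "dex_pool", "ETH", "dex_swap"),
    Transfer("dex_pool", "eth_unhosted_2", "USDT", "dex_swap"),        # cross-asset hop
    Transfer("eth_unhosted_2", "sanctioned_exchange_deposit", "USDT", "transfer"),
]

# Constructed attribution: a deposit address tagged as belonging to a
# sanctioned entity.  Placeholder label, not a real SDN-list entry.
SANCTIONED = {"sanctioned_exchange_deposit": "SANCTIONED_EXCHANGE_PLACEHOLDER"}


def build_index(ledger):
    """Outgoing-edge index: address -> list of Transfer leaving it."""
    out = defaultdict(list)
    for t in ledger:
        out[t.src].append(t)
    return out


def trace_exposure(start, ledger, sanctioned, *, single_asset=None, max_hops=10):
    """Breadth-first search forward from `start`.  Returns the shortest list of
    hops reaching a sanctioned address, [] if `start` itself is sanctioned,
    or None if nothing is reached within `max_hops`.

    single_asset=None follows every hop (holistic); single_asset="BTC"
    refuses hops in any other asset, which is what a single-asset screen
    effectively does when funds cross a bridge or a DEX."""
    out = build_index(ledger)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if addr in sanctioned:
            return path
        if len(path) >= max_hops:
            continue
        for hop in out.get(addr, []):
            if single_asset is not None and hop.asset != single_asset:
                continue
            if hop.dst in seen:
                continue
            seen.add(hop.dst)
            queue.append((hop.dst, path + [hop]))
    return None


def screen_withdrawal(address, ledger, sanctioned, *, single_asset=None):
    """Summarise the screening result for a compliance reviewer."""
    path = trace_exposure(address, ledger, sanctioned, single_asset=single_asset)
    if path is None:
        return {"exposed": False, "hops": 0, "entity": None, "assets_crossed": []}
    entity = sanctioned[path[-1].dst] if path else sanctioned[address]
    assets = []
    for hop in path:                       # collapse consecutive same-asset hops
        if not assets or assets[-1] != hop.asset:
            assets.append(hop.asset)
    return {"exposed": True, "hops": len(path), "entity": entity,
            "assets_crossed": assets}


if __name__ == "__main__":
    # Single-asset screen of the BTC withdrawal address: no exposure found.
    print(screen_withdrawal("btc_unhosted_1", LEDGER, SANCTIONED, single_asset="BTC"))
    # Holistic screen of the same address: exposure five hops away via BTC -> ETH -> USDT.
    print(screen_withdrawal("btc_unhosted_1", LEDGER, SANCTIONED))
```

The single-asset run stops at the bridge because the next hop is denominated in ETH, so the withdrawal looks clean; the holistic run crosses the bridge and the swap and reports the sanctioned deposit five hops downstream, together with the sequence of assets the funds passed through, which is the "chain-hopping" pattern the red-flag list describes. The `max_hops` bound is the practical knob here: too small and indirect exposure through intermediary unhosted wallets is missed, too large and every screen becomes expensive and noisy.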

Achieving scalable, efficient sanctions compliance

Identifying ransomware activity is an essential part of ensuring comprehensive compliance with sanctions requirements.

Contact us to learn more about how Elliptic’s blockchain analytics solutions can enable you to meet your sanctions compliance obligations.
