Readers may remember the SamSam ransomware attack, which cost everyday computer users a total of at least $6 million in BTC, as reported back in August.
Today the US Treasury announced that it had uncovered the names of two Iranians who helped turn the bitcoins acquired in the scam into Iranian currency for the attackers. Their names are Ali Khorashadizadeh and Mohammad Ghorbaniyan. It is now illegal for any US person or business to do business with these two individuals, even if they travel to a country outside of Iran. As a result of the re-imposition of sanctions on Iran, it is illegal to do business in Iran anyhow, but these individuals specifically have earned a place on the Treasury’s Specially Designated Nationals list, and thus even when sanctions are eventually removed, they, in particular, are off-limits for any American.
For the first time, the Treasury also designated the Bitcoin addresses used by the Iranians, 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V, which together have been used in over 7,000 transactions since 2013. The first address has received more than 10,000 BTC altogether. Treasury does not apparently understand the nature and ease of creating new addresses, but the rest of the sanctions apply in any case.
Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.
To wit: US persons are advised not to have any coins going to or from these addresses, or any addresses owned or controlled by Ali Khorashadizadeh and Mohammad Ghorbaniyan.
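An added example, not from the article or from Treasury: a compliance screen in Python that flags any transaction touching either designated address and, to cover the author's point that new addresses are trivial to create, also flags addresses that moved coins to or from the listed ones within a configurable number of hops. The two listed addresses are the ones named above; the txids and counterparty addresses in the sample transactions are constructed.

```python
from collections import deque
from dataclasses import dataclass

# The two addresses OFAC designated, as given in the article (hop 0).
SDN_BTC_ADDRESSES = frozenset({
    "149w62rY42aZBox8fGcmqNsXUzSStKeq8C",
    "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V",
})

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # addresses that fund the transaction
    outputs: tuple  # addresses that receive from it

def build_exposure(txs, seeds, max_hops=1):
    """Map address -> hop distance from a designated address, up to max_hops.
    Two addresses are one hop apart when one funds a transaction the other
    receives from, so a fresh address that moves coins to or from a listed
    one is still caught."""
    neighbours = {}
    for tx in txs:
        for a in tx.inputs:
            neighbours.setdefault(a, set()).update(tx.outputs)
        for b in tx.outputs:
            neighbours.setdefault(b, set()).update(tx.inputs)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:                       # breadth-first, so hops[x] is minimal
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in neighbours.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def screen(tx, hops):
    """'block' on a direct hit, 'review' on indirect exposure, else 'clear'."""
    touched = [hops[a] for a in tx.inputs + tx.outputs if a in hops]
    if not touched:
        return "clear"
    return "block" if min(touched) == 0 else "review"

# Constructed sample ledger: hypothetical txids and counterparty addresses.
SAMPLE_TXS = (
    Tx("tx-a", ("1CustomerPayingRansom",), ("149w62rY42aZBox8fGcmqNsXUzSStKeq8C",)),
    Tx("tx-b", ("149w62rY42aZBox8fGcmqNsXUzSStKeq8C",), ("1FreshAddressOfSameOwner",)),
    Tx("tx-c", ("1FreshAddressOfSameOwner",), ("1ExchangeDepositAddr",)),
    Tx("tx-d", ("1UnrelatedSender",), ("1UnrelatedReceiver",)),
)
```

With `max_hops=2`, tx-a and tx-b are blocked, tx-c (a deposit funded by an address that was itself funded from the listed one) is sent for review, and tx-d is clear.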
Treasury is specifically concerned with US exchanges and persons transacting with Iranians now that the sanctions have been put in place. It says it will “aggressively” crack down on the efforts of Iran and other countries to acquire US dollars and subvert banking blockades through the use of digital currencies. It notes that some US-based exchanges were participants in previous actions of the scammers, but has not announced any further enforcement on those grounds.
Not much is known about the individuals in question besides their transaction histories. The fact that they were using these addresses two years before the ransomware went live in 2015 indicates that they were probably exchanging coins prior to that. Their primary involvement seems to have been the exchanging of Bitcoin for Iranian fiat, called the Rial (currently worth about $0.000024).
The government is amping up its efforts against Iran, noting in its own press release:
Today’s action marks the fourth round of U.S. sanctions targeting the Iranian regime this month. Under this Administration, in less than two years, OFAC has sanctioned more than 900 individuals, entities, aircraft, and vessels, including for a range of activities related to Iran’s support for terrorism, ballistic missile program, weapons proliferation, cyberattacks, transnational criminal activity, censorship, and human rights abuses. This marks the highest-ever level of U.S. economic pressure targeting the Iranian regime. This sanctions pressure campaign is designed to blunt the broad spectrum of the Iranian regime’s malign activities and compel the regime to change its behavior.
Ransomware activity seems to have died down in the past several months, likely due to anti-virus software catching up to the methods used to insert it.
Following the first writing of this article, the Department of Justice issued indictments of two other Iranian men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, for having launched the ransomware attack itself, supporting the reading that the men discussed in this article are merely the fence used by the actual scammers for the ill-gotten bitcoins.
Last modified: January 24, 2020 10:54 PM UTC