Treasury places digital currency addresses on sanctions list

The Treasury Department has publicly flagged two cryptocurrency addresses associated with two Iranian individuals indicted for their role in a worldwide, multimillion dollar ransomware campaign dubbed "SamSam."

The move was announced in conjunction with a criminal indictment unsealed the same day and represents the first time the Office of Foreign Assets Control has ever publicly attributed a digital currency address to individuals in a criminal scheme. It also represents a new step in the federal government's efforts to track money laundering and other criminal activity conducted via anonymous cryptocurrencies.

According to a Treasury release, two Iranian individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan, used a pair of Bitcoin addresses to conduct 7,000 transactions worth millions of dollars and helped two other Iranian individuals indicted by the Department of Justice convert digital coins derived from the SamSam ransomware attacks into Iranian rial.

The department also released updated guidance around how businesses should treat and block digital currencies subject to OFAC sanctions and how and when to notify affected customers.

For the past year, Treasury, DOJ and the IRS have all expressed interest in stepping up regulation and monitoring of cryptocurrencies, with officials arguing that they are playing an increasing role in a range of cyber and financial crimes and make it more difficult to track financial transactions. Earlier this year, the IRS partnered with Canada, the United Kingdom, Australia and the Netherlands to tackle the growing use of cryptocurrencies to launder money, purchase illegal products and evade taxes.

"To prevent virtual currency from being abused by criminals, terrorist financiers, or sanctions evaders, all of us must implement policies that mitigate the risks posed by the new technology," Deputy Attorney General Rod Rosenstein said in a Nov. 18 speech to the Interpol General Assembly.

While the action represents a new step for the federal government's treatment of digital currencies associated with cyber and financial crimes, it's not clear whether flagging the addresses will meaningfully impede any potential future criminal operations by Khorashadizadeh and Ghorbaniyan or other groups who face similar action.

Kimberly Goody, manager for cyber crime analysis at threat intel firm FireEye, told FCW in an email that outing the addresses "might not have much impact, particularly in the long run."

"If they choose to continue operations, the actors could just obtain and use other wallets," said Goody. "Further, public outing of operations generally leads to changes in actor tactics, techniques, and procedures to make attribution of intrusions to them more difficult."