Tag Archives: U.S. Department of Treasury

U.S. Department of Treasury Sanctions Russian Ransomware Actor



The U.S. Department of the Treasury posted a press release titled: “Treasury Sanctions Russian Ransomware Actor Complicit in Attacks on Police and U.S. Critical Infrastructure”. From the press release:

Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), designated Mikhail Matveev (Matveev) for his role in launching cyberattacks against U.S. law enforcement, businesses, and critical infrastructure. Concurrently, the U.S. District Courts for the District of New Jersey and the District of Columbia unsealed indictments against Matveev. Additionally, the U.S. Department of State announced an award of up to $10 million for information that leads to the arrest and/or conviction of Matveev under its Transnational Organized Crime Rewards Program.

“The United States will not tolerate ransomware attacks against our people and our institutions,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats.”

The press release continued: The impacts of ransomware attacks are far-reaching, with victims experiencing the loss and disclosure of sensitive information and disruption of critical services. Russia is a haven for ransomware actors, enabling cybercriminals like Matveev to engage openly in ransomware attacks against U.S. organizations.

According to analysis conducted by Treasury’s Financial Crimes Enforcement Network (FinCEN), 75 percent of ransomware-related incidents reported between July and December 2021 were linked to Russia, its proxies, or persons acting on its behalf. Russia-linked ransomware variants such as Hive, LockBit, and Babuk, which Matveev helped to develop and deploy, have been responsible for millions of dollars in losses to victims in the United States and around the world. The Hive ransomware group alone has targeted more than 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and other critical infrastructure.

The U.S. Department of Justice released news titled: “Russian National Charged with Ransomware Attacks Against Critical Infrastructure”. From the news:

The Justice Department today unsealed two indictments charging a Russian national and resident with using three different ransomware variants to attack numerous victims throughout the United States, including law enforcement agencies in Washington D.C. and New Jersey, as well as victims in healthcare and other sectors nationwide…

…On or about June 25, 2020, Matveev and his LockBit coconspirators allegedly deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Additionally, on or about May 27, 2022, Matveev and his Hive coconspirators allegedly deployed Hive against a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. On April 26, Matveev and his Babuk coconspirators allegedly deployed Babuk against the Metropolitan Police Department in Washington, D.C…

…Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces over 20 years in prison…

Engadget reported: In April of 2021, for instance, [Matveev] was linked to a Babuk ransomware attack that saw the computers of the Metropolitan Police Department in Washington DC locked out. Last May, Matveev, whose online pseudonyms include Wazawaka, Uhodiransomwar, m1x, and Boriselcin, was allegedly involved in a Hive ransomware attack that targeted a healthcare NGO in New Jersey.

Engadget also reported that the Department of Justice is offering a reward of up to $10 million for information that leads to the arrest of Matveev.

I always find it interesting when more than one official U.S. Department works together on fighting crime, especially when the crime involves ransomware attacks. Ideally, this coordination should make ransomware thieves think twice before (potentially) ending up in prison.


U.S. Department of Treasury Took Actions Against Bittrex



The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) announced settlements for over $24 million and $29 million, respectively, with Bittrex, Inc. (Bittrex), a virtual currency exchange based in Bellevue, Washington. This is OFAC’s largest virtual currency enforcement action to date.

It also represents the first parallel enforcement actions by FinCEN and OFAC in this space. Investigations by OFAC and FinCEN found apparent violations of multiple sanctions programs and willful violations of the Bank Secrecy Act’s (BSA’s) anti-money laundering (AML) and suspicious activity report (SAR) reporting requirements. These enforcement actions emphasize to the virtual currency industry the importance of implementing appropriate risk-based sanctions compliance controls and meeting obligations under the BSA. The failure to take action can result in violations of OFAC and FinCEN regulations and expose exchanges and others in the virtual currency industry to potential abuse by illicit actors.

“When virtual currency firms fail to implement effective sanctions compliance controls, including screening customers located in sanctioned jurisdictions, they can become a vehicle for illicit actors that threaten U.S. national security,” said OFAC Director Andrea Gacki. “Virtual currency exchanges operating worldwide should understand both who – and where – their customers are. OFAC will continue to hold accountable firms, in the virtual currency industry and elsewhere, whose failure to implement appropriate controls leads to sanctions violations.”

“For years, Bittrex’s AML program and SAR reporting failures unnecessarily exposed the U.S. financial system to threat actors,” said FinCEN Acting Director Himamauli Das. “Bittrex’s failures created exposure to high-risk counterparts including sanctioned jurisdictions, darknet markets, and ransomware attackers. Virtual asset service providers are on notice that they must implement robust risk-based compliance programs and meet their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.”

The press release states that Bittrex has agreed to remit $24,280,829.20 to OFAC to settle its potential civil liability for 116,421 apparent violations of multiple sanctions programs. As a result of deficiencies in Bittrex’s sanctions compliance procedures, Bittrex failed to prevent persons apparently located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using its platform to engage in approximately $263,451,600.13 worth of virtual currency related transactions between March 2014 and December 2017.

The press release also stated that Bittrex has agreed to remit $29,280,829.20 for its willful violation of the BSA’s AML program and SAR requirements. FinCEN will credit the payment of $24,280,829.20 as part of Bittrex’s agreement to settle its potential liability with OFAC. FinCEN’s investigation found that, from February 2014 through December 2018, Bittrex failed to maintain an effective AML program. This included deploying inadequate and ineffective transaction monitoring on its platform, resulting in significant exposure to illicit finance. Further, Bittrex failed to file any SARs between February 2014 and May 2017, a period of over three years.

To me, it sounds like Bittrex either intentionally chose not to do the things that would have prevented them from having to settle with both OFAC and FinCEN, or the company hoped that it wouldn’t be noticed by the U.S. Department of Treasury. Either way, it is clear that Bittrex is going to be paying a very large amount of money due to their inadequate actions.


U.S. Treasury Sanctioned Cryptocurrency Mixer Blender.io



The U.S. Department of Treasury tweeted: “For the first time ever, Treasury has sanctioned a virtual currency mixer. Blender.io is used by the DPRK to support malicious cyber activities & money-laundering of stolen virtual currency”. The tweet included an image that has been labeled as Blender.io Cryptocurrency Mixing Process. It includes a simplified graphic of the process.

The U.S. Department of Treasury website provided more detailed information (on May 6, 2022):

“Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned virtual currency mixer blender.io (Blender), which is used by the Democratic People’s Republic of Korea (DPRK) to support its malicious cyber activities and money-laundering of stolen virtual currency.

“On March 23, 2022, Lazarus Group, a DPRK state-sponsored cyber hacking group, carried out the largest virtual currency heist to date, worth almost $620 million, from a blockchain project linked to the online game Axie Infinity; Blender was used in processing over $20.5 million of the illicit proceeds.

“Under the pressure of robust U.S. and UN sanctions, the DPRK has resorted to illicit activities, including cyber-enabled heists from cryptocurrency exchanges and financial institutions, to generate revenue for its unlawful weapons of mass destruction (WMD) and ballistic missile programs.”

Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson said: “Today, for the first time ever, Treasury is sanctioning a virtual currency mixer. Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”

In addition, OFAC is identifying four additional virtual currency wallet addresses used by the Lazarus Group to launder the remainder of stolen proceeds from the March 2022 Axie Infinity heist. This builds on OFAC’s April 14, 2022, attribution of DPRK’s Lazarus Group as the perpetrators of the Axie Infinity heist and identification of the original getaway wallet address. Treasury is committed to tracing illicit virtual currency and blocking associated addresses wherever found.

The Record reported that the U.S. Department of Treasury takes a dim view of cryptocurrency mixers, which are often touted as a way for coin owners to protect their privacy.

CoinDesk reported that LootRush, a Steam-like platform for blockchain games, has raised $12 million in a seed round led by Paradigm with participation from Andreessen Horowitz.

LootRush offers a quick-start platform for blockchain games, which typically have a more complicated onboarding process than traditional video games. According to CoinDesk, Axie Infinity is currently the only game available to play on LootRush. The platform plans to roll out additional titles throughout the year, including CryptoKitties and NBA Top Shot.

Based on all of this, it seems to me that cryptocurrency and the blockchain aren’t very well protected. This isn’t the first time a situation occurred that involved stealing cryptocurrency from wallets that are on the blockchain.