For the first time, the Treasury Department has added digital currency identifiers on its sanctions blacklist. It has also crafted new guidance on how those connections and transactions should be identified and reported.

On Nov. 28, the Treasury Department’s Office of Foreign Assets Control acted against two Iran-based individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan. They allegedly helped exchange digital currency ransom payments, from Bitcoin into Iranian rial, on behalf of Iranian cyber-criminals involved with the so-called SamSam ransomware scheme that targeted more than 200 known victims.

“Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims,” Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker said in a statement. “As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes. We are publishing digital currency addresses to identify illicit actors operating in the digital currency space.”

The Treasury Department, he added, “will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber-security and AML/CFT safeguards to further their nefarious objectives.”

To execute the SamSam ransomware attack, cyber actors exploit computer network vulnerabilities to gain access and copy the illicit software into the network. Once in the network, these cyber-criminals use the ransomware to gain administrator rights and take control of a victim’s servers and files. The hackers would then demand that a ransom be paid, in bitcoin, for regaining access and control of the network.

Since 2013, the two men have allegedly used these two digital currency addresses to process over 7,000 transactions and interact with over 40 exchangers—including some based in the U.S.—for approximately 6,000 bitcoin, worth millions in U.S. currency.

In a related action, the Department of Justice indicted two other Iranians on charges that they were part of “a 34-month-long international computer hacking and extortion scheme involving the deployment of sophisticated ransomware.”

Victims included hospitals, municipalities, and public institutions, according to the indictment, including: the cities of Atlanta and Newark; the Port of San Diego; the Colorado Department of Transportation; the University of Calgary; Hollywood Presbyterian Medical Center in Los Angeles; Laboratory Corporation of America Holdings (more commonly known as global diagnostics company LabCorp); MedStar Health, headquartered in Maryland; and Allscripts Healthcare Solutions Inc., headquartered in Chicago.

The indictment alleges that, as a result of their conduct, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri collected more than $6 million in ransom payments to date, causing more than $30 million in losses to victims.

According to the indictment, Savandi and Mansouri created the first version of the SamSam Ransomware in December 2015. The Justice Department alleges they used “sophisticated online reconnaissance techniques,” and conducted online research to select and target potential victims.

The perpetrators allegedly maximized the damage caused to victims by launching attacks outside regular business hours and by encrypting backups of the victims’ computers. “This was intended to—and often did—cripple the regular business operations of the victims,” a Justice Department statement says.

New sanctions compliance screens

While OFAC routinely provides identifiers for designated persons, its actions this week mark the first time it has publicly attributed digital currency addresses to designated individuals.

Like traditional identifiers, “these digital currency addresses should assist those in the compliance and digital currency communities in identifying transactions and funds that must be blocked and investigating any connections to these addresses,” it wrote.

OFAC identified two digital currency addresses associated with Khorashadizadeh and Ghorbaniyan. To help convert the digital currency ransom payments into rial, the two financial facilitators used the following addresses: 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V.

As a result of recent actions, persons that engage in transactions with Khorashadizadeh and Ghorbaniyan could be subject to secondary sanctions. “Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same,” the agency added.

“Treasury has been looking carefully at the risks that digital currency trading pose in general, and certainly evasion of economic sanctions laws is one of them,” said Greta Lichtenbaum, a partner in law firm O’Melveny & Myers’ international trade practice. “U.S.-based individuals and corporations have to be careful about violating those rules no matter what kind of economic activity they are involved in, and digital currency trading is particularly risky given that it is often viewed as an alternative to more conventional means of creating value.”

“The action by OFAC in listing the specific digital currency addresses of two individuals is a fulfillment of its warning back in March that it intended to treat digital currency, and those that transact in it, in the same way that it treats fiat currency,” adds Laurel Loomis Rimon, senior counsel in O’Melveny’s FinTech practice, former general counsel for the Office of the Inspector General at the Department of Homeland Security. “[OFAC’s] action highlights the need for financial institutions engaged in digital currency transactions to review their anti-money laundering and sanctions screening programs to ensure they, and any vendors they use, are capturing financial transactions of all kinds and utilizing strong customer identification procedures to connect financial transactions with their true owners.”

Updated information on compliance requirements for digital currencies was included by OFAC in a list of “frequently asked questions.”

How do I block digital currency?

Once it has been determined that your institution is holding digital currency that is required to be blocked pursuant to OFAC’s regulations, you must ensure that access to that digital currency is denied to the blocked person and that your institution complies with OFAC regulations related to blocked assets.

Institutions may choose, for example, to block each digital currency wallet associated with the digital currency addresses that OFAC has identified as being associated with blocked persons, or opt to use its own wallet to consolidate wallets that contain the blocked digital currency (similar to an omnibus account) titled, for example, “Blocked SDN Digital Currency.”

Each of these methods is satisfactory, so long as there is an audit trail that will allow the digital currency to be unblocked only when the legal prohibition requiring the blocking of the digital currency ceases to apply.

The institution is not obligated to convert the blocked digital currency into traditional fiat currency (e.g., U.S. dollars). Blocked digital currency must be reported to OFAC within 10 business days.

Questions about whether a transaction should be blocked should be directed to OFAC at (202) 622-2490 or ofac_feedback@treasury.gov.

Should an institution tell its customer that it blocked access to their digital currency and, if so, how does the institution explain it to the customer?

An institution may notify its customer that it has blocked digital currency pursuant to OFAC regulations. The customer has the right to apply for the unblocking and release of the digital currency. To apply online to have the virtual currency released, visit OFAC’s online application page.