Discover more about our courses.
ICA is the trusted partner for you and your organisation.
Written by Deepa Chandrasekhar on Monday October 11, 2021
“He who hunts two hares does not catch the one and let the other escape.”
- Italian proverb
It always puzzled me that while the US Department of Treasury regularly publishes the names of Specially Designated Nationals (SDNs), the cryptocurrency exchanges that were the conduit for nefarious transactions seem to have dodged this remit. That enigma ended on 21 September, when the Treasury’s Office of Foreign Assets Control (OFAC) announced its decision to sanction Suex, a cryptocurrency exchange incorporated in Prague with operations in the Czech Republic and Russia. Fourteen XBT bitcoin addresses, four ETH Ethereum addresses and seven USDT tether addresses associated with Suex were also added to the SDN list.
The sanctions are part of the US Government’s crackdown on criminal syndicates who extort ransomware payments through cryptocurrency, thereby obfuscating the money trail. Suex was charged with having “facilitated transactions from at least eight ransomware variants … as much as 40% of its transaction volume was associated with digital addresses linked to known malicious actors.” The OFAC’s enforcement will make it harder for Suex to access the US financial system, as financial institutions are prohibited from processing transactions for sanctioned entities.
Ransomware is a variant of software (malware) released by criminals, which embeds itself in vulnerable computer systems and encrypts data or programmes. The hapless victims are then contacted by perpetrators who demand ransoms in exchange for a key that decrypts the files and restores access to the systems and data. At times, criminals have also threatened to publicly disclose sensitive information.
Institutions that have fallen prey to ransomware gangsters include Canadian aircraft manufacturer Bombardier, the Washington D.C. Police Department, electronics company Acer, the University of Colorado, the Cities of Atlanta and Baltimore, Quanta Computers and the CNA financial group. Much of the extortion has been in the form of Bitcoin or Ethereum cryptocurrency. Chainanalysis’ Ransomware 2021 report shows the trend of exponential growth in the value of cryptocurrency received by tracked ransomware addresses (see Figure 1).
Cryptocurrency has spawned an ecosystem of criminals who exploit the lack of regulation across jurisdictions. Cryptocurrency exchanges act as the ‘layering’ stage in money laundering by facilitating the conversion of illegal crypto ransoms to fiat currency and vice versa. The problem is compounded when smaller exchanges are ‘nested’ within bigger cryptocurrency exchanges. This is similar to the concept of nested accounts which occur when customers of a foreign financial institution (Bank A) gain access to the US financial system by operating through a US correspondent account belonging to another foreign financial institution (Bank B). Bank B often has no direct relationship with the underlying customers of Bank A – it therefore relies on the processes of Bank A to verify identity and implement Know Your Customer processes.
According to TRM Labs – a company involved in monitoring digital asset transactions – Suex operated a ‘nested’ exchange by using larger global cryptocurrency exchanges to conduct its transactions. Similar to nested accounts, nested exchanges have the ability to access greater liquidity, provide lower transaction costs and faster turnaround times, through the infrastructure provided by the bigger crypto exchange houses. Suex’s Bitcoin deposit addresses hosted at large cryptocurrency exchanges received over $160m from ransomware actors, scammers, and darknet market operators. It was also said to have received over $50m worth of Bitcoin sent from addresses hosted at illicit cryptocurrency exchange BTC-e that was shut down by US authorities for cybercrime-related money laundering.
The misuse of cryptocurrencies and virtual assets is a cause for concern. OFAC’s sanctions on crypto exchanges are part of the US Treasury’s approach to combating attacks, which includes disrupting ransomware actors and infrastructure, limiting cryptocurrency payments, identifying and protecting target entities and building international cooperation to thwart future attacks. It is well known that sanctioned parties are increasingly turning to cryptocurrencies to hide their financial footprint. Intermediaries who facilitate ransom payments (including depository institutions and money services) thus run the risk of being cut off from the US financial system, if it is proven that the ransomware payment was made through them to a sanctioned person/entity/digital address.
There is, however, the danger is that the criminals may move away from the public ledger operated by Bitcoin and Ethereum to privacy coins like Monero, Dash and z-cash that obscure customer identities and transaction amounts. For example, Monero assigns a one-time, unique wallet address/key to the sender and buyer to complete the transaction. Monero’s wallet users also have decoy addresses on top of a public address. This level of anonymity makes monitoring, tracking and the performance of due diligence extremely difficult.
If you would like to give your knowledge a boost but don’t have the time, take a look at our newest online courses written by professionals for professionals:
The OFAC has made it clear that compliance and AML obligations are the same irrespective of whether the transaction involves regular currency or digital assets. The case of BitPay, Inc. – an Atlanta based payment processing company – indicates the importance of not only implementing KYC, but KYCC (know your customer’s customers). Its BitSend programme bears the tagline “Pay out crypto to anyone, anywhere”. While the company screened merchants who were its customers and conducted due diligence on them, the OFAC stated that BitPay had failed to “screen location data that it obtained about merchants’ buyers.” Consequently, buyers from sanctioned geolocations in the Crimea, Cuba, North Korea, Iran, Sudan, and Syria were able to make purchases from US based sellers using digital currency on BitPay’s platform. It is hence extremely important for crypto processing players to:
While the OFAC has provided guidance, many jurisdictions have not released any regulations regarding digital assets and cryptocurrency. It would be extremely useful if regulators organised training sessions by digital crypto asset experts for their staff and for financial institutions in their domain, so that their financial systems are not unwittingly exploited by criminals and malicious actors alike.
About the author: Deepa Chandrasekhar is the Senior Vice President, Chief Compliance Officer and MLRO for United Gulf Bank B.S.C. (c). The views expressed in this article are hers alone and do not represent those of the organisation
 SDNs comprise individuals, groups, entities, shipping vessels and cryptocurrency addresses
Thank you. Your comment is awaiting moderation and should appear on the site shortly.
Required fields are not completed, please ensure all required fields (*) have been filled in properly.
You can leave the name empty should you wish to remain Anonymous.