Treasury Identifies Iranian Nationals and Their Digital Currency Addresses Used to Facilitate Ransomware Attacks

Perkins Coie

On November 28, 2018, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) announced an action against two Iranian citizens, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who facilitated the exchange of bitcoin ransom payments on behalf of Iranian malicious cyber actors. This client update provides an overview of the OFAC action and identifies certain key issues raised by OFAC’s addition of digital currency addresses as associated information for the listings of Khorashadizadeh and Ghorbaniyan on the OFAC Specially Designated Nationals and Blocked Persons List (SDN list).

As a financial intelligence and enforcement agency of the U.S. Treasury Department, OFAC is responsible for administering and enforcing economic sanctions in support of U.S. national security and foreign policy objectives.  On March 19, 2018, OFAC announced that it was considering including digital currency addresses associated with individuals included on the OFAC SDN list.  The recent action against Khorashadizadeh and Ghorbaniyan is the first instance in which OFAC has included actual digital currency addresses as part of an SDN listing.

OFAC’s action arose partly in response to the SamSam ransomware scheme that targeted over 200 known victims, including corporations, hospitals and universities.  As part of the ransomware attack, Iranian malicious cyber actors demanded payment in bitcoin in exchange for allowing their victims to regain access to their own networks.  Khorashadizadeh and Ghorbaniyan assisted these cybercriminals in converting the ransomed bitcoin into Iranian rial.

OFAC identified two bitcoin wallet addresses that included over 7,000 transactions in bitcoin, worth millions of U.S. dollars.  Among the transactions processed with these wallet addresses, OFAC identified several transactions tied directly to the ransomware attacks.  The wallet addresses were also used to transact with over 40 different digital currency exchanges, sending approximately 6,000 bitcoin to exchanges around the world.  As a result of the OFAC action, persons who engage in transactions with Khorashadizadeh or Ghorbaniyan, including via the digital currency addresses below, will violate OFAC sanctions.  The wallet addresses are as follows:

OFAC SDN-Associated Digital Currency Addresses
XBT – 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V
XBT – 149w62rY42aZBox8fGcmqNsXUzSStKeq8C

OFAC’s decision to include digital currency wallet addresses in SDN listings raises several practical issues for businesses and digital currency users that remain unresolved. First, it is unclear how an individual should scrutinize his blockchain transactions to ensure that he has not dealt with an SDN-listed address, given that bitcoin wallet addresses are not frequently reused. In fact, many bitcoin wallet clients (i.e., the software used to interact with the blockchain) generate a new bitcoin wallet address for each transaction. Khorashadizadeh and Ghorbaniyan did not generate a new wallet address for each transaction. However, a sanctioned individual could easily generate a new address using the same wallet client, or transfer funds to another address, and thereby avoid reusing an SDN-listed digital currency address.

OFAC’s FAQs related to digital currency explain that “OFAC’s digital currency address listings are not likely to be exhaustive [so] . . . [p]arties who identify digital currency identifiers or wallets that they believe are owned by, or otherwise associated with, an SDN and hold such property should take the necessary steps to block the relevant digital currency.” The FAQs also explain that institutions “must ensure that access to that digital currency is denied to the blocked person,” and that institutions may do so by blocking “each digital currency wallet associated with the digital currency addresses that OFAC has identified as being associated with blocked persons.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising
