On September 21, 2021, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the first virtual currency exchange for laundering cyber ransoms and updated its ransomware advisory to encourage reporting of incidents and ransomware payments to both Treasury and law enforcement.
Rationale for Designating Virtual Currency Exchanges
OFAC explained that some virtual currency exchanges play a critical role in the ransomware ecosystem, since virtual currency is the main way of facilitating ransomware payments and associated money laundering activities. In this regard, the Financial Crimes Enforcement Network (FinCEN) has issued guidance concerning the application of the Bank Secrecy Act rules in this area in 2013 and 2019. FinCEN has also taken enforcement action against non-compliant virtual currency money transmitters facilitating ransomware payments. In 2017, it acted against BTC-e and in 2020 against the virtual currency mixing service Helix.
FinCEN is especially targeting “nested” exchanges, such as SUEX, that piggyback off large crypto platforms; peer-to-peer platforms that permit direct confidential transactions between parties; and mixers, whose exchange services make tracking transactions more difficult. Virtual currencies facilitate illicit activities for their own profits. Treasury will continue to employ its authorities against malicious cyber actors in cooperation with other U.S. law enforcement agencies, as well as with its foreign partners. The goal is to disrupt financial nodes connected to ransomware payments and cyber-attacks.
Designation of SUEX
SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, is designated due to its facilitation of financial transactions for ransomware actors. SUEX has allegedly facilitated transactions involving illicit proceeds from at least eight ransomware variants. Over 40% of SUEX’s known transaction history is with illicit actors. OFAC is designating SUEX pursuant to Executive Order 13694, as amended, for providing material support to the threat posed by criminal ransomware actors.
SUEX is believed to have facilitated ransomware attacks, which help fund additional cybercriminal activity. Treasury has promised to continue to disrupt and hold accountable entities, such as SUEX, to reduce the incentive for cybercriminals to continue to conduct these attacks.
The designation of SUEX is the first sanctions designation against a virtual currency exchange. The Federal Bureau of Investigation assisted in the designation.
The designation of SUEX means that all property and interests in property of SUEX that are subject to U.S. jurisdiction are blocked. U.S. persons are generally prohibited from engaging in transactions with it. In addition, any entities 50% or more owned by one or more designated persons are also blocked. Additionally, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals can expose themselves to sanctions and/or enforcement actions, especially for money laundering.
OFAC Updates Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
OFAC issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The Advisory underscores that the U.S. government continues to strongly discourage the payment of cyber ransom or extortion demands. It recognizes the importance of cyber hygiene in preventing or mitigating such attacks.
The updated advisory underscores the importance of improving cybersecurity practices and reporting to, and cooperating with, appropriate U.S. government agencies in the event of a ransomware attack. The reporting is critical for U.S. government agencies, including law enforcement, to understand and counter ransomware attacks and malicious cyber actors. For instance, if law enforcement has knowledge of a payment right after it occurs, it can more easily trace and seize the money.
International Cooperation on AML/CFT Measures for Virtual Currencies and Service Providers
International cooperation against ransomware is quite dynamic. The G7 heads of state agreed to act and included statements in the communiqué after their June meeting in England. They committed to cooperate to urgently address the increasing threat from criminal ransomware networks. The G7 Expert Group (CEG), co-chaired by the U.S. Treasury and the Bank of England, met on September 1 and September 14, 2021, to discuss ransomware. They explored ways to improve overall security and resilience against malicious cyber activity. At the September 8-9 meeting of the G7 ministers of security and INTERPOL, the participants agreed to hold an Extraordinary Senior Officials Forum on ransomware by the end of 2021.
In June 2019, the Financial Action Task Force (FATF) revised its standards to require all countries to regulate and supervise virtual asset service providers (VASPs), including exchanges, and to mitigate against such risks when engaging in virtual asset transactions. For instance, countries must impose customer due diligence (CDD) requirements and suspicious transaction reporting obligations across VASPs. The due diligence will inhibit cybercriminals’ exploitation of virtual assets and support investigations into illicit finance activities.
The designation of SUEX is likely the first of a series of designations by the U.S. and G7 countries of virtual currency exchanges and platforms deemed to be servicing ransomware attacks. Meanwhile, the G7, G20, and FATF continue to strengthen the standards for applying AML/CFT and financial regulation to crypto-assets.
VASPs and crypto platforms will want to review their AML/CFT due diligence standards with an eye to upgrading them, as the regulatory requirements will continue to be dynamic.
The next issue of the IELR will have a more comprehensive discussion of this matter.