4 Iranians implicated in Bitcoin ransom extortions involving Canada
There was interesting news this week involving Iran and digital currencies that is concerning from a financial crime perspective for financial institutions.
On November 26, 2018, two Iranian foreign nationals were indicted in the US and charged with hacking and Bitcoin extortions that affected over 200 US companies and one Canadian university. According to the indictment, Iranians Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri earned over $6 million in Bitcoin from online ransom extortions known as the SamSam ransom extortions.
At the same time, OFAC blacklisted the Bitcoin wallet addresses of two other Iranian foreign nationals for facilitating the exchange of Bitcoin into fiat for, among others, the two indicted Iranians named above.
According to the US Department of Treasury, Ali Khorashadizadeh and Mohammad Ghorbaniyan, both from Iran, acted as a digital currency exchange and facilitated over 7,000 Bitcoin transactions involving proceeds of crime from Bitcoin ransom payments. Khorashadizadeh and Ghorbaniyan are alleged to have used 40 different digital currency exchanges around the world, and the banks of those exchanges, to trade in Bitcoin derived from proceeds of crime. OFAC has designated their Bitcoin wallet addresses as listed, and therefore OFAC obligations are triggered in respect of those wallets for digital currency exchanges and financial institutions.
Bitcoin wallets listed
The two Bitcoin wallet addresses that are listed by OFAC are 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V.
However, since the listing, one can see by tracing that there may have been a sanctions violation in respect of both of them, because Bitcoin has been transferred to them since they were listed. There are other SamSam ransom wallets that appear in extortion demands, including 1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR, which received over 30 BTC when Bitcoin was at its highest point.
According to the US Department of Treasury, SamSam ransom demands are associated with the Iranian digital currency exchange www.enexchanger.com and the following email addresses:
According to its website, EnExchanger is managed by Ghorbaniyan in Tehran and its website says in Farsi that ID is required to buy, sell or trade digital currencies on the exchange (این مجموعه بدون تایید هویت افراد هیچ گونه خدماتی ارائه نخواهد داد.), which would mean that it has records of who is moving money out of Iran and to what wallets (ergo, what pooled wallets, which would tell you to what exchanges and in what country).
The OFAC listing of the two Bitcoin wallets does not clarify whether the two wallets are the pooled wallets of the Iranian digital currency exchange holding customer coins in trust or whether they are, as suggested, the personal wallets of the two Iranian foreign nationals who moved money for the Iranian Bitcoin ransom extortionists.
Iranians confirm using foreign exchanges and mining to move money from Iran
The next day, Iranian foreign nationals informed CoinDesk that they are customers of, and conducted financial transactions on, the Denver-based digital currency exchange called Shapeshift, which apparently operates in part from Toronto with several Canadian officers. Shapeshift is known for conducting financial transactions from and to anywhere in the world without opening customer accounts and without undertaking client identification and verification, pursuant to what they called a “no passport” policy.
CoinDesk also learned from Iranian foreign nationals that they were engaged in mining digital currencies, which is of concern because the resulting digital currencies can be sent anywhere in the world without detection. One miner of Bitcoin in Iran indicated that he does precisely that: he mines for digital currencies and sends the digital currencies abroad, irrespective of sanctions.
While several countries do not have the same level of economic sanctions prohibiting all financial transactions from Iran, they all use correspondent banks and therefore all banks around the world are subject to US sanctions laws in respect of their correspondent banking relationships.