Iran ~ concerns mount over Bitcoin use for sanctions avoidance

By Christine Duhaime | December 1st, 2018

4 Iranians implicated in Bitcoin ransom extortions involving Canada

There was interesting news this week involving Iran and digital currencies that is concerning from a financial crime perspective for financial institutions.

On November 26, 2018, two Iranian foreign nationals were indicted in the US and charged with hacking and Bitcoin extortions that affected over 200 US companies and one Canadian university. According to the indictment, Iranians Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri earned over $6 million in Bitcoin from online ransom extortions known as the SamSam ransom extortions.

At the same time, OFAC blacklisted the Bitcoin wallet addresses of two other Iranian foreign nationals for facilitating the exchange of Bitcoin into fiat for, among others, the two indicted Iranians named above.

According to the US Department of Treasury, Ali Khorashadizadeh and Mohammad Ghorbaniyan, both from Iran, acted as a digital currency exchange and facilitated the trading of over 7,000 transactions in Bitcoin that were proceeds of crime from Bitcoin ransom payments. Khorashadizadeh and Ghorbaniyan are alleged to have used 40 different digital currency exchanges around the world, and the banks of those exchanges, to trade in Bitcoin derived from proceeds of crime. OFAC has designated their Bitcoin wallet addresses as listed and therefore OFAC obligations are triggered in respect of those wallets for digital currency exchanges and financial institutions.

Bitcoin wallets listed

The two Bitcoin wallet addresses that are listed by OFAC are 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V.

However, since the listing, one can see by tracing that there may have been a sanctions violation in respect of both of them because Bitcoin has been transferred to them since they were listed. There are other SamSam ransom wallets that appear in extortion demands, including 1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR, which received over 30 BTC when Bitcoin was at its highest point.

According to the US Department of Treasury, SamSam ransom demands are associated with the Iranian digital currency exchange www.enexchanger.com and the following email addresses:

  • EnExchanger@gmail.com
  • Ensaniyat1365@gmail.com
  • iranvisacart@yahoo.com
  • mastercartaria@yahoo.com
  • alikhorashadi@yahoo.com
  • toppglasses@gmail.com
  • iranian_boy5@yahoo.com

According to its website, EnExchanger is managed by Ghorbaniyan in Tehran and its website says in Farsi that ID is required to buy, sell or trade digital currencies on the exchange (“This organization will not provide any services without verifying the identity of individuals.”), which would mean that it has records of who is moving money out of Iran and to what wallets (ergo, what pooled wallets, which would tell you to what exchanges and in what country).

The OFAC listing of the two Bitcoin wallets does not clarify whether the two wallets are the pooled wallets of the Iranian digital currency exchange holding customer coins in trust or whether they are, as suggested, the personal wallets of the two Iranian foreign nationals who moved money for the Iranian Bitcoin ransom extortionists.

Iranians confirm using foreign exchanges and mining to move money from Iran

The next day, Iranian foreign nationals informed CoinDesk that they are customers of, and conducted financial transactions on, the Denver-based digital currency exchange called Shapeshift, which apparently operates in part from Toronto with several Canadian officers. Shapeshift is known for conducting financial transactions from and to anywhere in the world without opening customer accounts and without undertaking client identification and verification pursuant to what they called a “no passport” policy.

CoinDesk also learned from Iranian foreign nationals that they were engaged in mining digital currencies, which is of concern because the resulting digital currencies can be sent anywhere in the world without detection and one miner of Bitcoin in Iran indicated that he does precisely that — mines for digital currencies and sends the digital currencies abroad, irrespective of sanctions.

While several countries do not have the same level of economic sanctions prohibiting all financial transactions from Iran, they all use correspondent banks and therefore all banks around the world are subject to US sanctions laws in respect of their correspondent banking relationships.

In Canada, people associated with the Mafia and drug dealers are issued cannabis licences according to CBC News Report

By Christine Duhaime | November 4th, 2018

According to a news story in French on CBC News, the government of Canada has issued licences to a cannabis company that has ties to the Mafia and to major drug traffickers, and Canada has also issued another licence to a cannabis company whose shareholders include major drug traffickers.

The journalist in the story notes that the Canadian government vetted and approved criminal elements when issuing licences when the documentation submitted was transparent (meaning the ties to a TCO were available for discovery on a routine due diligence). According to the story, all that the government does in terms of an investigation and due diligence to issue a licence to a cannabis company in Canada is conduct a litigation search and a criminal record search of a company applying.

According to the news story, the investigation work undertaken by the Government of Canada does not include a review of corporate entities (e.g., shareholders, offices, directors) or beneficial ownership. It does not include a search as against sanctions lists or terrorist lists either.

According to the story, the reason a proper due diligence on cannabis licence holders is not completed is because it involves ‘too much investment, too much time, too much money.’

Bottom line? Unfortunately, it may mean that in Canada, if you are a bank, you will not be able to place any weight on the fact that a cannabis company was granted a licence from Canada, given that associates of the Mafia can obtain a licence, and that means that all cannabis licence holders pose a reputational, criminal and money laundering risk to a financial institution.

The CBC report declined to name those cannabis licence holders associated with TCOs.

Digital currency exchange CEO who spent customers’ Bitcoin settling with SEC and awaiting criminal sentencing

By Christine Duhaime | October 23rd, 2018

Exchange CEO Indicted

The CEO of a digital currency exchange who pleaded guilty after being indicted in New York for, inter alia, selling Bitcoin to US residents illegally and then stealing it from them by removing it from the exchange’s pooled wallet, is awaiting sentencing for the criminal proceeding against him, and is also negotiating a settlement with the SEC.

Opened Accounts for American Residents

Jon Montroll operated an Australian company that provided digital currency exchange services online to US residents which allowed them to deposit US dollars and to deposit and withdraw Bitcoin. Montroll also operated another platform and co-mingled customers’ Bitcoin from both platforms in one pooled Bitcoin wallet that he had complete control over.

Bitcoin removed from Exchange by its Officers

For close to a year, Montroll took Bitcoin from the exchange’s pooled wallet that belonged to customers and cashed out the customers’ Bitcoin and spent it. Digital currency exchanges are deposit-taking, and hold funds in trust for customers, and as a result are not permitted to spend Bitcoin held in trust.

Publicly Represented Company was Successful, When it was Not

Montroll’s platforms allegedly also suffered a hack which depleted the Bitcoin reserves of the exchange. When the Bitcoin was depleted from the pooled wallet, the CEO failed to disclose to customers that there was insufficient Bitcoin liquidity left and instead continued to promote the exchange services, “falsely representing to the public that the exchange was commercially successful” and viable when he knew it was not and there was insufficient liquidity to pay back any customers who may have wanted to cash out Bitcoin.

According to the indictment, the misrepresentations of the CEO led to the exchange acquiring an additional 978 Bitcoin from unsuspecting customers. In essence it was a Ponzi scheme where new customers with fresh Bitcoin were induced onto the platform to replenish the Bitcoin the CEO had taken and spent, while the CEO knew all the while that there would never be enough Bitcoin to pay back previous or new customers.

Montroll was indicted on a number of offences including wilfully, manipulatively and deceptively selling illegal securities; engaging in fraud; and making untrue and false statements to defraud the public. In addition, he was indicted for misappropriating customer funds, aka Bitcoin, and spending it without permission from the customers. He was also indicted for obstruction of justice for lying about the liquidity and number of Bitcoin in the pooled corporate digital currency wallet. In order to deflect law enforcement, he provided a screen shot purportedly showing the balance of the company pooled Bitcoin wallet but it was a fake document in that it was a screen shot of manual adjustments and balances, not of the actual balance in the pooled wallet.

Montroll faces a sentence of incarceration of up to 20 years in US federal prison and will be sentenced in January 2019.

FinCEN Employee Arrested for Illegally Disclosing SARs

By Christine Duhaime | October 19th, 2018

Arrest of FinCEN employee for SARs disclosure

The US government has arrested an employee of FinCEN for providing copies of suspicious activity reports (“SAR”) to the media.

SARs disclosure is illegal

SARs are required to be filed and submitted by certain reporting entities, such as banks, to FinCEN when the bank or its employees have reasonable grounds to suspect that a financial transaction is associated with money laundering.

SARs contain invasively personal and private information of a person or a company and because they involve a subjective determination, can cause harm to a person or a business if filed without justification. As a result, the legislation protects the filer of the information and also protects the filing itself.

It is a criminal offence to disclose the filing of a SAR, or its contents, to anyone other than FinCEN (or in Canada, FINTRAC). Reporting entities, such as banks and casinos, that file SARs (STRs in Canada) are protected from lawsuits over wrongful filings provided they themselves do not violate the disclosure laws. The reason for the protection in respect of reporting entities such as banks is that they would not provide full disclosure if there was a possibility, however remote, that the public or the media would see a filed SAR. Reporting entities that give copies of STRs to other government agencies or to law enforcement in violation of federal law are not protected, and such unauthorized disclosures can be compelled by anyone under privacy legislation because the disclosure thereof to unauthorized parties renders them a non-protected document.

Endangers lives of AML & bank officers

The disclosure of a SAR could endanger the lives of bank employees and AML officers. That is because AML officers report cases of serious criminality often involving organized crime and if not organized crime, then certainly criminal elements who may not hesitate to harm an AML officer in connection with a SAR. In this case, the FinCEN employee went so far as to disclose to the media that SARs were filed by Citibank’s AML officers over their client, the Embassy of Russia, which is the confidential business information of Citibank and of the Embassy of Russia, and places a risk on the AML officers of Citibank.

Disclosure of terrorist financing reports

According to the criminal complaint, over the course of a year, the FinCEN employee, Natalie Edwards, allegedly provided SARs to a reporter and described the contents of several other SARs over Telegram. At first, she allegedly lied to the FBI and denied having supplied federal records to a reporter and then subsequently allegedly admitted it.

She is alleged to have saved 24,000 FinCEN files on a flash drive, including many SARs and records of a highly sensitive nature involving financial transactions of Iranian foreign nationals and terrorist financing of ISIS, the disclosure of which may adversely impact international security.

FinCEN issues money laundering advisory for Iran’s use of Bitcoin and digital currencies

By Christine Duhaime | October 14th, 2018

FinCEN has issued an advisory for Iran that is specifically targeted at digital currency exchanges, banks and foreign banks so that the latter can understand their obligations under the correspondent banking system. The advisory is interesting because it is one of the first instances of an attempt to provide guidance to foreign banks in respect of the reach of US financial crime law arising from the correspondent banking system. Often foreign banks, and in particular, digital currency exchanges, are not aware of the correspondent banking system and how US AML / CTF / sanctions law is applicable to them.

The practice in Iran is to move money out to Dubai and from there, banks and money services businesses sanctions-strip the money and move it to the US, Germany, UK or Canada. Sanctions-stripping is a way of providing originating information for banks that strips the origin of the money from being associated with Iran, an Iranian foreign national, or a person who holds an Iranian passport.

The FinCEN Advisory directs US correspondents to go back to foreign banks they provide services to (including Canadian banks) and seek additional information to ascertain that they are not being used for sanctions avoidance from Iran. In other words, to determine if sanctions-stripping of data occurred.

Here is a common example in Canada – an Iranian foreign national, almost always an undisclosed politically exposed person (“PEP”) immigrating to Canada opens a bank account in Dubai and wires money to that bank. The bank then wires it to a bank located in Quebec as part of a paid investor immigration program and strips out the originating information that the funds originated from Iran or an Iranian foreign national. The Dubai bank and the bank in Quebec know the funds involve an Iranian foreign national (the latter because they administer investor immigration funds) but that information is stripped. The money moves through a US correspondent bank in New York as originating from Dubai. The US correspondent bank is unaware that it handled Iranian funds from a PEP that may be subject to US sanctions. The US correspondent bank is then exposed to potential criminal liability in the US for unknowingly dealing in funds from Iran. Often, a money services business in Dubai acts as the facilitator whereby they are the party wiring funds to Canada secretly for an Iranian foreign national.

According to the Advisory, officials tied to the Central Bank of Iran, in particular, are being deployed to move money internationally to finance terrorism through Dubai and other cities in the United Arab Emirates. The Advisory provides examples including of an Iranian airline that moved money to Canada through Germany to finance terrorism. All Iranian foreign nationals use third parties and third party countries to move money – they have to because it is near impossible to export money in any form from Iran directly to another foreign financial institution except to Dubai and a handful of other countries whose banks deal with Iranian funds.

Enter Bitcoin – Bitcoin and other digital currencies allow for the movement of funds from Iran to anywhere in the world because they are decentralized and are outside of the formal financial system. The Advisory estimates that at least $3.8 million is exiting Iran through Bitcoin annually using digital currency exchanges.

And that brings us to so-called sovereign initial coin offerings (“SOV”); they are ICOs issued by a government. A SOV is a new digital currency issued off an existing or a new Blockchain by a government agency. Venezuela is an example of a country that issued a SOV called the Petro coin for sanctions avoidance on the NEM Blockchain, that can be bought with NEM coins. Here, you can read how millions of dollars of stolen NEM coin were allegedly traced and traded at a Vancouver digital currency exchange. That means that the Petro coin from Venezuela apparently issued for US sanctions avoidance, can be bought with NEM at a Vancouver digital currency exchange without visibility because that exchange trades NEM. If you can buy the Petro coin in Vancouver with NEM for sanctions avoidance, you will likely be able to buy an Iranian SOV.

Last month, Iran issued a notice that it was working on a SOV and the concern is that it will be used, like Venezuela, for sanctions avoidance.

The Advisory suggests that banks and foreign digital currency exchanges monitor IP addresses and engage in Blockchain tracing to ascertain the origin of digital currency trades from Iran, although the latter is harder to do than the Advisory suggests. No Blockchain identifies the origination of a transaction – only IP tracing can do that and with Iran’s heavy use of VPNs countrywide, such tracing is difficult.

You can, however, trace to Iranian wallets and that is where the focus should be, in addition to utilizing competent AML, CTF and sanctions compliance methods. In addition, banks and digital currency exchanges should know the typologies in respect of Iran — for example, the trades of digital currencies involving Iran in Canada typically take place involving former Iranians in Canada with a Canadian passport. The movement of money to and from Iran is closely transacted among persons of Iranian origin and specifically those with a Canadian passport (meaning those with undisclosed dual passports – one they use to travel from Dubai to Canada which they then switch out and hide and the second one they use to travel from Tehran to Dubai, and vice versa).

Iranian foreign nationals can only move money to Canada if they use banks, which means a US correspondent bank is being used unwittingly and unknowingly, or if they use digital currencies. They can use cash, but it is bulky, and they use credit card credits (e.g., pre-paying a Visa card so that the money can be spent in another country by another person). Leaving a large credit balance on an American Express or Visa credit card is a red flag for money laundering and sanctions avoidance.

OxyMonster sentenced to 20 years for money laundering and dark net drug sales

By Christine Duhaime | October 10th, 2018

A foreign national from France, known on the dark net as OxyMonster, was sentenced to 20 years in jail in the US for selling drugs such as fentanyl online and laundering the proceeds of crime. Gal Vallerius, 36, pleaded guilty to drug distribution and money laundering in Miami in June for selling cocaine, methamphetamine, fentanyl, oxycodone and other drugs on Dream Market, where he was paid in Bitcoin.

Vallerius was arrested in August 2017 while entering the US to attend a beard contest. In addition to selling illegal drugs online, he admitted to being an administrator of Dream Market. Part of the way he was detected was through his Twitter and Instagram accounts and by tracing his Bitcoin wallet addresses to Local Bitcoins.

Dream Market is a marketplace accessible on TOR, which has a tumbler service built in so that it is not possible to trace Bitcoin payments between buyer and seller.

He was arrested with 99.98 in Bitcoin and 121.98 in Bitcoin Cash under his control, which were seized.

ICOs & tokens increasingly attracting FBI criminal attention

By Christine Duhaime | October 8th, 2018

According to this interview with FBI’s Financial Crimes Section Chief on CNBC, the FBI is seeing an increase in the number of complaints and cases opened involving digital currencies and crime. In particular, the FBI said that it is mostly ICOs and associated investment fraud schemes involving Bitcoin that are on the rise for investigations where retail investors (e.g., the public) are the target.

According to the FBI, criminals are increasingly using Bitcoin for crimes and as a result, the FBI is liaising with the Five Eyes to learn about digital currencies and crime. However, cash is still king for crimes because of the fact that there is always an intersection point when dealing with digital currencies.

7 Russian foreign nationals indicted in US for alleged money laundering and hacking of Canadian / US agencies

By Christine Duhaime | October 7th, 2018

The Department of Justice announced the indictment of 7 Russian foreign nationals in Pennsylvania for their roles in an alleged hacking of anti-doping sports agencies, including one in Canada called the Canadian Centre for Ethics and Sports. According to the indictment, the indicted persons hacked into computers for several years to allegedly influence sports doping and used Bitcoin to facilitate the payment of domain names and to use servers. According to the indictment, the defendants hacked into computers remotely from Moscow and also hacked into agency computers and mobile devices by gaining access to hotel and airport wifi networks. The defendants allegedly traveled to Brazil and Switzerland to hack hotel wifi networks to obtain login credentials, and once they had access, they conducted large-scale exports of data. The indictment also alleges that the defendants acquired Bitcoin from mining, which offers a way to acquire Bitcoin relatively anonymously because the only connection point (and therefore identifying point) is the IP address.

You can read more here.

Hezbollah financier arrested for laundering $10 million at casino

By Christine Duhaime | September 22nd, 2018

An alleged financier for Hezbollah, Assad Ahmad Barakat, was arrested in Brazil, accused of laundering $10 million at a casino in Argentina. In 2004, the US Treasury said Barakat was one of the most influential members of Hezbollah, a listed terrorist organization. It accused him of using his businesses in the border areas of Brazil, Paraguay and Argentina as a front for fundraising for Hezbollah as well as coercing local shopkeepers into giving money to the organization. Barakat is on the US sanctions list.

Paraguay has stated that it believes Barakat financed the 1994 attack in Buenos Aires that killed 85 people.

Iran using ghost supertankers to avoid sanctions law

By Christine Duhaime | September 22nd, 2018

According to this article in the Financial Times, Iran has sent a supertanker, called Happiness I, en route to Asia, carrying 2 million barrels of oil that is off-the-radar literally, in order to obfuscate that it is transporting Iranian oil to another country. When ships are off-radar, they turn off their transponders and are no longer broadcasting their positions.

Off-radar shipping by Iran is in response to the new US sanctions imposed against Iran that come into effect on November 5, 2018.

Although many EU nations appear to oppose the renewal of US sanctions against Iran, their opposition has little effect because oil sales involve the private sector (banks, law firms, insurance firms, refineries, accounting firms), and it is the private sector that needs access to US correspondent banks to survive. Engaging in commerce with Iran, including dealing with Iranian oil, is too much of a risk for the private sector. Even Turkey, which buys 7% of Iranian oil, decreased its purchases by 45%.

Officials are suggesting that the US government intends to ramp up sanctions enforcement against the private sector, mostly as against foreign banks with US correspondents or operations in the US which gives them jurisdiction, that facilitate sanctions avoidance involving Iran or Iranian foreign nationals.
