4 Iranians implicated in Bitcoin ransom extortions involving Canada
There was interesting news this week involving Iran and digital currencies that are concerning from a financial crime perspective for financial institutions.
On November 26, 2018, two Iranian foreign nationals were indicted in the US and charged with hacking and Bitcoin extortions that affected over 200 US companies and one Canadian university. According to the indictment, Iranians Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri earned over $6 million in Bitcoin from online Bitcoin ransom extortions from what is called the SamSam ransom extortions.
At the same time, OFAC blacklisted the Bitcoin wallet addresses of two other Iranian foreign nationals for facilitating the exchange of Bitcoin into fiat for, among others, the two indicted Iranians named above.
According to US Department of Treasury,  Ali Khorashadizadeh and Mohammad Ghorbaniyan, both from Iran, acted as a digital currency exchange and facilitated the trading of over 7,000 transactions in Bitcoin that were proceeds of crime from Bitcoin ransom payments. Khorashadizadeh and Ghorbaniyan are alleged to have used 40 different digital currency exchanges around the world and the banks of those exchanges, to trade in Bitcoin derived from proceeds of crime. OFAC has designated their Bitcoin wallet addresses as listed.
Bitcoin wallets listed
The two Bitcoin wallet address that are listed by OFAC are 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V.
However, since the listing, Bitcoin has been transferred to them. There are other SamSam ransom wallets that  that appear in extortion demands including 1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR which received over 30 BTC when Bitcoin was at its highest point.
According to the US Department of Treasury, SamSam ransom demands are associated with the Iranian digital currency exchange  www.enexchanger.com and the following email addresses:
- EnExchanger@gmail.com
- Ensaniyat1365@gmail.com
- iranvisacart@yahoo.com;
- mastercartaria@yahoo.com
- alikhorashadi@yahoo.com
- toppglasses@gmail.com
- iranian_boy5@yahoo.com.
According to its website, EnExchanger is managed by Ghorbaniyan in Tehran and its website says in Farsi that ID is required to buy, sell or trade digital currencies on the exchange (این مجموعه بدون تایید هویت اÙراد هیچ گونه خدماتی ارائه نخواهد داد.).
Iranians confirm using foreign exchanges and mining to move money
The Iranians informed CoinDesk that they are customers of, and conducted financial transactions on the Canadian digital currency exchange called Shapeshift, which advertises services that allow people to conduct transactions from and to anywhere in the world without opening an account or undertaking client identification and verification, pursuant to what they called a “no passport” policy.
CoinDesk also learned from Iranians that they were engaged in mining digital currencies, which is of concern because the resulting digital currencies can be sent anywhere in the world without detection and one miner of Bitcoin in Iran indicated that he does precisely that — mines for digital currencies and successfully sends the digital currencies abroad, irrespective of sanctions.