By Samuel Rubenfeld
Monday, October 18, 2021
Players in the virtual currency industry are subject to the same sanctions compliance obligations as traditional financial institutions, even as the sector’s growing prevalence brings greater risk exposure, the U.S. Treasury Department said Friday.
The guidance came in the form of a 28-page brochure that provides an overview of U.S. sanctions requirements, as well as examples of compliance best practices for the myriad companies that operate in the virtual currency sector. The brochure builds on last month’s first-ever U.S. sanctions designation of a virtual currency exchange; ignoring compliance obligations could lead to a potential violation or enforcement action, the Treasury warned.
“Industry participants should consider incorporating the elements and controls outlined in the brochure into their sanctions compliance programs,” the Treasury said in a statement.
The private sector “plays a key role” by implementing controls to prevent sanctioned parties and others from exploiting virtual currencies, the Treasury said, adding that it will continue to engage with industry operators to address the issue. To help with compliance, the Treasury also issued guidance on key terms and provided general instructions on how to block digital currencies.
The guidance was also part of the U.S. government’s latest effort against ransomware, which included a virtual meeting the White House held with representatives of more than 30 countries and the European Union. Ransomware is a software used to encrypt a victim’s data until they meet a payment demand. The Treasury has also updated its advisory on ransomware, stressing the benefits of reporting an attack with a nexus to a sanctioned party.
“Ransomware actors are criminals who are enabled by gaps in compliance regimes across the global virtual currency ecosystem,” said Deputy Secretary of the Treasury Wally Adeyemo. “[The] Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity.”
Attackers have shifted in recent years to becoming more selective in their targets, choosing larger enterprises and demanding bigger ransoms, according to a report issued Friday by the Treasury’s Financial Crimes Enforcement Network (FinCEN) alongside the brochure. Targets of ransomware can vary widely. This week, U.S. security agencies issued a joint advisory about recent ransomware attacks on U.S. water and wastewater treatment facilities, saying the activity “threatens the ability” for the facilities to provide potable water to their communities.
Bitcoin is the most common ransomware-related payment method in transactions reported to FinCEN, the agency said in the report. Based on blockchain analysis of identifiable transactions with 177 virtual currency addresses, FinCEN was able to spot about USD 5.2 billion in outgoing bitcoin transactions potentially tied to ransomware payments, the report said. About half of the amount was sent to virtual currency exchanges, according to FinCEN’s findings.
Last month, the Treasury sanctioned the virtual currency exchange SUEX OTC s.r.o. for its role in facilitating financial transactions for ransomware actors. More than 40 percent of SUEX’s known transactions involved illicit actors, and the exchange had facilitated transactions involving proceeds from at least eight variants, or versions, of ransomware, the Treasury said at the time.
In the first six months of 2021, FinCEN received 635 ransomware-related suspicious activity reports (SARs), a jump from the 487 filed in all of 2020, the report said. The full dataset for January through June 2021 concerned USD 590 million in suspicious activity, but about USD 398 million was actually transferred during the six-month review period, according to FinCEN.
Companies engaged in digital forensic incident response (DFIR), a cybersecurity field focused on identifying, investigating and remediating cyberattacks, had filed about 63 percent of the SARs during the six-month period, according to the FinCEN report. Within the SARs data, FinCEN said it had identified 68 ransomware variants in the transaction data, the most common of which were identified as REvil/Sodinokibi, Conti, DarkSide, Avaddon and Phobos. The REvil ransomware group shut down its operation for the second time this year, claiming they lost control of their servers, according to a report by cybersecurity firm Recorded Future.
Typologies common among the ransomware variants in 2021 included an increase in requesting payment in cryptocurrencies with anonymizing features, avoiding the reuse of wallet addresses, using mixing services and cashing out at centralized exchanges, FinCEN found. Victims typically communicated with the ransomware actors through venues provided by the attackers, including The Onion Router (Tor) and encrypted email, according to the FinCEN report.
The virtual currency brochure and FinCEN report also come amid increased U.S. scrutiny of virtual currency operators, including through their abuse by ransomware actors.
Earlier this month, Deputy U.S. Attorney General Lisa Monaco announced the creation of a national cryptocurrency enforcement team. The group would handle investigations and prosecutions of criminal uses of cryptocurrency, particularly cases involving virtual currency exchanges and others providing money laundering infrastructure, the Justice Department said.
The Biden administration is building an illicit virtual asset notification platform to improve the detection and disruption of ransomware, and other illicit virtual currency payment flows, according to a White House fact sheet released last week.
And on Friday, the Commodities Futures Trading Commission (CFTC) fined stablecoin issuer Tether USD 41 million for misleading claims that its token was fully backed by U.S. dollars, and cryptocurrency exchange Bitfinex USD 1.5 million for illegal transactions on its platform.