OFAC Identifies Digital Currency Addresses Of Iran-Based Financial Facilitators, Highlighting Its Focus On Sanctions Compliance In Crypto Space
On November 28, 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) imposed sanctions pursuant to its cyber-related sanctions program on two Iranian individuals for their role in facilitating ransom payments made in bitcoin. In doing so, OFAC also identified the digital currency addresses associated with both individuals, which marks the first time that OFAC has published digital currency addresses linked with specific individuals. OFAC’s cyber-related sanctions program was created on April 1, 2015, and targets persons responsible for or complicit in malicious cyber-enabled activities.
OFAC designated two Iran-based individuals who allegedly helped cyber actors exchange bitcoin ransom payments into Iranian rial and also deposited the rial into Iranian banks. The bitcoins were allegedly collected from a ransomware scheme known as “SamSam,” in which cyber actors gained access to computer networks through network vulnerabilities and took control of network servers and files, demanding a ransom payment to be made in bitcoin. Since 2015, SamSam ransomware has affected numerous corporations, hospitals, universities, and government agencies in the United States, the United Kingdom, and Canada. For more information on ransomware issues, see Shearman & Sterling LLP, WannaCry Global Ransomware Attack: What You Need to Know, Perspectives (May 15, 2018).
For the first time ever, OFAC published the digital currency addresses used by the designated individuals, in order to help identify transactions and funds that must be blocked and further investigated. A digital currency address is a unique combination of random letters and numbers that, without identifying an individual, represents a destination to which bitcoins or other digital currencies can be sent. According to OFAC, the two individuals used their digital currency addresses to process over 7,000 transactions in bitcoin and to send approximately 6,000 bitcoin (worth millions of U.S. dollars), interacting with more than 40 exchangers, including some U.S.-based exchangers.
The press release clarified that OFAC’s compliance obligations apply regardless of whether a transaction occurs in a digital currency or a fiat currency. OFAC also updated its Questions on Virtual Currency relating to blocking digital currency, clarifying that institutions must ensure that access to digital currency is denied to blocked persons when it is determined that the institution is holding digital currency that must be blocked pursuant to OFAC’s regulations. (See U.S. Department of the Treasury, OFAC FAQs: Sanctions Compliance, available at https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_compliance.aspx.) The institution must create an audit trail that will allow the digital currency to be unblocked only when the legal prohibition ceases to apply and must report the blocked digital currency to OFAC within ten business days. An institution that blocks a customer may notify the customer that it has blocked digital currency pursuant to OFAC regulations.
It remains to be seen how effective the publication of digital currency addresses will be, given the ability of individuals to use many such addresses. In addition, OFAC’s actions could cause some individuals to turn to other digital currencies that offer more privacy, such as Monero, Verge or Bitcoin Private. But the release and accompanying FAQs confirm that OFAC is not only monitoring cryptocurrency exchanges, but also expects exchanges and other entities to block digital currency transactions involving individuals subject to U.S. sanctions whenever they can be identified.