On November 28, the Treasury Department sanctioned two Iran-based individuals for exchanging bitcoin into Iranian rials on behalf of malicious cyber actors involved in the SamSam ransomware scheme. Notably, this action marks the first time that OFAC included digital currency addresses in the identifying information for persons it added to the Specially Designated Nationals and Blocked Persons (“SDN”) List. OFAC also published two FAQs clarifying the ways in which a custodian of virtual currency owned by a blocked person can meet its compliance obligations. While the FAQs clarified some important questions about how persons subject to U.S. jurisdiction can implement their existing obligations with respect to blocked property, a number of important questions remain outstanding.
The SamSam scheme targeted hospitals, universities, corporations and government agencies and, like typical ransomware attacks, took control of victim computers and files and rendered them inaccessible until the victim paid the hackers. Ransomware attackers often demand payment in bitcoin in an effort to remain anonymous. OFAC sanctioned Ali Khorashadizadeh and Mohammad Ghorbaniyan for their role in converting the proceeds of the SamSam ransomware attacks from bitcoin to Iranian rials because they “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, the SamSam ransomware attacks.” Of note, the Department of Justice also indicted two individuals yesterday—Faramarz Savandi and Mohammad Mansouri—for creating and deploying the SamSam ransomware, but OFAC did not sanction them alongside Khorashadizadeh and Ghorbaniyan.
Beyond the significance of the designations themselves, OFAC included the digital currency addresses used in the conversion by Khorashadizadeh and Ghorbaniyan in their respective entries on the SDN List. While OFAC can include such identifications for any person it designates under any sanctions program, this is the first time that it included the digital currency addresses in SDN designations. Non-U.S. persons engaging in certain transactions with Khorashadizadeh and Ghorbaniyan—whether through traditional means or with cryptocurrency—may now be subject to secondary sanctions.
All persons subject to U.S. jurisdiction are required to block the property or interests in property of Khorashadizadeh and Ghorbaniyan, but their digital currency addresses will be particularly helpful to cryptocurrency exchanges or other wallet providers. Those individuals and entities will need to ensure they have a way to prevent bitcoin from being sent to, or received from, the addresses associated with Khorashadizadeh and Ghorbaniyan. And while OFAC made clear in FAQs published earlier this year that compliance obligations are the same whether property is denominated in fiat currency or digital currency, it has been difficult until this point to link the real-world identities of sanctioned persons to any digital currency addresses they may use. This reality posed a significant compliance challenge to persons regularly engaging in cryptocurrency transactions.
OFAC also published two FAQs, adding to the growing list of OFAC FAQs pertaining to virtual currency, that clarified compliance obligations for cryptocurrency custodians. One pertained to the mechanisms by which an institution holding cryptocurrency must implement the blocking requirement. First, institutions can block “each digital currency wallet associated with the digital currency addresses that OFAC has identified as being associated with blocked persons.” But OFAC also noted that custodians can use their own wallets to “consolidate wallets that contain the blocked digital currency (similar to an omnibus account),” provided that there is an audit trail that will allow digital currency belonging to a particular blocked person to be unblocked if there is authorization to do so. This guidance appears to be based on an assumption that a company holding digital currency on behalf of customers will create unique wallets or addresses for each customer; in reality there are other ways to organize the provision of digital currency services to customers for which this guidance does not provide clear answers. The second FAQ that OFAC published clarified that OFAC may notify a customer whose digital currency it has blocked that it has done so.
While this guidance is helpful in clarifying how persons subject to U.S. jurisdiction can implement their OFAC compliance obligations, significant outstanding questions remain. Three in particular are likely to pose ongoing compliance challenges:
Linking Digital Currency Addresses to Real-World Identities: Unless OFAC continues to identify the digital currency addresses that belong to sanctioned persons, it will be difficult for individuals and entities to do this on their own and thus to know whether the source or destination for a cryptocurrency transaction in fact benefits a sanctioned person. It will sometimes be possible to make this identification if persons subject to sanctions advertise their digital currency address as a fundraising strategy, as some terrorist groups have done. Without this information, however, it will remain difficult to link digital currency addresses to real-world identities so that individuals and entities may implement their sanctions compliance obligations.
Implementing Obligations Under Comprehensive Sanctions Programs: OFAC currently administers comprehensive or near-comprehensive sanctions with respect to five countries or territories—the Crimea region of Ukraine, Cuba, Iran, North Korea, and Syria. But it is a significant challenge to determine if the owner of a particular digital currency address is located in one of these countries or territories, particularly if that address is hosted by a personal wallet as opposed to an established exchange. Thus, persons regularly transacting in cryptocurrency may not know whether their counterparties are located in countries or territories subject to OFAC sanctions.
Cryptocurrencies Other Than Bitcoin: The cryptocurrency guidance OFAC has published thus far relates primarily to bitcoin, but the blockchains and protocols that power different cryptocurrencies operate differently and so guidance that applies to bitcoin might not apply directly to other cryptocurrencies.
This recent designation and guidance follow through on a statement OFAC made in its March cryptocurrency FAQs that it would identify digital currency addresses associated with blocked persons in the identifiers published alongside SDN listings. OFAC should consider doing so whenever it has access to such information, as it will help cryptocurrency exchanges and others to meet their sanctions compliance obligations.