Each month Coinfirm's AMLT Network and Token team will present interesting and important high-risk addresses submitted to the AMLT Network, so that we can better inform and protect the industry and the public. Please follow the series by subscribing to our newsletter, following us on Twitter, and joining our Telegram communities AMLT by Coinfirm and AMLT Announcements.
On November 28th, 2018, the U.S. Department of the Treasury made a first-of-its-kind announcement, targeting two Bitcoin addresses as part of its Iran sanctions process. This is a direct result of actions against two Iranian citizens who were liquidating Bitcoins obtained through ransomware attacks. Part of the fourth round of sanctions against the Iranian regime, these actions mark the first time authorities have targeted cryptocurrency addresses in this way and attributed them to named individuals.
The root of the problem here is the infamous SamSam ransomware. First entering the scene in 2016, the malware has become notorious, often forcing even well-prepared victims to pay the ransom because the recovery costs and losses from downtime would exceed the price of giving in to the attackers. This was especially true for the many victims that were hospitals or other medical facilities, which simply could not afford the loss of morale and a prolonged network outage.
The attacks were mostly targeted, unlike most ransomware campaigns. The attackers singled out vulnerable machines and set up their traps, waiting for the victim to do the rest of the work for them.
The two sanctioned addresses have been active since September 2013 and February 2014 respectively and have a very rich transaction history: nearly 7000 transactions combined. The largest incoming and outgoing transactions ranged between 31 and 51 BTC, with an average of 3.16 BTC per transaction.
A large portion of the transaction flow through these addresses also involved over 40 exchanges. Thanks to our ability to analyze on-chain transactions, we have been able to identify various well-known exchanges and payment processors among them. The Treasury's Office of Foreign Assets Control (OFAC) has also named such parties as having enabled the Iranian hackers to liquidate their ransom payments. This comes alongside a declaration that regulations will be tightened and that nefarious actors will be countered by cutting off the channels they exploit.
Below you can find the Coinfirm AML reports on both of the sanctioned addresses:
As seen below, both subjects were put on sanctions lists along with the individual addresses:
The visualization tool allowed us to identify some of the exchanges and other known parties that received payments from the sanctioned addresses. As you can see, the funds were often mixed and transferred through various intermediate addresses. Please see the graph analysis below, where known entities are marked in orange:
Interacting with addresses in close proximity to the sanctioned ones may result in an increased C-Score in our platform and can be treated as high risk under AML standards. For entities in the cryptocurrency space and beyond, this again shows the importance of proper AML/KYC and of using the best available tools to meet these requirements, since exposure to such addresses or funds can bring risk to your business, partners and clients. Coinfirm recently launched its AMLT Network, attached to the Coinfirm AML Platform, which allows anyone in the world to provide data on such entities so that other market participants can limit their exposure to the risk of related addresses and funds.
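As an added illustration of the proximity idea above, the script below screens an address by how many hops along the flow of funds separate it from a sanctions list. This is example code written for this post, not Coinfirm's platform or its C-Score logic; the address labels, transactions and hop thresholds are constructed placeholders, not the real OFAC-listed addresses.

```python
from collections import deque

# Constructed sample transactions: (sender, receiver, amount in BTC).
# Labels are placeholders; no real addresses are used here.
TRANSACTIONS = [
    ("SANCTIONED_A", "mixer_1", 12.0),
    ("SANCTIONED_B", "mixer_1", 8.5),
    ("mixer_1", "hop_2", 20.0),
    ("hop_2", "exchange_deposit", 19.9),
    ("exchange_deposit", "exchange_hot_wallet", 19.9),
    ("unrelated_1", "unrelated_2", 1.0),
]

# Placeholder sanctions list (stands in for the two OFAC-listed addresses).
SANCTIONED = {"SANCTIONED_A", "SANCTIONED_B"}


def build_graph(txs):
    """Map each address to the set of addresses it sent funds to."""
    graph = {}
    for sender, receiver, _amount in txs:
        graph.setdefault(sender, set()).add(receiver)
        graph.setdefault(receiver, set())
    return graph


def hops_from_sanctioned(graph, sanctioned):
    """Multi-source BFS following the direction of fund flow.
    Returns {address: hop distance} for every address reachable
    from a sanctioned address; unreachable addresses are absent."""
    dist = {addr: 0 for addr in sanctioned if addr in graph}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def risk_tier(hops):
    """Assumed tiering: thresholds are illustrative, not an AML standard."""
    if hops is None:
        return "none"
    if hops == 0:
        return "sanctioned"
    return "high" if hops <= 2 else "medium"


def screen(address, txs=TRANSACTIONS, sanctioned=SANCTIONED):
    """Return (hop distance or None, risk tier) for one address."""
    dist = hops_from_sanctioned(build_graph(txs), sanctioned)
    hops = dist.get(address)
    return hops, risk_tier(hops)
```

Running `screen("exchange_deposit")` shows how funds that passed through a mixer and an intermediate address still carry exposure three hops downstream, which is the pattern the graph above illustrates.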
If you’re interested in partnering with Coinfirm or becoming an AMLT Network Member then contact us!
The Coinfirm Team