OFAC takes first action against cryptocurrency exchange and issues updated ransomware advisory
September 21, 2021
Watch the interview
Treasury officials offer additional commentary on the action and advisory in an exclusive interview with TRM Labs.
Read the background
OFAC's action against crypto exchange Suex
Today the U.S. Treasury's Office of Foreign Assets Control (OFAC) took its first ever action against against a cryptocurrency exchange, SUEX.io, a concierge cryptocurrency exchanger incorporated in Czechia but operating in Russia. This action comes as the United States attempts to tackle the scourge of ransomware attacks and harden cyber defenses against cybercriminals and rogue nation state actors.
In the view of Treasury, SUEX fills an essential niche in the ecosystem of underregulated exchanges that, either through willful ignorance or witting cooperation, facilitate the conversion of illicit crypto ransoms into real-world currency.
SUEX also operated as a so-called "nested" or "parasite" exchange, meaning SUEX did not directly custody its clients' crypto. Instead, it fed off the infrastructure of a large, global cryptocurrency exchange to conduct its transactions. Nested exchanges often take advantage of the greater liquidity and lower transaction costs of big, multinational exchanges while presenting customers with a custom-made interface obscuring the connection to the larger service. Using this relationship with a large exchange, and access to cash from unknown sources, SUEX was able to convert the illicit monies of its clients to physical cash at an alarming scale. *See TRM's deep-dive investigation on Suex here.
Todd Conklin, Counselor to the Deputy Secretary of the Treasury, highlighted the risk associated with nested exchanges when discussing the action with us this morning in a special edition of TRM Talks:
"When you look at the whole exchange ecosystem, there have been improvements amongst some of the larger exchanges specific to know your customer and AML compliance. However, there's an illicit underbelly that has been forming in the smaller nested exchange and mixer ecosystem, which we want to shine a light on. Higher percentages of these particular exchanges' transactions are on behalf of criminal and ransomware actors. We just can't allow the smaller nested exchanges to serve as backdoors for illicit activity. It clouds the entire ecosystem, which is predominantly conducting licit business."
- Todd Conklin, U.S. Treasury
Although the focus on this illicit ‘underbelly' is made clear in this particular case, the action indicates that OFAC is willing and able to target cryptocurrency-related entities with ties to financial crime. "We've been very clear that OFAC requirements apply to the virtual currency industry in the same way they do to banks and other traditional financial institutions," asserts Lawrence Scheinert, OFAC associate director of compliance and enforcement, in the same interview.
Mr. Scheinert continued in light of today's action against SUEX, "We also believe compliance really does need to be built into the technological architecture from the beginning. Compliance is not optional. There are civil and criminal penalties for noncompliance, and in fact, just over the last eight months OFAC has published two enforcement actions involving virtual currency service providers for failing to comply with OFAC obligations."
OFAC's updated ransomware advisory
In coordination with the action, OFAC released an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments ("updated advisory"). The updated advisory builds on October 2020 guidance which stated, "Companies that facilitate ransomware payments to cyber actors on behalf of victims . . . not only encourage future ransomware payment demands but also may risk violating OFAC regulations." The purpose of the updated advisory is "to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action."
The updated advisory reiterates and that the "U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks," and highlights the action taken today against SUEX stating:
"OFAC designated SUEX . . . a virtual currency exchange, for its part in facilitating financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants. Analysis of known SUEX transactions showed that over 40% of SUEX’s known transaction history was associated with illicit actors. OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities."
The action and advisory signal OFAC’s expectation that exchanges, custodians, and other crypto related businesses be aware of evolving AML/CFT typologies in crypto beyond detecting suspicious source and destination of funds. By highlighting the risk of nested exchanges, OFAC is also calling on larger regulated exchanges to bolster their controls and ensure that parasitic entities are not unwittingly thriving on their architectures.
OFAC is also reiterating a focus on compliance. In today's interview with TRM, for example, Mr. Scheinert highlighted that OFAC is more likely to resolve an enforcement action with a no-action letter if a victim:
- Fully cooperates with OFAC and law enforcement. The updated advisory expands the list of agencies to which reporting will make a company eligible for what OFAC calls voluntary self-disclosure credit to include the Cyber Security and Infrastructure Security Agency (CISA) as well as OFAC and more traditional law enforcement agencies such as the FBI.
- Hardens cyber defenses. Meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide will be considered a significant mitigating factor in any OFAC enforcement response.
- Maintains a robust compliance program. OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments.
Finally, as OFAC's Michael Lieberman, assistant director for enforcement points out in the interview, the updated advisory "strongly encourages all victims and those involved with addressing ransomware attacks to report the incident," in order to take advantage of mitigating factors down the road. According to OFAC, early reporting will also allow for the best shot to recover stolen data and "prevent or disrupt future attacks." The reporting should be as specific as possible in order to help OFAC and law enforcement track ransomware networks. Lieberman explained, "We'd be looking for the type of the ransomware variants, key dates and facts such as date of the attack, when the attack was discovered, ransomware payment deadlines, payment instructions and the amounts demanded."
Who does all of this impact, and how should they respond?
Today we saw OFAC go after a specific target that enabled illicit activity at unprecedented speed and scale by taking advantage of a regulated exchange. The action was scalpel-esque in its precision — taking care to target an entity that enables ransomware and other illicit activity without targeting the broader licit crypto-economy.
The action also highlights the collateral risks experienced by possibly legitimate businesses operated by the owners and investors of SUEX or other unregulated nested exchanges. These companies may not be named in this action, but their banks, investors, and clients will surely re-consider the wisdom of doing business, be it banking services or payment rails, with the operators of an OFAC-sanctioned crypto exchange.
Major exchanges are also on notice. High-risk nested services, or parasite exchanges, like SUEX present enormous risks to the regulated entities whose infrastructure they share. The potential business benefits of hosting an unregulated nested exchange with lax or non-existent KYC are not clearly outweighed by the systemic risk of an OFAC designation or other regulatory or law enforcement action.
Nested exchanges can also be difficult to detect. As a blockchain intelligence provider that works with some of the world's largest crypto exchanges to help them identify emerging risks such as these, we've been studying the on-chain shape and behavior of nested exchanges since early 2020. Today, TRM users leverage this unique capability, known as Ownership Analytics, to identify parasite exchanges and other nested entities operating on their platforms. For more information on this capability and other on-chain financial crime typologies that may be important for your business to detect, please contact us.
Need support on an investigation?
Fill out the form to speak with our team about investigative professional services.