November 8, 2021
U.S. Treasury designates crypto exchange Chatex for facilitating ransomware payments
Today the U.S. Treasury's Office of Foreign Assets Control (OFAC), as part of a series of coordinated actions across the U.S. government also involving the Department of Justice (DOJ) and the State Department, used economic sanctions against a second cryptocurrency exchange in under two months. Today’s actions include the designation of Chatex, a virtual currency exchange, and its support network for facilitating ransomware payments and other illicit activity. According to the press release from the Treasury Department, Chatex "has facilitated transactions for multiple ransomware variants."
On September 21, 2021, OFAC took its first-ever action against a cryptocurrency exchange, SUEX.io, a concierge cryptocurrency exchanger incorporated in Czechia but operating in Russia. SUEX, which operated as a so-called "nested" exchange or "parasite VASP," did not directly custody its clients' crypto. Instead, it fed off the infrastructure of a large, global cryptocurrency exchange to conduct its transactions. Nested exchanges often take advantage of the greater liquidity and lower transaction costs of big, multinational exchanges while presenting customers with a custom-made interface obscuring the connection to the larger service. Using this relationship with a large exchange, and access to cash from unknown sources, SUEX was able to convert the illicit monies of its clients to physical cash at an alarming scale. See TRM's commentary on Suex here.
According to Treasury, Chatex has direct ties with SUEX, using SUEX’s function as a nested exchange to conduct transactions. Chatex is being designated today for providing material support to SUEX. Treasury is also taking aim at the network of those providing support to SUEX and Chatex including companies IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd. According to Treasury, these three companies set up the infrastructure for Chatex, enabling Chatex operations and the ensuing illicit payments.
OFAC is also designating two individuals associated with ransomware today: Ukrainian Yaroslav Vasinskyi (Vasinskyi) and Russian Yevgeniy Polyanin (Polyanin). According to Treasury, "these two individuals are part of a cybercriminal group that has engaged in ransomware activities and received more than $200 million in ransom payments paid in Bitcoin and Monero."
In addition, the Financial Crimes Enforcement Network (FinCEN) is releasing an update to its 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, which provides red flag indicators associated with ransomware to financial institutions, including cryptocurrency-related businesses, in order to help them identify and report suspicious transactions under the Bank Secrecy Act.
The latest in a steady drum beat of ransomware actions
The U.S. government has made clear that it plans to go after Chatex, SUEX and others that fill an essential niche in the ecosystem of non-compliant exchanges that, either through willful ignorance or witting cooperation, facilitate the conversion of illicit crypto ransoms into real-world currency.
In a speech last week, Treasury Deputy Secretary Wally Adeyemo previewed today's action saying:
Treasury is prepared to use "targeted sanctions designations not simply to hold bad actors responsible, but also to shine a light on the parts of the virtual currency ecosystem home to illicit activity – and to make it clear what Treasury sees as a threat. Right now, mixing services, darknet markets, and nested exchanges used to launder or cash out illicit funds are at the top of our list of concerns."
As Todd Conklin, Counselor to the Deputy Secretary, explained in an interview with TRM Labs after announcing the SUEX designation, "There's an illicit underbelly that has been forming in the smaller nested exchange and mixer ecosystem, which we want to shine a light on. Higher percentages of these particular exchanges' transactions are on behalf of criminal and ransomware actors. We just can't allow the smaller nested exchanges to serve as backdoors for illicit activity. It clouds the entire ecosystem, which is predominantly conducting licit business."
Today's Treasury and DOJ actions are yet another assault against ransomware in what has become a steady drum beat of actions and announcements meant to curtail the threat of attacks by cybercriminals and nation state actors. Here are just some of the steps that the U.S. government has taken since the May 7 ransomware attack on Colonial Pipeline:
- May 12, President Biden signs Executive Order on Improving the Nation’s Cybersecurity as an attempt to remove barriers to information sharing between the public and private sectors and to modernize the federal government's cyber defenses.
- June 2, the White House issues an open letter to the private sector providing an outline of best practices to harden cyber defenses.
- June 3, the United States Department of Justice orders United States Attorneys across the country to coordinate cases involving ransomware and other cyberattacks with the newly created Ransomware and Digital Extortion Task Force.
- June 4, FBI Director Christopher Wray compares the ransomware scourge to 9-11. “There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention.”
- July 15, the White House announces the formation of an interagency task force on ransomware.
- July 27, the Senate Judiciary Committee held a hearing titled “America Under Cyber Siege: Preventing and Responding to Ransomware Attacks,” with a witness panel of U.S. government officials including representatives from DOJ, FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Secret Service.
- August 25, the Biden Administration met with private sector leaders to announce a series of initiatives to bolster the nation's cybersecurity.
- September 21, OFAC announces the designation of non-compliant nested exchange SUEX for facilitating ransomware payments. This is the first time OFAC has used sanctions against a cryptocurrency business.
- October 6, the U.S. Department of Justice announced the creation of a National Cryptocurrency Enforcement Team (NCET) comprised of prosecutors focused on combatting the use of crypto for illicit finance.
- October 13, the White House issued a fact sheet on ransomware which focused on disrupting ransomware actors and hardening cyber defenses. The fact sheet grew out of an agreement between 30 countries "to accelerate cooperation on improving network resilience, addressing the financial systems that make ransomware profitable, disrupting the ransomware ecosystem via law enforcement collaboration, and leveraging the tools of diplomacy to address safe harbors and improve partner capacity." The fact sheet also addressed the importance of mitigating the risk of illicit activity by enforcing anti-money laundering compliance in the crypto space.
- October 15, Treasury announced FinCEN's Ransomware Trends in Bank Secrecy Act data, a new analysis of ransomware-related SARs which highlights average ransomware payment amounts, prevalent ransomware variants, and prominent ransomware money laundering typologies. In addition, OFAC published a brochure titled, "Sanctions Compliance Guidance for the Virtual Currency Industry." The brochure is a resource for the private sector that outlines OFAC's longstanding guidance in the cryptocurrency space. Check out TRM's full coverage of the rollout.
- October 19, Deputy Treasury Secretary Wally Adeyemo, at a Senate Banking, Housing and Urban Affairs Committee hearing, told lawmakers that the recent designation of Suex was just the beginning of Treasury's focus on non-compliant entities that facilitate ransomware payments and other illicit activity. "As you know we recently sanctioned a crypto exchange that predominantly facilitated ransomware attacks. We're also looking at other exchanges and other mixers that are doing the same in order to hold them accountable and working with our international counterparts to do so as well," he said.
- November 4, Deputy Treasury Secretary Wally Adeyemo gave a speech detailing the importance of working with the private sector to harden cyber defenses and continued efforts by OFAC and others to go after "mixing services, darknet markets, and nested exchanges used to launder or cash out illicit funds."