Watch the Interview: Treasury Comments On Release of Ransomware-Related Data and Guidance


Todd Conklin, Counselor to the Deputy Secretary, joined a special edition of TRM Talks to announce and explain the action: "New industry-specific guidance outlines sanctions compliance best practices tailored to the unique risks posed in this dynamic space, while new data from [FinCEN] shows the increasing threat ransomware posed to the U.S. financial sector, businesses, and the public during the first half of 2021."

Ransomware has increased as a threat to our private sector, with the total value of Suspicious Activity Reports (SARs) in the first half of 2021 totaling $590 million, exceeding the entire total for all of 2020.

In the wake of last month's OFAC designation of non-compliant nested crypto exchange SUEX, the administration has taken a series of measures to coordinate across the federal government and with the private sector on the issue of ransomware. Last week, the U.S. Department of Justice announced the creation of a National Cryptocurrency Enforcement Team (NCET), composed of prosecutors focused on combating the use of crypto for illicit finance. This week the White House issued a fact sheet on ransomware which focused on disrupting ransomware actors and hardening cyber defenses. The fact sheet also addressed the importance of mitigating the risk of illicit activity by enforcing anti-money laundering compliance in the crypto space.

Today's Treasury action, which includes the release of new Ransomware Trends in Bank Secrecy Act data from FinCEN, was the latest move. FinCEN’s analysis of ransomware-related SARs highlights average ransomware payment amounts, prevalent ransomware variants, and prominent ransomware money laundering typologies:

Average Monthly Ransomware Payment Amount: The average amount of reported ransomware transactions per month in 2021 was $102.3 million.

Prevalent Ransomware Variants: FinCEN identified 68 different ransomware variants reported in SAR data for transactions occurring between January 1, 2021 and June 30, 2021. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.

Ransomware Money Laundering Typologies: FinCEN identified several money laundering typologies common among ransomware variants in 2021, including threat actors increasingly requesting payments in Anonymity-Enhanced Cryptocurrencies such as Monero, and avoiding reusing wallet addresses, “chain hopping” and cashing out at centralized exchanges, and using mixing services and decentralized exchanges to convert proceeds.

In addition to the release of FinCEN's report, OFAC also published a brochure titled, "Sanctions Compliance Guidance for the Virtual Currency Industry." The brochure is a resource for the private sector that outlines the longstanding OFAC guidance that sanctions apply to the cryptocurrency space in the same way they do for traditional financial institutions. While the brochure highlights sanctions against North Korean cyber unit Lazarus group in March 2020, and the September 2021 SUEX designation, most of the brochure is dedicated to providing digestible guidance to financial institutions and cryptocurrency businesses on best practices to combat the use of virtual currency by sanctioned persons or jurisdictions.

As OFAC Associate Director of Compliance and Enforcement Lawrence Scheinert explained, "The growing prevalence of virtual currency as a payment method brings greater exposure to sanctions risks—like the risk that a sanctioned person or a person in a jurisdiction subject to sanctions might be involved in a virtual currency transaction. Accordingly, the virtual currency industry, including technology companies, exchangers, administrators, miners, wallet providers, and users, plays an increasingly critical role in preventing sanctioned persons from exploiting virtual currencies to evade sanctions and undermine U.S. foreign policy and national security interests."

OFAC highlights the importance of:

- Geolocation tools to identify and prevent IP addresses that originate in sanctioned jurisdictions;

- Transaction monitoring for connections to sanctioned jurisdictions or transactions with digital currency addresses that have been linked to sanctioned actors;

- Employing transaction monitoring and investigation software that can be used to identify transactions involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List or other sanctions lists, or located in sanctioned jurisdictions;

- Conducting historic lookbacks of transactional activity to identify potential connections to addresses added to the sanctions list;

- Building compliance capabilities that are adaptable to changes in technology and emerging threats and typologies;

- Private sector engagement with OFAC, which "wants to hear from the virtual currency industry about its compliance challenges and to learn what additional guidance, or clarity on existing guidance, would be beneficial."

When OFAC designated SUEX last month, it targeted a non-compliant exchange. However, implicitly, at least, the action sent a message to larger, compliant exchanges, that they need to have compliance programs in place that could mitigate the enormous risks associated with nested entities like SUEX taking advantage of their ecosystems. Today's OFAC brochure sends that same message, but even more directly by laying out what is expected for a sound sanctions compliance program.

When asked what comes next, Mr. Conklin responded, "We are going to continue to target the illicit parts of the crypto ecosystem while also ensuring we are helping to bolster compliance regimes across the entire ecosystem. Fundamentally though, we see ransomware as a cyber security issue. It gets framed in many areas as a cryptocurrency issue, but just attacking the crypto ecosystem is not going to fix the core problem, which is cyber vulnerabilities across multiple sectors."

The role of blockchain analytics

In today's guidance OFAC states, "Sanctions risks are vulnerabilities that, if ignored or mishandled, can lead to violations of OFAC’s regulations and subsequent enforcement actions, harm to U.S. foreign policy and national security interests, and negative impacts on a company’s reputation and business." Having clear guidance from regulators on their expectations is a helpful step in avoiding violations, but as crypto platform operators and financial institutions know, implementing these measures as part of day-to-day workflows can often be easier said than done.

As a provider of the "transaction monitoring and investigation software" referenced at several points throughout the brochure as a tool that helps enable many of these best practices, TRM engages with OFAC and other regulatory bodies to ensure the tools we build are fit for purpose with respect to regulatory guidance and requirements.

For example, on page 15 of the brochure, OFAC describes the more straightforward practice of using transaction monitoring to block transactions associated with virtual currency addresses included on the SDN List.

"As a best practice for risk-based compliance, companies operating in the virtual currency industry should employ tools sufficient to identify and block transactions associated with blocked persons, including transactions associated with those virtual currency addresses included on the SDN List."

But it goes on to introduce the idea of identifying addresses that may pose sanctions risk based on association with explicitly sanctioned addresses:

"Moreover, OFAC’s inclusion of virtual currency addresses on the SDN List may assist the industry in identifying other virtual currency addresses that may be associated with blocked persons or otherwise pose sanctions risk, even if those other addresses are not explicitly listed on the SDN List. For example, unlisted virtual currency addresses that share a wallet with a listed virtual currency address may pose sanctions risk because the sharing of a wallet may indicate an association with a blocked person. Similarly, virtual currency companies may consider conducting a historic lookback of transactional activity after OFAC lists a virtual currency address on the SDN List to identify connections to the listed address."

This idea of risk propagation — taking one known high-risk address and assigning appropriate, accurate risk ratings to addresses associated with it — is something our blockchain intelligence and data science teams at TRM have been focused on for some time. In one recent example, two addresses belonging to an Iranian ransomware group were explicitly sanctioned; TRM identified an additional 180 addresses warranting attribution as linked to a sanctioned entity.
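To make the two practices OFAC describes concrete, here is an added example (not TRM's software or OFAC's guidance, and run on a constructed ledger): it treats "sharing a wallet" as the common multi-input heuristic, meaning addresses spent together in one transaction are assumed to be controlled by the same wallet, propagates the risk of one hypothetical listed address to that cluster, and then runs a historic lookback over past transactions for any touching the expanded set.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data): each tx lists the
# addresses that funded it (inputs) and the addresses it paid (outputs).
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["X1"]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": ["X2"]},
    {"txid": "t3", "inputs": ["B1"], "outputs": ["A3"]},
    {"txid": "t4", "inputs": ["C1"], "outputs": ["C2"]},
    {"txid": "t5", "inputs": ["X1"], "outputs": ["EXCH_DEPOSIT"]},
]

# Hypothetical listing: assume "A1" is the address newly added to the SDN List.
SDN_ADDRESSES = {"A1"}


def shared_wallet_clusters(txs):
    """Union-find over the multi-input heuristic: addresses spent together
    as inputs of one transaction are assumed to share a wallet."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        ins = tx["inputs"]
        for addr in ins[1:]:  # single-input (or empty) txs link nothing
            parent[find(addr)] = find(ins[0])
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return {a: clusters[find(a)] for a in parent}


def propagate_risk(txs, listed):
    """Expand the listed addresses to every address sharing a wallet with them."""
    clusters = shared_wallet_clusters(txs)
    risky = set(listed)
    for addr in listed:
        risky |= clusters.get(addr, set())
    return risky


def historic_lookback(txs, risky):
    """Lookback: txids whose inputs or outputs touch the expanded risk set."""
    return sorted(
        tx["txid"] for tx in txs
        if risky & set(tx["inputs"]) or risky & set(tx["outputs"])
    )
```

Flagged transactions would then feed the escalation and record-keeping controls the brochure calls for, rather than being blocked automatically, since co-spend clustering can produce false positives (for example at exchanges or mixers).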

OFAC highlights the need for a risk-based compliance program that includes "controls to identify, interdict, escalate, report (as appropriate), and maintain records for transactions or activities prohibited by OFAC-administered sanctions." We see the role of blockchain analytics as increasingly critical to organizations' ability to fulfill this requirement.
