
Ransomware

U.S. Treasury Department Sanctions Bitcoin (BTC) Addresses Linked to Ransomware

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) is taking action against a ransomware group targeting individuals and companies in the United States by adding associated persons and their property to the Specially Designated Nationals and Blocked Persons List (SDN). In a statement, the Treasury Department says that it is sanctioning the ransomware […]

The post U.S. Treasury Department Sanctions Bitcoin (BTC) Addresses Linked to Ransomware appeared first on The Daily Hodl.

Blackrock Reinforces Tokenization Drive Leading $47 Million Funding Round in Digitization Company Securitize

OFAC Sanctions 7 New Bitcoin Addresses Allegedly Associated With Iran-Related Ransomware Activities

The Treasury’s Office of Foreign Assets Control (OFAC) has published an update to its Specially Designated Nationals list (OFAC’s SDN List) that names a number of individuals accused of involvement in Iran-related ransomware. The list also shows seven bitcoin addresses allegedly associated with the Iranian ransomware gang. Iran Adds 7 New Bitcoin Addresses to […]

US Treasury sanctions Iran-based ransomware group and associated Bitcoin addresses

The Office of Foreign Assets Control sanctioned 7 Bitcoin addresses allegedly connected to Iranian nationals Ahmad Khatibi Aghada and Amir Hossein Nikaeed Ravar.

The United States Treasury Department’s Office of Foreign Assets Control has added 10 individuals, 2 entities and several crypto addresses allegedly tied to an Iranian ransomware group to its list of Specially Designated Nationals, effectively making it illegal for U.S. persons and companies to engage with them.

In a Wednesday announcement, the U.S. Treasury said the individuals and companies in the ransomware group were affiliated with Iran’s Islamic Revolutionary Guard Corps, a branch of the country’s military. The group allegedly “conducted a varied range of malicious cyber-enabled activities,” including compromising the systems of a U.S.-based children’s hospital in June 2021 and targeting “U.S. and Middle Eastern defense, diplomatic, and government personnel.”

OFAC listed 7 Bitcoin (BTC) addresses allegedly connected to 2 of the Iranian nationals — Ahmad Khatibi Aghada and Amir Hossein Nikaeed Ravar — as part of its secondary sanctions. According to the Treasury Department, Khatibi has been associated with technology and computer services firm Afkar System — one of the two entities sanctioned in the same announcement — since 2007. The department alleged that Nikaeed “leased and registered network infrastructure” to assist the ransomware group.

“Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board — directly threatening the physical security and economy of the United States and other nations,” said Brian Nelson, undersecretary of the Treasury for Terrorism and Financial Intelligence. “We will continue to take coordinated action with our global partners to combat and deter ransomware threats.”

The notice came as the Justice Department announced an indictment against Khatibi, Nikaeed and Mansour Ahmadi — also one of the individuals listed in OFAC’s sanctions — for allegedly “orchestrating a scheme to hack into the computer networks” of entities and individuals in the United States, including the attacks cited by the Treasury. According to the Justice Department, the Iranian ransomware group targeted a New Jersey-based accounting firm in February 2022, with Khatibi demanding $50,000 in cryptocurrency in exchange for not selling the company’s data on the black market.

On Aug. 8, OFAC added more than 40 cryptocurrency addresses connected to the controversial mixer Tornado Cash to its list of Specially Designated Nationals, prompting criticism from many figures in and out of the space. Treasury clarified on Tuesday that U.S. persons and entities were not prohibited from sharing Tornado Cash’s code, but that they required a special license to complete transactions initiated before the sanctions were imposed or to make withdrawals.

FBI seeks Bitcoin wallet information of ransomware attackers

The FBI, along with two other federal agencies, CISA and MS-ISAC, asked U.S. citizens to report information that helps track the whereabouts of the hackers.

Three federal agencies in the United States — the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) — jointly issued an advisory seeking information to curb ransomware attacks.

As part of the #StopRansomware campaign, the joint cybersecurity advisory alerted citizens of Vice Society, a ransomware-type program that encrypts data and demands ransom for decryption.

The trio anticipates a spike in ransomware attacks, primarily aimed at educational institutions, adding that “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.”

While proactive measures remain vital to countering ransomware, the FBI asked U.S. citizens to report information that helps track the whereabouts of the hackers. Key information the FBI seeks includes Bitcoin (BTC) wallet information, ransom notes and IP addresses linked to the attacker.

By using wallet addresses, authorities can backtrack illicit transactions on Bitcoin’s immutable blockchain without worrying about the trail going cold.

While Bitcoin enables frictionless cross-border transactions, most attackers prefer using fiat currencies to fund their illicit activities. It was also found that only 0.15% of activity on blockchains in 2021 was crime-related, a share that has been falling consistently year over year.

Moreover, the three federal agencies strongly discourage Americans from paying ransom “as payment does not guarantee victim files will be recovered.” Individuals affected by ransomware attacks can report the details by visiting a local FBI office or through official communication channels.

The Dutch Public Prosecution Service recently tracked down crypto wallets associated with a ransomware attack on Netherlands-based Maastricht University (UM).

In 2019, a ransomware attack froze all of UM’s digital assets, such as research data, emails and library resources. UM later agreed to pay the hackers’ demand of €200,000 in BTC, which is currently valued at roughly €500,000.

Russian Accused of Laundering Cryptocurrency From Ransomware Attacks Extradited to US

A Russian national suspected of laundering ransomware payments in cryptocurrency on behalf of cybercriminals targeting hospitals has been extradited to the U.S. by the Netherlands. The man was allegedly involved in the criminal activity for three years before his arrest in Amsterdam last November. Alleged Russian Money Launderer Handed Over to U.S. […]

‘Cryptojacking’ rises 30% to record highs despite crypto slump: Report

Cryptojacking has become a lucrative choice for cybercriminals as many victims are unaware they have been compromised.

New research shows that despite falling digital asset prices, cryptojacking has reached record levels in the first half of 2022.

According to a mid-year update on cyber threats by American cybersecurity company SonicWall, global cryptojacking volumes rose by $66.7 million, or 30%, in the first half of 2022 compared to the same period last year.

Cryptojacking is a cybercrime whereby malicious actors commandeer a victim’s computer resources by infecting the machine with malware designed to mine cryptocurrencies. It is often executed through vulnerabilities in web browsers and extensions.

Source: SonicWall

The report stated that the overall rise in cryptojacking can be attributed to a couple of factors.

Firstly, cybercriminals are leveraging the Log4j vulnerability to deploy attacks in the cloud. In December 2021, a critical vulnerability was discovered in Log4j, the Java-based logging utility in the open-source library maintained by software company Apache. Hackers can exploit it to gain remote access to a system.

Secondly, cryptojacking is a lower-risk attack than ransomware, which must reveal itself to the victim in order to succeed. Cryptojacking victims are often unaware that their computers or networks have been compromised.

Finance sector beware

Attackers also appeared to have changed their preferred targets during the period, moving from the government, healthcare and education sectors to the retail and financial sectors.

Cryptojacking attacks targeting the finance sector skyrocketed 269% in the period, more than five times greater than the second highest industry — retail, which saw attacks increase by 63%.

“The number of attacks on the finance industry is five times greater than the second highest industry — retail, which used to be at the very bottom of the list,” the researchers noted.

The researchers noted, however, that the volume of cryptojacking attacks began to fall alongside the crypto markets in the first half of the year, as attacks became less lucrative.

They observed a pattern of significantly higher volumes in the first quarter, followed by a “cryptojacking summer slump” in Q2. The firm said that, based on past trends, Q3 volumes will likely also be low, with attacks likely to pick up again in Q4.

This year’s summer decline has also been attributed to the fall in crypto asset prices, as markets have shrunk by 57% since the beginning of the year.

DOJ Seizes $500K in Ransom Payments, Cryptocurrency From State-Sponsored North Korean Hackers

The U.S. Department of Justice (DOJ) has seized $500K in ransom payments and cryptocurrency from a state-sponsored North Korean group. “We are returning the stolen funds to the victims,” Deputy Attorney General Lisa O. Monaco said, adding that the seized funds include ransoms paid by health care providers in Kansas and Colorado. DOJ Seizes Crypto […]

Insurance Company Sued for Refusing to Cover $7.5 Million Bitcoin Ransom Payment

A British jeweler has sued its insurance company for refusing to cover a bitcoin ransom payment of $7.5 million. The jeweler paid the hackers to prevent sensitive customer data from being published.

Insurance Company Faces Lawsuit for Refusing to Cover Bitcoin Ransom Payment

A luxury British jeweler, Graff, has sued its insurer, The Travelers Companies, […]

Dutch university set to recover more than twice the BTC ransom it paid in 2019

The university reluctantly paid €200,000 in Bitcoin in December 2019 to avoid losing critical research data and resources.

Netherlands-based Maastricht University (UM) is set to recover nearly €500,000 worth of Bitcoin (BTC) after police authorities managed to solve the infamous ransomware attack of December 2019.

In 2019, a ransomware attack on the university froze all of its research data, emails and library resources. The hackers demanded €200,000 in BTC, and the university decided to pay, fearing the loss of critical research data.

In 2020, the Dutch Public Prosecution Service (DPPS) managed to trace one of the crypto wallets associated with the hack to Ukraine and froze the funds in the account, valued at only €40,000 at the time. Over the next two years, the DPPS managed to secure the contents of the account, including nearly one-fifth of the stolen BTC.

The value of the partial ransom recovered by the authorities has reached €500,000, more than double the amount the university paid two and a half years ago, thanks to the price surge of the top cryptocurrency during the 2021 bull run.

In its official statement, the university said that even though the monetary value of the recovered ransom is higher, it cannot undo the damage done by the hackers. The university’s official blog post said:

“The Netherlands Public Prosecution Service was able to seize cryptocurrencies worth approximately €500,000 which may be made available to UM. This is still less than the damages incurred by the university, but it is a nice sum to be used to support students in need.”

The seized funds are currently held by the DPPS, and legal proceedings have been initiated to transfer them to the university. The university’s executive board has decided to use the recovered funds to help students in financial need.

The seizure of crypto funds by authorities highlights the importance of the decentralized and transparent public ledger used by BTC and crypto in general. While critics often portray crypto as an opaque and anonymous system preferred by criminals, research data indicate that less than 1% of crypto currently in circulation is associated with illicit activities.

Even stolen and ransom crypto funds are often tracked down and recovered. For example, the United States authorities managed to recover $2.3 million in crypto from the Colonial Pipeline ransom.

Infamous North Korean hacker group identified as suspect for $100M Harmony attack

A new report suggests that a notorious North Korea-affiliated hacking group may be behind last week’s $100 million Harmony attack.

The Lazarus Group, a well-known North Korean hacking syndicate, has been identified as the primary suspect in the recent attack that saw $100 million stolen from the Harmony protocol.

According to a new report published today by blockchain analysis firm Elliptic, the manner in which Harmony’s Horizon Bridge was hacked, and the way the stolen digital assets were subsequently laundered, bear a striking resemblance to other Lazarus Group attacks.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds.”

Additionally, Elliptic outlined how the heist was executed, noting that the Lazarus Group targeted the login credentials of Harmony employees in the Asia Pacific region to breach the protocol’s security system. After gaining control of the protocol, the hackers deployed automated laundering programs that moved the stolen assets late at night.

Elliptic also noted that the hackers have already transferred over 40% of the $100 million to Tornado Mixer, an Ethereum-based “mixing service” that obscures transaction data and makes it extremely difficult for investigators to trace the movement of funds.

Initially, the Harmony team offered up a $1 million bounty as an incentive for the hackers to return the funds. However, on June 29, Harmony upped the bounty to $10 million, and claimed that a full return of funds would cease the investigation and no further criminal charges would be pursued.

The $600 million Ronin bridge hack, which occurred in April, has also been linked to the Lazarus Group. Due to current market conditions, the value of the stolen Ether (ETH) has plummeted by more than 60%, to $230 million.

A recent report from Coinclub.com indicates that North Korea has deployed 7,000 full-time hackers to raise funds through cyberattacks, ransomware and crypto protocol hacks. North Korea is the world leader in cryptocurrency-related crime, with over 15 documented instances of cyber theft amounting to roughly $1.59 billion in stolen funds.

Harmony’s Horizon Bridge is the latest addition to a growing list of token bridges that have been attacked, including Meter, Wormhole and Ronin, bringing the total amount of token-bridge-related theft to a little over $1 billion in 2022 alone.

The largest token bridge to be hacked was Poly Network in 2021, which lost $610 million that was almost entirely returned.