On Wednesday, the Department of Justice released an unsealed indictment charging two Iranians, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, with distributing the SamSam ransomware that has been used since 2015 to target more than 200 victims, including the city of Atlanta, the Hollywood Presbyterian Medical Center in Los Angeles, and the University of Calgary, costing those victims more than $30 million collectively. This type of indictment has become relatively routine—in the past five years, the U.S. government has filed indictments against Chinese, Iranian, North Korean and Russian government operatives for alleged cybercrimes (though the latest indictment does not indicate that Savandi and Mansouri were working for the Iranian government).
As a general rule, these indictments serve primarily to name and shame the perpetrators rather than as the precursor to any arrests or trials, since the people charged in these documents are never turned over by their home governments. Savandi and Mansouri are no exception in that regard. But while this case echoes many previous attempts at charging international cybercrime perpetrators, it is new and different in at least one major way. In addition to charging Savandi and Mansouri, the U.S. government took steps last week to sanction two other Iranians, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who helped the criminals exchange the bitcoins they were paid as ransoms for local Iranian currency.
This is both a big deal and also, potentially, a relatively trivial obstacle for the extortionists to overcome.
In a statement Wednesday, the Treasury Department’s Office of Foreign Assets Control published Khorashadizadeh and Ghorbaniyan’s digital currency addresses: 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V
By making those Bitcoin wallet addresses public and associating them with the names of their owners, OFAC not only undermined the supposed anonymity of cryptocurrency, it also forbade U.S. individuals and organizations from making payments to those addresses or helping them process any transactions.
As with so many law enforcement attempts to crack down on international cybercrime, this is both a big deal and also, potentially, a relatively trivial obstacle for the extortionists to overcome. It’s a big deal because cybercrimes like those the SamSam ransomware were used for are primarily financially motivated. If the perpetrators can’t make money off of them, then they won’t bother to carry them out in the first place. The indictment estimates that Savandi and Mansouri generated more than $6 million in ransom payments using the SamSam malware. If it were actually possible to block them from being able to access that money or convert it into nonvirtual currencies, such as Iranian rial, then they would probably have to find a new line of work to support themselves.
Discouraging cybercrime by making it less profitable and catching cybercriminals by following their financial profits have long been important strategies for law enforcement. Historically, that has meant a lot of tracing stolen credit card numbers back to who is selling them, and whom they then send their profits on to. It can also mean pre-emptively canceling stolen cards so that data cannot be monetized, or encouraging payment networks to blacklist the banks that process transactions for criminals.
Ransomware schemes like SamSam that rely on cryptocurrency payments have undermined many of these policing efforts because cryptocurrencies are not susceptible to many of these regulatory approaches. So the Office of Foreign Assets Control’s attempt to go after the monetization stages of a major ransomware scheme is a big deal because it attempts to replicate one of the most effective and promising techniques for disincentivizing financially motivated cybercrime and to apply it to a new kind of crime—and a new breed of currency. OFAC’s announcement is meant to signal that cryptocurrencies are not quite so anonymous and so impossible-to-regulate as people have been led to believe, that it is in fact possible to crack down on illegal uses of bitcoin and trace the people behind those uses and impose sanctions on them. For people who want to use cryptocurrencies for legal purposes, this would actually be good news—it would mean that those currencies could in fact be regulated, protected, and traced in ways that would make them safer and more widely acceptable.
Furthermore, if it were actually possible to block Khorashadizadeh and Ghorbaniyan from receiving any more payments from the United States or exchanging their accumulated cryptocurrency wealth for hard currency, that would be a major step toward making ransomware less profitable and, by extension, less prevalent. Of course, Savandi and Mansouri could always find new people to exchange their ransom profits, but others might take notice of what happened to their previous partners and be wary of ending up on the receiving end of OFAC’s wrath.
The problem is that it’s not clear that announcing and sanctioning two cryptocurrency addresses will actually have any effect, either on their owners’ ability to receive cryptocurrency payments from the U.S. or on their ability to exchange their amassed cryptocurrency funds into real money. After all, Khorashadizadeh and Ghorbaniyan can easily set up new addresses and, if they want, transfer any or all of their funds into those new wallets. Perhaps OFAC will be able to keep pace with these changes and identify and publish these new addresses as quickly as they are created. If so, that will be a major blow to criminals relying on cryptocurrencies worldwide. If not, however, the trumpeted sanctions on these two specific virtual currency addresses may backfire—showing the world just how little control the U.S. government is actually able to exercise over international cybercriminals and their income.