The Biden administration sought Tuesday to choke the finances of criminal ransomware gangs, announcing sanctions against a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency.
The Treasury Department sanctions are aimed at kneecapping the economic infrastructure of a ransomware threat that has surged over the last year, crippling corporations, schools, hospitals and critical infrastructure, including a major fuel pipeline. Ransomware payments reached more than $400 million in 2020, the costliest year on record.
The goal is to go after the “financial enablers” of ransomware gangs, Deputy Treasury Secretary Wally Adeyemo told reporters. “Today’s action is a signal of our intention to expose and disrupt the illicit infrastructure using these attacks.”
The blacklisted brokerage is SUEX OTC, a so-called “nested exchange” that conducted transactions from accounts on major, legal global cryptocurrency exchanges. Such operations process a disproportionate amount of illicit transactions, Adeyemo said. In the case of SUEX, officials said, more than 40% of its known transactions have been associated with illicit actors. That’s more than $370 million, according to the cryptocurrency-tracking firm Elliptic.
Through its Office of Foreign Assets Control, the Treasury Department has previously sanctioned ransomware developers and distributors — though periodic retirements and rebrandings of ransomware strains have complicated those efforts. Officials say more such designations are possible.
SUEX is among the biggest and most active of a small group of illicit services that handle most money laundering for cybercriminals including scammers and darknet market operators, another crypto transaction-tracking firm, Chainalysis, said in a blog post. Such firms work closely with law enforcement to track criminal money laundering online.
Although legally registered in the Czech Republic, SUEX has no known physical presence there and operates out of branches in Moscow and St. Petersburg, Russia, where users can cash out their virtual currency, said Chainalysis, adding that it also has operations in the Middle East.
Chainalysis said SUEX claims it can convert cryptocurrency holdings into cash and even real estate, cars and yachts.
Most ransomware gangs operate out of reach of Western law enforcement in Russia and allied states. President Joe Biden has repeatedly told Vladimir Putin that he expects the Russian president to crack down on the gangs, but administration officials say they have seen no signs that Moscow is cooperating.
Chainalysis said SUEX was laundering money from the illicit cryptocurrency exchange BTC-e, which U.S. authorities shut down, perhaps on behalf of administrators, associates or former users. BTC-e’s operator, arrested on holiday in Greece, was sentenced to five years in prison by a French court in December.
“SUEX largely communicated with its clients on the Telegram app and accepted new customers on a system of referrals from trusted intermediaries. This was not the kind of business where a random person on the internet could open an account,” another crypto-tracking firm, TRM Labs, said in a blog post. “Transactions were only completed in-person at SUEX’s offices.”
TRM Labs CEO Esteban Castaño said SUEX is what is known as a “parasite exchange.” They are difficult to detect by the legitimate exchanges whose infrastructure they exploit because they open accounts using fraudulent or stolen credentials to meet know-thy-customer requirements and then fly under the radar.
Chainalysis said SUEX deposit addresses hosted at large exchanges have received over $160 million in Bitcoin alone from cybercriminals since the brokerage opened in early 2018, including nearly $13 million from ransomware operators including Ryuk, Conti and Maze. Ethereum and Tether are among other cryptoassets SUEX handled.
The Treasury Department said it is also updating guidance for ransomware victims that it first issued last year. The advisory strongly discourages victims from paying ransomware, reminding them that some transactions are against the law, and urges victims to report attacks to law enforcement.
“The reality is that the thing we know about this ecosystem is the way that we prevent ransomware attacks is by making sure that we get law enforcement engaged as soon as possible,” Adeyemo said.