The U.S. government has sanctioned a cryptocurrency exchange for the first time as part of its ongoing fight against ransomware attacks.
The Treasury Department announced Tuesday it is adding Russia-based Suex.io to its list of specially designated nationals (SDNs) for its alleged role in facilitating cryptocurrency transactions for ransomware attackers.
As a result of the designation, which puts Suex in a category with suspected terrorists and drug traffickers, U.S. residents and citizens are forbidden to do business with the exchange, on penalty of fines or prison.
Deputy Treasury Secretary Adewale Adeyemo said in a press call ahead of the announcement that Suex facilitated transactions from at least eight ransomware variants, and as much as 40% of Suex’s transaction volume was associated with addresses linked to known malicious actors.
“Exchanges like Suex are critical to attackers’ ability to extract profits from ransomware attacks. Today’s action is a signal of our intention to expose and disrupt the illicit infrastructure used in these attacks,” Adeyemo said.
The Wall Street Journal reported Friday the Treasury Department intends to impose sanctions to take on ransomware.
The Treasury Department said in a press release the U.S. would block any Suex property within its borders.
Treasury’s Office of Foreign Assets Control (OFAC), the division in charge of the SDN list, has sanctioned individual middlemen who process crypto transactions since 2018, when it added two people charged with facilitating transactions from victims of the SamSam ransomware.
The Treasury did not sanction any individuals working for the exchange at press time. Spokespeople for the department did not respond to a question about whether any employees would be added.
The Treasury Department also updated its 2020 guidance on ransomware payments, which states that “facilitating ransomware payments on behalf of a victim may violate OFAC regulations.”
Suex is nominally based in the Czech Republic but operates out of Russia, according to a blog post by TRM Labs.
The post, which summarizes a TRM investigation, says Suex began operations “under the corporate ownership” of Izibits OU, an Estonian-licensed virtual asset service provider. TRM claims the exchange’s executives are Vasilii Zhabykin, who the blog says may be affiliated with a major Russian telecom, and Tibor Bokor, a Czech venture capitalist.
While the Treasury Department did not identify any specific attacks Suex abetted, Chainalysis said in a blog post that payments made by victims of the Ryuk, Conti and Maze ransomware attacks ultimately went through the exchange.
Chainalysis identified some $13 million in bitcoin transactions sent through Suex directly tied to ransomware attacks. Scammers sent another $24 million in bitcoin, while another $20 million in bitcoin was tied to Hydra and other darknet markets.
Overall, Chainalysis said, the exchange has received over $480 million in bitcoin transactions since February 2018. The analytics firm was able to tie at least $160 million worth of that to illicit activities.
Both TRM and Chainalysis said Suex is a “nested service,” meaning it borrows custody and address services from a larger, better-established service.
In other words, the exchange did not directly provide custody services. TRM said the exchange required customers to transact in person at its offices, and only accepted customers through referrals.
Neither TRM nor Chainalysis identified the exchange or exchanges with which Suex worked, but TRM said the company had “access to cash from unknown sources.”
Chainalysis also identified more than $50 million in cryptocurrency transactions sent to Suex from addresses tied to BTC-e, a crypto exchange U.S. authorities seized in 2017 on allegations it facilitated money laundering.
Many of these transactions occurred after BTC-e was officially shut down, Chainalysis said.
Anne Neuberger, the deputy national security adviser to the Biden administration, reiterated Treasury’s approach to ransomware attacks in the press call, laying out a four-pronged strategy that includes disrupting ransomware actors and infrastructure, shoring up possible target entities, limiting cryptocurrency payments and building international cooperation to mitigate future attacks.
“This effort builds on our international efforts, often led by Treasury, to ensure proper regulation and know-your-customer controls overseas to virtual currency exchanges and we’re also building our industry partnerships and analytic capabilities to support interdiction events,” she said.
Neuberger, who oversees cybersecurity and emerging technologies for the White House, announced the federal government was creating a dedicated group to examine ransomware earlier this summer.
The group was formed in the wake of several high-profile ransomware attacks on critical infrastructure, including interstate gas provider Colonial Pipeline, meat processor JBS and software provider Kaseya.
Adeyemo said the Treasury Department is focused on other types of crypto transaction facilitators, including mixers and what role they might play in illegal transactions.
“We’re going to continue to look at [exchanges] within this ecosystem and also look at mixers and see whether and to look for other actions we can take for payments given the importance to protecting our national security,” he said.
Neither federal official said whether any specific mixer-related actions are forthcoming, but the U.S. Department of Justice has already warned that using mixers may in and of itself be a crime.
Adeyemo closed the press call with an acknowledgement that cryptocurrencies are not only being used for illegal activities.
“We recognize that the vast majority of activity that’s happening in the virtual currencies is legitimate activity, but we also do know that these criminals are using some of these exchanges and mixers and peer-to-peer services to conduct illicit activity that is not in our national interests,” he said.
Daniel Nelson contributed reporting.
UPDATE (Sept. 21, 2021, 14:50 UTC): Adds link to OFAC release.