US Treasury Blacklists Russia-Based Crypto Exchange'Suex' Accused of Laundering Tens of Millions of Dollars for Cybercriminals
The U.S. Department of the Treasury has blacklisted Russia-based cryptocurrency exchange Suex for allegedly laundering tens of millions of dollars for ransomware operators, scammers and darknet markets. It is the first such designation for a virtual currency exchange and part of the Biden administration's efforts to undermine ransomware's financial infrastructure.
The department will now add Suex to the Specially Designated Nationals and Blocked Persons List, effectively barring Americans from doing business with the company.
In what it calls a "whole-of-government" effort to counter ransomware, the Treasury Department says its actions aim to disrupt criminal networks and virtual currency exchanges responsible for laundering ransoms.
"Ransomware and cyberattacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors," says Treasury Secretary Janet Yellen. "As cybercriminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter and prevent ransomware attacks."
Treasury officials say ransomware payments reached over $400 million in 2020 - four times their level in 2019. In addition to the millions paid out in ransoms, the disruption to critical sectors, including financial services, healthcare and energy, "can cause severe damage," they add.
Government's Stance on Ransoms
The Treasury Department's Office of Foreign Assets Control, or OFAC, has officially blacklisted the Russian exchange for allegedly enabling cybercrime - including laundering proceeds from at least eight ransomware variants. More than 40% of the exchange's known transaction history is associated with illicit actors, officials say.
They continue: "Virtual currencies can be used for illicit activity through peer-to-peer exchangers, mixers and exchanges. This includes the facilitation of sanctions evasion, ransomware schemes and other cybercrimes." The department seeks to prevent "illicit actors from exploiting virtual currencies to undermine U.S. foreign policy and national security interest[s]."
In a statement provided to ISMG, Rep. Jim Langevin, D-R.I., a senior member of the House Committee on Homeland Security and a member of the Cyberspace Solarium Commission says, "The excellent ransomware guidance released today … makes clear that the U.S. government does not support ransom payments for hackers, which serve only to perpetuate the cybercriminal ecosystem."
Langevin says the guidance "reiterates that strict liability will hold individuals and businesses to account if they support a sanctioned entity by paying a ransom."
Additionally, Marcus Fowler, a former department chief for the Central Intelligence Agency, says, "Not only [is Suex now] effectively cut off from the U.S. dollar, but the sanctions also create stigma in a market where reputation and trust are everything."
Fowler, currently the director of strategic threat at the firm Darktrace, adds, "More importantly, this is a strong wake-up call for the crypto market and sets an example for other exchanges." Still, he says, "we would have to be naive to think this will stop sophisticated cybercriminals."
“Today’s announcement wisely manages the fine line between discouraging ransomware payments and penalizing the victims, such as America’s schools, hospitals and critical infrastructure," says Angelena Bradfield, senior vice president of AML/BSA, sanctions and privacy at the Bank Policy Institute, a financial services advocacy organization. "We commend these efforts to encourage strong cybersecurity practices.”
According to blockchain analytics firm Chainalysis, Suex has moved hundreds of millions of dollars' worth of cryptocurrency - mostly in bitcoin, ether and tether - since opening in 2018. The analytics firm, which aided law enforcement agencies in this investigation, says Suex's deposit addresses had received over $160 million in bitcoin alone from ransomware actors, scammers and darknet operators.
Chainalysis' investigation showed that Suex converts cryptocurrency into cash at physical branches in Moscow and St. Petersburg, Russia, and possibly elsewhere. The firm says that between 2018 and 2021, Suex also received more than $50 million worth of bitcoin sent from BTC-e-hosted addresses, an illicit crypto exchange shuttered by the U.S. Department of Justice in 2017.
"[This] designation is important because it represents significant action taken by the U.S. government to combat the money launderers who make all other forms of cryptocurrency-based crime profitable," say experts at Chainalysis in a new blog post. "A very small group of illicit services facilitates the majority of the money laundering for all cryptocurrency-based crime. Suex is one of the biggest and most active of those services."
But Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center and currently a security awareness advocate for the firm KnowBe4, suggests, "By putting [Suex] on a sanction list, this has now limited the options for organizations that find themselves in a situation where they must pay the ransom."
Aiding Prominent Criminal Gangs
Suex, registered in the Czech Republic, is believed to have no physical presence there, instead operating out of branches in Russia and the Middle East. According to Chainalysis, it claims to convert cryptocurrency holdings into cash and facilitate the exchange of cryptocurrency into physical assets including cars, real estate and yachts. The firm says some of Suex's illegal activity includes receiving:
- Nearly $13 million from ransomware operators such as Ryuk, Conti and Maze;
- More than $24 million from cryptocurrency scam operators;
- More than $20 million from darknet markets, including Russia-based Hydra Market.
OFAC also released an advisory on potential sanctions risks for entities facilitating ransomware payments. The document emphasizes that the U.S. government discourages the payment of cyber ransoms or extortion demands. It also urges proper reporting and cooperation with U.S. government agencies in the event of an attack.
Also touted in Tuesday's announcement: collaboration with international partners. Treasury officials say in June, Group of Seven, or G7, leaders "committed to working together to urgently address the escalating shared threat from criminal ransomware networks." The G7 Cyber Expert Group, co-chaired by the Treasury Department and the Bank of England, also met on Sept. 1 and Sept. 14 to tackle ransomware concerns.
Efforts to Date
Activity from the Biden administration to disrupt ransomware attacks follows a string of devastating incidents that began in May, all involving Russian-language groups. Conti hit Ireland's National Health Service; DarkSide disrupted U.S.-based Colonial Pipeline, causing consumers to panic-buy fuel; and REvil - aka Sodinokibi - attacked meat processing giant JBS as well as remote management software firm Kaseya. The latter attack resulted in more than 1,500 organizations' systems being forcibly encrypted and held to ransom.
Biden also met with Russian President Vladimir Putin in a June summit in Geneva in which he detailed several critical infrastructure sectors that must remain off-limits to criminal hackers. He said he warned Putin that if Russia failed to act, the U.S. reserved the right to do so.
During a Senate Homeland Security Committee hearing Tuesday, FBI Director Christopher Wray told lawmakers that in countering cryptocurrency-enabled cybercrimes, the bureau has created a virtual currency evolving threats team with subject matter experts, designed to help with investigations, along with a virtual currency response team. He noted cryptocurrency "permeates pretty much every program we have" and expects that focus to increase.