The US Treasury has imposed sanctions on a cryptocurrency exchange that it says allowed ransomware hackers to launder extortion payments from victims, in one of its most significant interventions to date against a digital asset group.
Working together with the FBI, the US Treasury’s Office of Foreign Assets Control announced the curbs on an exchange called SUEX, which it said deliberately “facilitated illicit activities for [its] own illicit gains”.
The sanctions block US citizens and companies from transacting with the group, with penalties that include fines.
The move marks a new frontier in the government’s fight against a scourge of ransomware attacks, in which hackers seize a company’s systems or data only to release them when a ransom is paid.
Cybersecurity experts have long called for tougher barriers to stop cyber criminals receiving and then laundering ransom payments, which have typically been enabled by the use of difficult-to-trace cryptocurrencies.
According to the Treasury, some 40 per cent of SUEX’s transactions are linked to illicit actors, while the company has facilitated the laundering of funds from more than eight ransomware variants.
SUEX’s website says the company was established in Prague, in the Czech Republic, while its LinkedIn page says it is “used by thousands of residents of Russia, Europe, Asia, South and North America”.
SUEX operates as a so-called “nested” exchange, according to crypto intelligence group TRM Labs, meaning that instead of acting as a direct custodian of its clients’ crypto funds, it merely provides a custom-made interface while tapping into the services of a larger exchange.
According to TRM Labs, the exchange, which appears to deal in transactions of $10,000 or more, accepted new customers on a system of referrals from trusted intermediaries.
Its largest shareholder is a Russian national, TRM said. A message to the email listed on the SUEX website bounced back.
Ofac said it would “continue to impose sanctions on these actors and others who materially assist, sponsor or provide financial, material or technological support for these activities” — a statement that will send a warning to other larger cryptocurrency exchanges that have not bolstered their anti-money laundering and “know-your-customer” capabilities.
Ransomware attacks have exploded in volume as a pandemic-related shift to remote working has left businesses more vulnerable to intruders. The trend was thrust into the spotlight earlier this year by several audacious and highly disruptive attacks, including one on the East Coast’s Colonial Pipeline.
The Treasury also updated its ransomware advisory on Tuesday to recommend that victims disclose breaches to law enforcement and other US agencies — particularly if they feel compelled to pay a ransom, as this will give them extra leverage with regulators if they are later found to have unwittingly broken sanctions.
Another “significant mitigating factor” will be whether a company co-operates and shares information with law enforcement, the Treasury said.
The guidance will be updated to state explicitly that the government discourages paying ransoms altogether, as it has outlined in public statements in the past.
Wally Adeyemo, deputy secretary of the Treasury, said the agency was also “investigating” the role of mixers — third-party services that mix up illicit funds with clean cryptocurrencies before redistributing them, throwing investigators off the trail.
Beyond targeting the crypto payments infrastructure, many experts have argued that the Biden administration should be tougher on Moscow, given that the majority of ransomware criminals are believed to be based in Russia or Russian-speaking countries, where they are allowed to operate with impunity.
In July, Joe Biden warned Russian president Vladimir Putin that the country would face consequences if it failed to act against such hackers, and warned that certain critical infrastructure entities were off limits.
The Treasury said on Tuesday that it planned to better leverage international co-operation and multilateral forums such as the G7 and United Nations. It sought to encourage the countries that harbour ransomware criminals to take action or be “held accountable” for failing to do so.
When asked about a recent ransomware attack on a grain co-operative in Iowa, which analysts believe was carried out by a suspected Russian-linked group called BlackMatter, the White House told reporters that it had not yet made any formal attribution.