Treasury Analysis Identifies Cryptocurrency Exchanges Associated With Ransomware


The department is tracking a huge increase in ransomware disclosures but data suggests the events are still grossly underreported.

The Treasury Department’s Financial Crimes Enforcement Network is using a combination of greater ransomware disclosures and commercially available tools for blockchain analysis to figure out which cryptocurrency exchanges are facilitating payments to ransomware criminals.

“This analysis allowed FinCEN to chart the flow of ransomware payments in [Bitcoin] to identify which [Convertible Virtual Currency] exchanges and services ransomware actors used to launder their proceeds,” reads a report Treasury released Friday.

The report found Bitcoin to be the most commonly used cryptocurrency for ransomware payments. 

It comes in the wake of the department’s first ever designation of a cryptocurrency exchange—SUEX—as a sanctioned entity and Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger saying there would be more to come in the fight against ransomware.     

Alongside the FinCEN report, the department also issued a guide to help organizations in the virtual currency industry comply with sanctions policy from its Office of Foreign Assets Control. The guide encouraged organizations to use geolocation tools and know-your-customer policies—whereby account holders must provide personally identifiable information such as a physical address and date of birth—in order to screen for and avoid transactions with banned persons or entities.

“Ransomware actors are criminals who are enabled by gaps in compliance regimes across the global virtual currency ecosystem,” Deputy Secretary of the Treasury Wally Adeyemo said in a press release. “Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity.”

The FinCEN report is based on ransomware-related activity entities disclosed of their own volition from January through June of 2021. It covers 635 reports tracking $590 million in suspicious funds. That’s a 42% increase when compared to a total of $416 million for all of 2020, the report noted, with a couple of important caveats. 

“This trend potentially reflects the increasing overall prevalence of ransomware-related incidents as well as improved detection and reporting of incidents by covered financial institutions, which may also be related to increased awareness of reporting obligations pertaining to ransomware and willingness to report,” FinCEN wrote.

The report noted ransomware advisories and virtual events FinCEN and OFAC promoted late last year and a key term used in those (“CYBER-FIN-2020-A006”) that was specifically referenced in the majority of subsequent disclosures over the first six months of this year.

Treasury has promised to factor such disclosures as mitigating factors when considering enforcement actions for entities paying ransoms to potentially sanctioned individuals. But the department found the events are still likely vastly underreported.

While FinCEN identified 177 virtual wallets from the suspicious activity reports they received, they used commercially available tools to identify 422,895 such wallets associated with common ransomware variants like REvil, Conti, DarkSide, Avaddon and Phobos.

“This difference is likely due to underreporting of ransomware incidents,” FinCEN wrote, adding, “Not all of the funds sent from these wallet addresses are definitively related to ransomware payments; however, all of the exchanges and services identified ... were at a minimum a direct counterparty to wallet addresses that received ransomware-related payments.”