US sanctions cryptocurrency exchange used by ransomware gangs

The US Treasury Department announced the first-ever sanctions against a cryptocurrency exchange, the Russian-linked Suex, for facilitating ransom transactions for ransomware gangs and helping them evade sanctions.

Suex is registered in the Czech Republic but has no physical presence there. Instead, it operates out of Moscow and St. Petersburg branch offices and other Russian and Middle Eastern locations, according to Chainalysis.

"SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants. Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors," the Treasury Department said today.

"SUEX is being designated pursuant to Executive Order 13694, as amended, for providing material support to the threat posed by criminal ransomware actors.

"This action is the first sanctions designation against a virtual currency exchange and was executed with assistance from the Federal Bureau of Investigation."

This move is designed to disrupt the main channel used by ransomware operations to collect ransom payments from their victims, which, as the Treasury added, amounted to over $400 million last year, more than four times the 2019 total.

By sanctioning crypto exchanges providing ransomware groups with material support, the US hopes to drain their funding and disrupt their operations.

The Treasury's Office of Foreign Assets Control (OFAC) also issued an advisory today highlighting the "sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities."

As Chainalysis also revealed today, since being launched in February 2018, Suex has received more than $481 million in Bitcoin alone, including funds received from cybercriminals:

  • Nearly $13 million from ransomware operators including Ryuk, Conti, Maze, and several others
  • Over $24 million from cryptocurrency scam operators including the fraudsters behind Finiko, a scam that took in over $1 billion worth of cryptocurrency from victims primarily in Russia and Ukraine
  • Over $20 million from darknet markets, primarily the Russia-based Hydra Market

Figure: Suex funds received from cybercriminals since 2018 (Chainalysis)

Part of a larger effort to disrupt ransomware operations

The Biden administration was expected to issue sanctions this week against cryptocurrency exchanges, wallets, and traders used by ransomware groups, as the Wall Street Journal reported on Friday.

These are not the first sanctions the US government has levied against entities or threat actors associated with ransomware gangs.

In 2019, the US charged members of Evil Corp for stealing more than $100 million and added them to the Office of Foreign Assets Control (OFAC) sanctions list.

Over the years, Evil Corp was linked to multiple ransomware families, including WastedLocker, Hades, Phoenix CryptoLocker, and PayLoadBin.

In October, the Treasury also warned that ransomware negotiators might face civil penalties for facilitating ransom payments to ransomware gangs on its sanctions list.

"Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors," Treasury Secretary Janet L. Yellen added today.

"As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks."
