Treasury sanctions Iranian hackers and Bitcoin addresses

According to an update from the US Treasury Department, several Iranian nationals and their Bitcoin addresses have been sanctioned. An official release names Ahmad Khatibi Aghada, Amir Hossein Nikaeen, and at least seven addresses under their control.

In an indictment filed in the U.S. District Court of New Jersey, these individuals and Ahmadi Mansour have been charged with conspiracy to commit computer fraud and related activity, willfully damaging a protected computer, and soliciting financial compensation in Bitcoin.

The document was published today by the US Department of Justice (DoJ) and claims that these hackers allegedly engaged in illegal cyber activities from October 2020 onwards. Attacked by Iran, Nikaeen and his co-conspirators allegedly took over computers in the US, UK, Israel, Russia and others.

The hackers reportedly used “known vulnerabilities in common network devices and software applications” to carry out their exploits. In addition, they used Microsoft’s BitLocker to encrypt victims’ computers and demand payment in Bitcoin before handing over control.

In a Microsoft report published in early September, the major technology company acknowledged these attacks and linked a large part with a hacker group known as “Nemesis Kitten”, and its Iranian chapter called DEV-0270 or “PHOSPHORUS”. The report claims that these “widespread” attacks are sponsored by the government of Iran.

The indictment does not mention any connection between the suspects and “PHOSPHORUS”, but they appeared to be operating under a similar scheme. The hacker group asked the victim for a payment of up to $8,000 to release the computer, if the victim refuses, they sell the stolen data on the internet.

The use of BitLocker via malicious commands renders the victim’s computer unusable, according to Microsoft:

DEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, rendering hosts unusable.

Treasury Sanctions Bitcoin Addresses, What Are the Implications?

The indictment alleges that the Iranian hackers were allegedly able to affect small businesses, government agencies, nonprofit programs, educational and religious institutions, and several critical infrastructure sectors, such as hospitals and transportation services.

The hackers often set up websites with the name format of legitimate technology companies to lure the victims. Once they gain access to the computers, hackers demanded payment in Bitcoin and other cryptocurrencies by providing an email address, as shown below.

Authorities in the United States were able to connect the hackers via their Bitcoin addresses. The bad actors used the same addresses when demanding payment from their victims.

In the past, law enforcement agencies were able to track down stolen funds and criminals via their BTC transactions. Given the transparent nature of the BTC network, some authorities believe that Bitcoin can be a tool to counter criminal activities.

United States Attorney for New Jersey Philip Sallinger said the following about the case:

By charging them in this indictment, by naming them publicly, we remove their anonymity. They can no longer operate anonymously from the shadows. We have put the spotlight on those who were looking for criminals.

US financial sanctions have been the subject of controversy in the crypto space. A few weeks ago, the institution sanctioned the Ethereum-based decentralized exchange Tornado Cash in an action that many experts considered “crossing a line”.

This was the first time the institution sanctioned a neutral technology. Now the Treasury issued instructions for people to “safely” remove their money from the exchange and acknowledged that some people were affected by interacting with the addresses associated with Tornado Cash. What will happen to the people who interact with the Bitcoin addresses that are sanctioned today?