US Treasury Sanctions Iran-Based Ransomware Group and Associated Bitcoin Addresses

by James · September 14, 2022

The US Treasury Department’s Office of Foreign Assets Control has added 10 individuals, 2 entities and several crypto addresses allegedly linked to an Iranian ransomware group to its list of Specially Designated Nationals, effectively making it illegal for US persons and companies to engage with them.

In an announcement Wednesday, the US Treasury Department said the individuals and companies in the ransomware group were affiliated with Iran’s Islamic Revolutionary Guard Corps, a branch of the country’s military. The group allegedly “conducted a diverse array of malicious cyber-enabled activities,” including compromising the systems of a US-based children’s hospital in June 2021 and targeting “US and Middle East defense, diplomatic and government personnel.”

OFAC listed 7 Bitcoin (BTC) addresses allegedly linked to 2 of the Iranian nationals – Ahmad Khatibi Aghada and Amir Hossein Nikaeed Ravar – as part of its secondary sanctions. According to Treasury, Khatibi has been associated with technology and data services firm Afkar System – one of two entities sanctioned in the same announcement – since 2007. The government ministry alleged Nikaeed “leased and registered network infrastructure” to help the ransomware group.

“Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board — directly threatening the physical security and economy of the United States and other nations,” said Brian Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence. “We will continue to take coordinated action with our global partners to combat and deter ransomware threats.”

In a coordinated action across the US government, OFAC singled out a dozen Iran-based individuals for their roles in malicious cyber activities, including ransomware activity. The US, Australia, Canada and the UK also publish a joint cyber security advisory. https://t.co/OVnr3jprBA

— Treasury Department (@USTreasury) 14 September 2022

The notice came as the Justice Department announced an indictment against Khatibi, Nikaeed and Mansour Ahmadi — also one of the individuals listed in OFAC’s sanctions — for allegedly “orchestrating a scheme to hack into the computer networks” of US entities and individuals, including the attacks cited by Treasury. According to the Justice Department, the Iranian ransomware group targeted a New Jersey-based accounting firm in February 2022 and let Khatibi demand $50,000 in cryptocurrency in exchange for not selling the company’s data on the black market.

Related: Monero the crypto of choice as ransomware ‘double extortion’ attacks surge 500%

On August 8, OFAC added more than 40 cryptocurrency addresses linked to the controversial mixer Tornado Cash to its list of specially designated nationals, prompting criticism from many figures inside and outside the space. Treasury clarified on Tuesday that US persons and entities were not prohibited from sharing Tornado Cash’s code, but that they also required a special license to complete transactions initiated before the sanctions were imposed or make withdrawals.