
Treasury Department issues sanctions guidelines for cryptocurrency operators

A detail of the statue of Satoshi Nakamoto, a presumed pseudonym used by the inventor of Bitcoin, is displayed in Graphisoft Park on Sept. 22, 2021, in Budapest, Hungary. The U.S. Treasury Department issued guidance to promote sanctions compliance in the virtual currency industry aimed at curbing ransomware. (Photo by Janos Kummer/Getty Images)

Seeking to advance President Joe Biden’s efforts to mitigate the ransomware threat, the Treasury Department’s Office of Foreign Assets Control (OFAC) on Friday issued guidance aimed at promoting sanctions compliance in the virtual currency industry. 

As ransomware attacks have increased in recent years, so has the number of ransomware payments, which are typically paid through virtual currency. These developments have required the government to step in and issue sanctions for bad actors that profit from ransomware operations and don’t comply with the government’s guidance on cryptocurrency.

According to the Treasury Department, OFAC’s sanctions compliance requirements apply to the virtual currency industry in the same way they do to traditional financial institutions — for example, dealing with restricted governments or blocked individuals — and there are civil and criminal penalties for failing to comply.

The guidance issued by OFAC Friday in its brochure offers an overview of OFAC sanctions requirements and gives examples of compliance best practices for operators in this industry, including technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies or their service providers.

As a practical matter, the government will find it difficult to assert centralized authority onto currency technologies that are designed to resist centralized authority, said David “Moose” Wolpoff, co-founder and chief technology officer at Randori.

“So while I totally support sanctioning institutions that directly support criminal groups, I'm skeptical of the practical outcome,” Wolpoff said. “If the cost of ransom payments are less than the cost of remediation (or non-payment) when including the cost of violating sanctions, we can expect that ransoms will continue to be paid by U.S. organizations, and we can expect that criminals will find ways to receive that ransom payment. It's great to see a government institution trying to utilize the tools at its disposal, and I hope they continue to influence the problem in ways they can.”

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said the recent guidelines specified by the U.S. Treasury have a simple goal: Make it more difficult for ransomware groups to profit from their crimes. Morgan said the OFAC guidelines have put more pressure on the virtual currency industry to take action against those exploiting their services.

“OFAC sanctions are varied in nature, however against ransomware operators, it’s likely that their most common targets will be against specific, listed individuals known to be associated with a criminal operation,” Morgan said. “These individuals will be registered on OFAC’s Specifically Designated Nationals and the Blocked Persons List. It’s unclear exactly what effect these changes will have on the ransomware industry in the short-term, however, it’s clearly a positive and proactive move towards combatting this growing problem.”

Wade Lance, Field CTO at Illusive, added that he understands the desire to counter ransomware organizations from every angle, but sanctioning the virtual currency industry when it is used in the ransomware process doesn't seem likely to have much success in the long term.

“Attackers will do what they always do and simply move to the next unregulated form of compensation to avoid government control,” Lance said. “The ransomware problem will probably continue to grow until organizations get serious about combating the underlying security vulnerabilities and weak identity controls that allow attackers to gain control of their networks.”
