Crypto at the Crossroads: Exploring the Impact of the US Treasury’s Bitcoin Sanctions

At the end of last year, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) named and added two individuals – Iranians Ali Khorashadizadeh and Mohammad Ghorbaniyan – to its Specially Designated Nationals (SDN) list for their roles in the SamSam ransomware campaign. In the designations, OFAC listed two Bitcoin addresses associated with the men, in the same manner as they specify other identifying information, such as passport numbers or known aliases. This action marks the first time that cryptocurrency addresses have been included on the SDN list, a move which effectively hands responsibility to the crypto community for policing its own probity.

The US Department of Justice (DOJ) SamSam indictment asserts that Khorashadizadeh was allegedly involved in creating malware that encrypted data on victims’ computers and allowed access to their systems. After executing the ransomware on the computers, the men would then allegedly extort the victims by demanding payment in Bitcoin in exchange for decryption. They apparently laundered the payments thus obtained by using Iran and US-based cryptocurrency exchanges. The DOJ estimates that the hackers received over $6 million in ransom payments from over 200 victims, including cities, government agencies, schools, and hospitals across North America.

The SDN list is OFAC’s published list of individuals, groups, and entities whose assets are blocked in the US, and with whom US persons are prohibited from transacting. The list is searchable online, and a designation usually includes as much information as possible. Any company or person found transacting with a designated entity is considered to be in violation of US sanctions, and can be fined or jailed accordingly. In the case of Khorashadizadeh, for example, OFAC lists his passport information, gender, email addresses, program designation (CYBER2), date and place of birth, and known aliases. But then, between passport and gender, is added ‘Digital Currency Address – XBT’.

This addition from OFAC is certainly new, but not surprising. In March, OFAC updated its sanctions compliance FAQ to include a section titled ‘Questions on Virtual Currency’. This defines virtual currency and provides explanations as to the responsibilities of individuals and companies regarding a listed cryptocurrency address, as well as guidelines for following the new designations.

If nothing else, the US treasury has certainly sent a strong message to all who think that transactions in cryptocurrencies are beyond the reach of US sanctions. Indeed, OFAC has provided another level of detail to designations, one that allows interested parties to identify an address with which they may have otherwise inadvertently interacted. Bitcoin addresses are available to view on the public blockchain, so any transaction involving either account can be tracked. While these addresses have been emptied and are currently inactive, the listings provide the public with the ability to examine the network surrounding Khorashadizadeh and Ghorbaniyan.

While many transactions are SamSam ransom payments, it is likely that the addresses were also used for transactions between collaborators. Of course, this begs the question – what can OFAC actually do about those other associated addresses?

The nature of sanctions breaches is such that OFAC has the legal ability to go after any of the addresses involved with the sanctioned addresses, but there are significant technical challenges to this pursuit. Traditionally, banks act as third-party entities capable of freezing accounts pursuant to government listings. With cryptocurrency, there is no way to freeze the address itself without the private key of the owner. Addresses may be listed, but they are still able to operate. Alternatively, it is relatively easy to simply set up another address; many crypto users hold multiple addresses in a ‘wallet’ and some even advocate using a new address for each transaction.

In addition, while Bitcoin remains transparent on the public blockchain, it can still be difficult to trace addresses to identities, particularly if the owner has gone to some lengths to remain anonymous. This results in difficulties for law enforcement agencies, which find it hard to attach identities to any associated addresses they may be interested in investigating. 

With uncertainty about the future of cryptocurrency looming, a designation such as that performed in the US could signal a change to the crypto community. There are likely two consequences: that the community will move further underground and away from any possible regulation, and that currency exchanges will grasp the opportunity to lead the charge in securing their own systems.

On the one hand, the limitations on OFAC’s powers are clear to anyone involved in such transactions, and the crypto community, naturally sceptical of any government interference, could easily be pushed into adopting increased methods of identity protection and privacy, mainly through the emergence of ‘privacy coins’ and decentralised exchanges. Privacy coins, such as Zcash and Monero, offer users the ability to transact in cryptocurrency without publicly broadcasting their transactions, in contrast to Bitcoin. Like Bitcoin, privacy coins have already been linked to terrorist funding. Decentralised exchanges are not run by companies, but operate on the blockchain, limiting the potential of sanctions enforcement. Thus, the involvement of the US treasury could move many actors into anonymising further and more quickly. Using these technologies, users can ensure that their transactions are hidden and controlled only by themselves, rather than transparent and held by companies adhering to anti-money laundering regulations.

On the other hand, if those third-party companies – primarily exchanges and centralised wallet firms – view the US government’s designations as an impetus to improve the crypto community’s reputation, they could effectively secure the system from the inside. Considering the role of centralised exchanges in laundering the proceeds of both the SamSam campaign and the WannaCry hacks, the possibility of being fined may now motivate them to self-police. Indeed, there have already been some such initiatives, such as the Crypto Community Watch.

Blockchain analysis companies, such as Chainalysis and Elliptic, already provide intelligence to help companies meet their ‘Know Your Customer’ and anti-money laundering compliance obligations and enable better understanding of suspicious crypto transactions. By utilising this technology, together with other innovative solutions, centralised exchanges are in prime position to regulate the blockchain themselves, to some extent. One such solution lies in the possibility of ‘tainted’ coins, a concept in which stolen or designated coins are tagged as they move through the system, indicating the flow of money laundering as well as keeping exchanges and crypto users safe from inadvertently violating sanctions. When hackers stole $534 million in XEM cryptocurrency earlier last year, the development community was able to tag the coins, preventing the criminals from anonymously laundering the funds.

Admittedly, this systematic change would require incredible effort, desire, and expense on the part of the exchanges and developers. But with crypto’s already rocky reputation as a facilitator of crime, it could be in the community’s best interest to deal with its own problems. For those who are wary of law enforcement, this could also be a way to address the problem without moving outside the trusted blockchain family. But, if the crypto community does not take initiative to decide its own fate, it could discover that OFAC might just decide it for them.

Kayla Izenman is a Research Assistant at RUSI.

The views expressed in this Commentary are the author’s, and do not necessarily represent those of RUSI or any other institution.