PwC: Bitcoin Ransomware Hackers Laundered Money via WEX Exchange

Published at: March 4, 2019

Big Four consulting and auditing company PwC has linked Iranian nationals behind Bitcoin (BTC) ransomware scheme SamSam to the crypto exchange WEX in a recent report published in February.

The report is based on information that was previously disclosed by the United States Department of Justice (DOJ). As per the DOJ, two Iranians — Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri — were responsible for creating SamSam. SamSam is ransomware that demands payment in Bitcoin and reportedly damaged multiple U.S. companies, government agencies, universities, and hospitals. Within 34 months, the hackers managed to extort over $6 million in Bitcoin and cause over $30 million in losses.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned two more Iranians, Mohammad Ghorbaniyan and Ali Khorashadizadeh. They were allegedly operating Iran-based crypto exchanges that helped Savandi and Mansouri to exchange the BTC extorted via SamSam.

After analyzing wallet addresses and emails provided by the U.S. government, PwC came to the conclusion that Khorashadizadeh and Ghorbaniyan could be linked to crypto exchange WEX.

WEX was known as BTC-e prior to a rebranding move in September 2017. The exchange rebranded in order to distance itself from a money laundering investigation that shuttered BTC-e in July of that same year. PwC further states that BTC-e was involved in exchanging at least $1.9 million related to SamSam:

“BTC-e is known for its involvement in laundering approximately $4 billion and is responsible for cashing out 95 percent of all ransomware payments made from 2014 to 2017 — of which $1.9 million came from SamSam ransomware.”

Moreover, PwC cites another investigation that links Bitcoin transactions on BTC-e to Russia’s Main Intelligence Directorate of the General Staff (GRU). As Bloomberg wrote back in 2018, both BTC-e and the GRU are allegedly connected to another major cyber espionage group, “Fancy Bear,” which has purportedly been linked to a cyber attack on the Democratic National Committee ahead of the 2016 United States presidential elections.

As Cointelegraph previously reported, Alexander Vinnik, the alleged former operator of defunct BTC-e, was arrested by Greek police back in July 2017 as the DOJ accused him of fraud and money laundering. Russian human rights officials have sought Vinnik’s extradition back to his home country following health complications that are the result of a months-long hunger strike.
