US Regulators Tie Two Bitcoin Addresses to Iranian Ransomware Plot

For the first time, the U.S. Treasury Department is adding crypto addresses to its list of Specially Designated Nationals.

AccessTimeIconNov 28, 2018 at 3:34 p.m. UTC
Updated Sep 13, 2021 at 8:37 a.m. UTC

The U.S. Department of the Treasury is officially adding crypto addresses to its individual sanctions list.

The Treasury Department's Office of Foreign Assets Control (OFAC) announced Wednesday that it was adding two Iran residents – Ali Khorashadizadeh and Mohammad Ghorbaniyan – to its Specially Designated Nationals list, and for the first time in the list's history, bitcoin addresses associated with the individuals will be included with other identifying information, such as physical addresses, post office boxes, email addresses and aliases.

OFAC first indicated it might add crypto addresses to its list in March, when it updated its FAQ on sanctions compliance. At the time, the office highlighted the fact that cryptocurrencies are comparable to fiat currencies as far as the SDN list is concerned. As such, the office is alerting U.S. citizens that they are prohibited from sending any funds to the two addresses.

In a statement, Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker said the department " is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims," adding:

"We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives."

Malicious software

Khorashadizadeh and Ghorbaniyan are being added to the list for their role in facilitating financial transactions related to the SamSam ransomware. The ransomware has hit more than 200 victims over the last few years, including corporations, hospitals, universities and government agencies.

The malicious software held these organizations' data hostage in exchange for bitcoin, according to the Treasury Department.

OFAC believes Khorashadizadeh and Ghorbaniyan converted more than 7,000 bitcoin transactions into Iranian rial, processing roughly 6,000 bitcoin, worth millions of U.S. dollars, on behalf of SamSam's creators. These transactions included bitcoin received as part of the payment from SamSam's victims.

The two then allegedly deposited the rial into Iranian banks.

According to OFAC, the two used more than 40 crypto exchanges, including some unnamed U.S.-based exchanges, to process transactions.

Any individuals or exchanges who do send funds to the two may be subject to secondary sanctions, including by being cut off from the U.S. financial system entirely.

"As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes," Mandelker said.

Image via MohitSingh/Wikimedia Commons


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.