Bitcoin
$41,620.19-0.31%
Ethereum
$2,202.54-2.49%
Binance Coin
$223.26-1.68%
XRP
$0.61180973-4.43%
Solana
$59.93-6.73%
Cardano
$0.40021766-3.29%
Dogecoin
$0.08811118-2.63%
Tron
$0.10249472-7.63%
Chainlink
$15.32-5.49%
Avalanche
$21.98-2.38%
Toncoin
$2.28-2.70%
Polygon
$0.78725528-5.09%
PlayIconNav
Crypto Prices CoinDesk Market Index CoinDesk Market Index
Markets

Crypto Exchange WEX Linked to Iranian Ransomware Operators, Says PwC

Cryptocurrency exchange WEX, formerly called BTC-e, may have been used to launder illicit gains from the SamSam ransomware, according to PwC.

By Yogita Khatri
AccessTimeIconMar 5, 2019 at 12:40 p.m. UTC
Updated Dec 12, 2022 at 12:51 p.m. UTC
PwC

10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Cryptocurrency exchange WEX, successor to the shuttered BTC-e exchange, has again been tied to illicit funds gained through ransomware attacks.

According to a recent bulletinhttps://www.pwc.de/de/strategie-organisation-prozesse-systeme/strategic-intelligence-bulletin-airing-digital-currencys-dirty-laundry.pdf from consulting firm PwC, two Iranians said to have created the SamSam ransomware variant have been tied to the exchange and may have used it to launder their millions in illegal earnings.

Iranians Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were formally charged by the U.S. Department of Justice last November, for deploying SamSam ransomware to extort funds from hospitals, local governments and public institutions. The six-count indictment alleged that the duo collected over $6 million in ransom payments and caused over $30 million in losses to victims.

At the time, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) also added two other Iran residents, Ali Khorashadizadeh and Mohammad Ghorbaniyan, to its Specially Designated Nationals list for their role in facilitating financial transactions related to the SamSam ransomware on behalf of Savandi and Mansouri.

The OFAC also connected bitcoin addresses associated with Khorashadizadeh and Ghorbaniyan, with other identifying information, such as physical addresses, post office boxes, email addresses and aliases.

PwC said it analyzed the addresses provided by the OFAC and found that two exchange websites – Enexchanger and Iranvisacart – are connected to Khorashadizadeh and Ghorbaniyan, and allow payments through WEX. The FBI has previously linked both sites with money laundering, according to the report.

The Enexchanger website, for example, listed trading pairs including in cryptocurrencies, PwC said, adding “One of the cryptocurrency swaps offered is WEX-code to USD, which is a code that allows transferring of funds directly from [WEX] users.”

Further, citing evidence from a firm that tracks illicit crypto activity, PwC said that WEX/BTC-e and a crypto exchange based in Slovakia have been used to launder bitcoin by a threat actor tracked as "Blue Athena."

“The use of Iran- and Slovakia-based exchanges suggests that threat actors favour using lesser-known currency exchanges," PwC said. "This is likely because the more popular exchanges have monitoring or compliance programmes to detect illicit activities."

WEX rose from the ashes of the BTC-e platform after it was shuttered by international law enforcement officials in 2017. At the same time, its alleged operator, Alexander Vinnik, was arrested over claims he had laundered some $4 billion in bitcoin since 2011.

In its report, PwC said of the exchange:

“WEX is most notably known for its alleged involvement in the laundering of some USD 4 billion, transferring of funds to facilitate operations of the threat actor tracked by PwC as Blue Athena, and being responsible for cashing out 95% of all ransomware payments made since 2014."

In October 2018, cryptocurrency exchange Binance also froze accounts that received more than 93,000 ether from two wallets indirectly linked to WEX/BTC-e.

PwC image via Shutterstock 

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.