US Treasury Blacklists Several More Bitcoin Addresses Allegedly Tied to Iran Ransomware Attacks

The sanctions watchdog agency added several bitcoin addresses allegedly used in ransomware attacks to its blacklist.

AccessTimeIconSep 14, 2022 at 3:08 p.m. UTC
Updated May 11, 2023 at 4:40 p.m. UTC

The U.S. Treasury Department added nine individuals and six bitcoin addresses to its blacklist Wednesday, under its “cyber-related designations” bucket.

The addresses were specifically tied to two individuals – Amir Hossein Nikaeen Ravari and Ahmad Khatibi Aghada – who allegedly helped develop and deploy ransomware as members of Iran’s Islamic Revolutionary Guard Corps (IRGC), according to a press release published by the Treasury Department.

The sanctioning came as U.S. government officials charged three individuals with hacking-related crimes. Alongside Mansour Ahmadi, Nikaeen Ravari and Aghada allegedly broke into hundreds of U.S. companies and deployed ransomware to several of these entities, including U.S. infrastructure entities, the Justice Department claimed.

The individuals are part of a hacker group that targeted hospitals, transportation companies and schools with ransomware, Treasury officials said in a press statement. It further accused the group of mounting a cyberattack against a rural electric utility company in October 2021.

The wallets did not contain any bitcoin Tuesday, having drained their balances between last October and this past May. One address linked to both individuals held 2.49 BTC over the course of its life.

Several of the addresses have not been active since 2021, according to on-chain data.

The Treasury Department’s Office of Foreign Assets Control (OFAC) has added a number of Iranian officials to its Specially Designated Nationals (SDN) list in recent weeks over cyberattacks allegedly committed by members of Iran’s government.

U.S. persons and entities – meaning anyone on American soil or any U.S. citizens abroad – are barred from transacting with the addresses or people added to the sanctions list.

Last week, OFAC added Iran’s Minister of Intelligence, Esmail Khatib, and its Ministry of Intelligence and Security, to the SDN list for allegedly attacking the country of Albania, which faced an unspecified hack earlier this year (Iran has denied the allegations).

OFAC has sanctioned crypto wallet addresses for years now, having first done so in 2018 when two other Iranian residents were accused of laundering funds for ransomware creators.

UPDATE (Sept. 14, 2022, 15:15 UTC): Adds additional detail.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

CoinDesk - Unknown

Nikhilesh De is CoinDesk's managing editor for global policy and regulation. He owns marginal amounts of bitcoin and ether.

CoinDesk - Unknown

Danny is CoinDesk's Managing Editor for Data & Tokens. He owns BTC, ETH and SOL.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.