US Treasury Blacklists Several More Bitcoin Addresses Allegedly Tied to Iran Ransomware Attacks

The sanctions watchdog agency added several bitcoin addresses allegedly used in ransomware attacks to its blacklist.

AccessTimeIconSep 14, 2022 at 3:08 p.m. UTC
Updated May 11, 2023 at 4:40 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

The U.S. Treasury Department added nine individuals and six bitcoin addresses to its blacklist Wednesday, under its “cyber-related designations” bucket.

The addresses were specifically tied to two individuals – Amir Hossein Nikaeen Ravari and Ahmad Khatibi Aghada – who allegedly helped develop and deploy ransomware as members of Iran’s Islamic Revolutionary Guard Corps (IRGC), according to a press release published by the Treasury Department.

The sanctioning came as U.S. government officials charged three individuals with hacking-related crimes. Alongside Mansour Ahmadi, Nikaeen Ravari and Aghada allegedly broke into hundreds of U.S. companies and deployed ransomware to several of these entities, including U.S. infrastructure entities, the Justice Department claimed.

The individuals are part of a hacker group that targeted hospitals, transportation companies and schools with ransomware, Treasury officials said in a press statement. It further accused the group of mounting a cyberattack against a rural electric utility company in October 2021.

The wallets did not contain any bitcoin Tuesday, having drained their balances between last October and this past May. One address linked to both individuals held 2.49 BTC over the course of its life.

Several of the addresses have not been active since 2021, according to on-chain data.

The Treasury Department’s Office of Foreign Assets Control (OFAC) has added a number of Iranian officials to its Specially Designated Nationals (SDN) list in recent weeks over cyberattacks allegedly committed by members of Iran’s government.

U.S. persons and entities – meaning anyone on American soil or any U.S. citizens abroad – are barred from transacting with the addresses or people added to the sanctions list.

Last week, OFAC added Iran’s Minister of Intelligence, Esmail Khatib, and its Ministry of Intelligence and Security, to the SDN list for allegedly attacking the country of Albania, which faced an unspecified hack earlier this year (Iran has denied the allegations).

OFAC has sanctioned crypto wallet addresses for years now, having first done so in 2018 when two other Iranian residents were accused of laundering funds for ransomware creators.

UPDATE (Sept. 14, 2022, 15:15 UTC): Adds additional detail.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Nikhilesh De

Nikhilesh De is CoinDesk's managing editor for global policy and regulation. He owns marginal amounts of bitcoin and ether.

Danny Nelson

Danny is CoinDesk's Managing Editor for Data & Tokens. He owns BTC, ETH and SOL.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.