US Treasury sanctions Iran-based ransomware group and associated Bitcoin addresses

The United States Treasury Department’s Office of Foreign Asset Control has added 10 individuals, 2 entities, and several crypto addresses allegedly tied to an Iranian ransomware group to its list of Specially Designated Nationals, effectively making it illegal for U.S. persons and companies to engage with them.

In a Wednesday announcement, the U.S. Treasury said the individuals and companies in the ransomware group were affiliated with Iran’s Islamic Revolutionary Guard Corps, a branch of the country’s military. The group allegedly “conducted a varied range of malicious cyber-enabled activities,” including compromising the systems of a U.S.-based children’s hospital in June 2021 and targeting “U.S. and Middle Eastern defense, diplomatic, and government personnel.”

OFAC listed 7 Bitcoin (BTC) addresses allegedly connected to 2 of the Iranian nationals — Ahmad Khatibi Aghada and Amir Hossein Nikaeed Ravar — as part of its secondary sanctions. According to Treasury, Khatibi has been associated with technology and computer services firm Afkar System — one of two entities sanctioned in the same announcement — since 2007. The government department alleged Nikaeed “leased and registered network infrastructure” to assist the ransomware group.

“Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board — directly threatening the physical security and economy of the United States and other nations,” said Brian Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence. “We will continue to take coordinated action with our global partners to combat and deter ransomware threats.”

In a coordinated action across the U.S. Government, OFAC designated a dozen Iran-based persons for their roles in malicious cyber acts, including ransomware activity. The U.S., Australia, Canada & the UK are also publishing a joint cyber security advisory. https://t.co/OVnr3jprBA

— Treasury Department (@USTreasury) September 14, 2022

The notice came as the Justice Department announced an indictment against Khatibi, Nikaeed, and Mansour Ahmadi — also one of the individuals listed in OFAC’s sanctions — for allegedly “orchestrating a scheme to hack into the computer networks” of entities and individuals in the United States, including the attacks cited by Treasury. According to the Justice Department, the Iranian ransomware group targeted a New Jersey-based accounting firm in February 2022, with Khatibi demanding $50,000 in cryptocurrency in exchange for not selling the company's data on the black market.


On Aug. 8, OFAC added more than 40 cryptocurrency addresses connected to controversial mixer Tornado Cash to its list of Specially Designated Nationals, prompting criticism from many figures in and out of the space. Treasury clarified on Tuesday that U.S. persons and entities were not prohibited from sharing Tornado Cash’s code, but that they would need a special license to complete transactions initiated before the sanctions were imposed or to make withdrawals.
