PwC: Bitcoin Ransomware Hackers Laundered Money via WEX Exchange
Big Four consulting and auditing company PwC has linked the Iranian nationals behind the Bitcoin (BTC) ransomware scheme SamSam to the crypto exchange WEX in a recent report published in February.
The report is based on information that was previously disclosed by the United States Department of Justice (DoJ). According to the DoJ, two Iranians, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were responsible for creating SamSam. SamSam is ransomware that demands payment in Bitcoin and reportedly damaged multiple U.S. companies, government agencies, universities, and hospitals. Within 34 months the hackers managed to extort over $6 million in Bitcoin and cause over $30 million in losses.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned two more Iranians, Mohammad Ghorbaniyan and Ali Khorashadizadeh. They were allegedly operating Iran-based crypto exchanges that helped Savandi and Mansouri exchange the BTC extorted via SamSam.
After analyzing wallet addresses and emails provided by the U.S. government, PwC came to the conclusion that Khorashadizadeh and Ghorbaniyan could be linked to crypto exchange WEX.
WEX was known as BTC-e prior to a rebranding move in September 2017. The exchange rebranded in order to distance itself from a money laundering investigation that shuttered BTC-e in July of that same year. PwC further states that BTC-e was involved in exchanging at least $1.9 million related to SamSam:
“BTC-e is known for its involvement in laundering approximately $4 billion and is responsible for cashing out 95 percent of all ransomware payments made from 2014 to 2017 — of which $1.9 million came from SamSam ransomware.”
Moreover, PwC cites another investigation that links Bitcoin transactions on BTC-e to Russia’s Main Intelligence Directorate of the General Staff (GRU). As Bloomberg wrote back in 2018, both BTC-e and the GRU are allegedly connected to another major cyber espionage group, “Fancy Bear,” which has purportedly been linked to a cyber attack on the Democratic National Committee ahead of the 2016 United States presidential elections.
As Cointelegraph previously reported, Alexander Vinnik, the alleged former operator of the defunct BTC-e, was arrested by Greek police back in July 2017 as the DoJ accused him of fraud and money laundering. Russian human rights officials have sought Vinnik’s extradition back to his home country following health complications that are the result of a months-long hunger strike.