Matt Stankiewicz, Partner at The Volkov Law Group, joins us to discuss OFAC’s recent sanctions relating to cybercrime, darknets, and cryptocurrency. Matt can be reached at [email protected].

Continuing with both its crackdown on cybercriminals and illicit digital marketplaces, along with its continued economic pressure on the Russian Federation, OFAC has sanctioned two entities that fit both criteria.  On April 5, 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) sanctioned Hydra, one of the world’s largest darknet marketplaces, and GARANTEX, a virtual currency exchange that is favored by ransomware and cybercriminals due to its extremely lax compliance controls.  These moves follow Treasury’s previous designations of SUEX and CHATEX, two other Russian-based virtual currency exchanges that were effectively havens for country’s extensive cybercriminal networks.  While Hydra itself was added to OFAC’s Specially Designated Nationals (“SDN”) List, OFAC took further steps to also add over 100 virtual currency wallet addresses, mostly Bitcoin wallets.  OFAC also listed three wallet addresses related to GARANTEX, one Bitcoin wallet, one Ethereum wallet, and one Tether (USDT) wallet. 

In announcing these moves, Secretary of the Treasury Janet Yellen stated:

The global threat of cybercrime and ransomware that originates in Russia, and the ability of criminal leaders to operate there with impunity, is deeply concerning to the United States.  Our actions send a message today to criminals that you cannot hide on the darknet or their forums, and you cannot hide in Russia or anywhere else in the world. In coordination with allies and partners, like Germany and Estonia, we will continue to disrupt these networks.

GARANTEX is a virtual currency exchange that is known to be connected with many cybercriminals and operates out of the Federation Tower in Moscow and other operations in St. Petersburg, Russia.  By operating with lax anti-money laundering (“AML”) and countering terrorism financing (“CTF”) controls, cybercriminals can easily exchange their ill-gotten virtual assets for fiat currency, and can do so relatively anonymously.  These types of exchanges are a key cog for cybercriminals to transact funds while avoiding law enforcement and compliance controls at traditional financial institutions.  This provides the financial incentives to pursue cybercrime, incentives that are becoming more and more significant as of late.  Shutting down these exchanges that fail to comply with basic legal requirements goes a long way towards stopping these illicit industries.  These exchanges ultimately give a bad name to the virtual asset, blockchain, and cryptocurrency industries.

The U.S. coordinated with German regulators to shut down Hydra servers and seize its assets.  In doing so, regulators seized Bitcoin totaling just over $25 million.  While this may seem like a lot, it’s only a fraction of what the marketplace has dealt with.  Hydra connects buyers and sellers over a variety of illicit goods and services.  These items include drugs, weapons, forged legal documents, credit card information, personal data obtained from data leaks, and much more.  Prosecutors claimed the marketplace had sales of over $1 billion in 2020 alone.  Various blockchain analytics firms believe the marketplace to have facilitated over $5 billion in sales since its beginnings around 2015.  In addition to listing over 100 virtual currency wallet addresses associated with Hydra, the Treasury Department noted that it will continue to add addresses in the future as needed.

Hydra is known to facilitate ransomware-as-a-service – meaning, sellers on the marketplace offer their various brands of ransomware that cybercriminals can use to infect systems around the world.  The ransomware-as-a-service system is big business at this point, and allows hackers to utilize established and effective ransomware frameworks, along with the human infrastructure as well.  The ransomware itself is simply software code, however the large players in the market operate like businesses, with back-office functions such as HR departments, customer support (I use “support” loosely here), and finance and accounting.  These hackers purchase the use of the ransomware, inject it into an entities servers, and then wait for their cut of the ransom payment to come to them.  These payments are usually paid out in virtual currency through exchanges with lax controls, such as GARANTEX. 

Paying these ransoms can be problematic for companies for a variety of reasons.  First, payment of a ransom puts that company on a list that is then bought and sold through darknet markets like Hydra.  They operate as sales leads, because if a company pays once, they’ll likely pay a second time.  Companies that pay that first ransom are then often peppered with subsequent attacks and must drastically increase their cybersecurity efforts to combat those attacks.  Second, ransomware payments come with significant risks, such as potential sanctions liability.  Just because some of these entities become sanctioned, does not mean they stop operations.  Since some of these groups or operations don’t necessarily rely on traditional foundations – such as banks, suppliers, etc. – they can still continue to exist.  Hydra, for example, is named such to suggest that if you cut off one head, another will grow.  Companies should be extremely cautious when dealing with ransomware.