The Justice Department’s seizure of $6.1m in funds tied to alleged ransom payments, announced alongside fresh sanctions against a cryptocurrency exchange and arrests of alleged hackers, marked an escalation in Washington’s attempt to weaken hacking groups that have disrupted US businesses.
The retrieval of funds shows how victim companies’ cooperation with law enforcement can sometimes pay off, US officials said on 8 November, while sanctions will create additional questions for US businesses faced with hackers’ ransom demands.
“If you target victims here, we will target you,” Deputy Attorney General Lisa Monaco said at a news conference.
US officials ramped up their push to track and potentially seize ransomware groups’ cryptocurrency after Colonial Pipeline paid hackers $4.4m during a May hack that disrupted the East Coast’s largest conduit for fuel. US businesses made a combined $590m in such payments during the first six months of this year, according to the Treasury Department’s Financial Crimes Enforcement Network, up from $416m a year earlier.
The seizure and arrests announced on 8 November came as the Treasury Department sanctioned Chatex, a cryptocurrency exchange that has allegedly facilitated ransomware payments, as well as affiliated businesses. The move made Chatex the second exchange blacklisted by the US government in recent months, following Russian-owned SUEX OTC.
“This means that effective immediately, all assets of these entities that are subject to US jurisdiction are blocked,” Deputy Treasury Secretary Wally Adeyemo said. “All transactions are prohibited for US persons. And all domestic [cryptocurrency] exchanges are prohibited from processing transactions with this exchange.”
The Treasury Department said on 8 November that more than half of Chatex’s known transactions are linked to ransomware, darknet markets and other high-risk exchanges. Companies facing ransomware attacks often enlist outside cybersecurity specialists to negotiate with hackers and check whether they or the crypto infrastructure they use have been blacklisted by the US government. The Treasury Department has urged businesses to report such demands and warned that those that pay sanctioned entities such as Chatex could face stiff penalties.
Chatex didn’t immediately respond to requests for comment. The Treasury Department said the exchange has presences in Latvia, Estonia, and Saint Vincent and the Grenadines.
US actions targeting cryptocurrency came as part of an international cybersecurity crackdown unveiled on 8 November by US and European officials.
Authorities in Romania and Poland in recent days arrested several individuals allegedly tied to REvil, the ransomware gang behind attacks this year on software provider Kaseya and meat processor JBS SA.
Attorney General Merrick Garland on 8 November said an alleged hacker, 28-year-old Russian national Yevgeniy Polyanin, had made off with the equivalent of $13m from other ransom payments. The Justice Department seized more than $6.1m of those funds in September, according to a search warrant made public on 8 November.
An indictment unsealed on 8 November charged Polyanin with hacking at least two companies and 13 government entities in Texas during a two-week period in August 2019. Polyanin is believed to be in Russia, Federal Bureau of Investigation Director Christopher Wray said.
Polyanin couldn’t immediately be reached for comment.
US officials have said hackers operate in Russia with relative impunity — a claim the Kremlin denies — but added on 8 November that the seized funds show how they can disrupt hacking outfits without local cooperation. Investigators can monitor criminals’ transactions if victim companies share information such as the digital address to which they make payments, according to cybersecurity experts and blockchain analysts.
Urging victims to report ransomware incidents to authorities, Wray said, “The long arm of the law reaches a lot further than [hackers] think.”
Write to David Uberti at [email protected]
This article was published by Dow Jones Newswires