US sanctions virtual currency exchange for complicity in ransomware attacks

Out-Law News | 06 Oct 2021 | 3:02 pm | 2 min. read

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has for the first time designated a virtual currency exchange for complicity in facilitating financial transactions for ransomware actors.

The designation blocks all property and interests belonging to the exchange that are subject to US interests, as well as any entities 50% or more owned by designated persons. US citizens are also generally blocked from interacting with the exchange, SUEX.

OFAC also issued an updated advisory notice to encourage reporting of ransomware attacks and payments to US government agencies.

In a corresponding development, the UK’s Crown Prosecution Service (CPS) issued revised guidance in June of this year confirming that it would consider prosecuting regulated businesses that fail to submit money laundering Suspicious Activity Reports to the UK’s Financial Intelligence Unit even if there was insufficient evidence to establish that money laundering was planned or has taken place. Ransom payments, in the hands of hackers, are effectively the proceeds of their criminal conduct and so money laundering controls are in play.

Portrait of Andrew Sackey

Andrew Sackey

Partner

The importance of being able to attest to the steps taken to ensure payments aren’t made to prohibited persons or entities, and that suitable anti-money laundering reporting has been undertaken, simply cannot be overstated

Meanwhile earlier in September the Dutch government said it was considering banning insurance companies from paying ransom payments to hackers.

White collar crime expert Andrew Sackey of Pinsent Masons, the law firm behind Out-Law, said: “OFAC’s designation of SUEX for complicity in facilitating financial transactions for ransomware actors gives an indication that the ransom payment landscape is beginning to change”.

“The importance of being able to attest to the steps taken to ensure payments aren’t made to prohibited persons or entities, and that suitable anti-money laundering reporting has been undertaken, simply cannot be overstated,” Sackey said.

OFAC said some virtual currency exchanges were exploited by “malicious actors”, but others, such as SUEX, “facilitate illicit activities for their own illicit gains”. The agency said an analysis of known SUEX transactions demonstrated that over 40% of its known transaction history was associated with illicit actors.

A strict application of the UK’s money laundering legislation raises a risk that, by paying over ransom funds, a victim could be said to be entering into a prohibited ‘arrangement’ which they knew would facilitate the ‘retention, use or control of criminal property’ by the threat actor. That offence carries a maximum penalty of 14 years.

Regulatory and compliance expert Laura Gillespie of Pinsent Masons said: “Any business hit by ransomware will immediately be faced with a decision on whether it should engage with the threat actor”.

“It is a complex issue – there is a risk that the payment could be unlawful, but in the absence of adequate back-ups, some businesses may be paralysed and so the need to engage is driven by business continuity,” Gillespie said.

“Victims, their agents and professional advisers will be increasingly obliged to document robust due diligence to underpin the difficult decision making regarding whether, or the extent to which, to engage with threat actors. Such careful consideration will also need to be given to making appropriate disclosures to the Financial Intelligence Unit, which will turn on a range of factors, but key among them will be whether your business is regulated and so operating under enhanced reporting obligations,” she said.