Treasury Sanctions Ransomware Operators and Virtual Currency Exchange
November 9, 2021

the Administration’s whole-of-government effort to counter
ransomware, the U.S. Department of the Treasury today announced
a set of actions focused on disrupting criminal ransomware
actors and virtual currency exchanges that launder the proceeds
of ransomware. Treasury’s actions today advance the Biden
Administration’s counter-ransomware efforts to disrupt
ransomware infrastructure and actors and address abuse of the
virtual currency ecosystem to launder ransom payments.

Today’s actions include the designation of Chatex, a virtual
currency exchange, and its associated support network, for
facilitating financial transactions for ransomware actors.
Chatex, which claims to have a presence in multiple countries,
has facilitated transactions for multiple ransomware variants.
Analysis of Chatex’s known transactions indicates that over half
are directly traced to illicit or high-risk activities such as
darknet markets, high-risk exchanges, and ransomware. Chatex has
direct ties with SUEX OTC, S.R.O. (Suex), using Suex’s function
as a nested exchange to conduct transactions. Suex was
sanctioned on September 21, 2021, for facilitating financial
transactions for ransomware actors. Chatex is being designated
pursuant to Executive Order (E.O.) 13694, as amended, for
providing material support to Suex and the threat posed by
criminal ransomware actors.

is designating Ukrainian Yaroslav Vasinskyi (Vasinskyi) and
Russian Yevgeniy Polyanin (Polyanin) for their part in
perpetuating Sodinokibi/REvil ransomware incidents against the
United States. Vasinskyi deployed ransomware against at least
nine U.S. companies. Vasinskyi is also responsible for the July
2021 ransomware activity against Kaseya, which caused
significant disruptions to the computer networks of Kaseya’s
customer base. Polyanin also deployed ransomware, targeting
several U.S. government entities and private-sector companies.
These two individuals are part of a cybercriminal group that has
engaged in ransomware activities and received more than $200
million in ransom payments paid in Bitcoin and Monero. OFAC is
also designating a company owned by Polyanin, pursuant to E.O.
13694 as amended. Malicious cyber activities against the U.S.
government and private sector will be aggressively investigated
and pursued. Companies are encouraged to report all ransomware
incidents to law enforcement, as well as any payments with a
potential sanctions nexus to OFAC, and strengthen their cyber

As a result of today’s designation, all property and interests
in property of the designated targets that are subject to U.S.
jurisdiction are blocked, and U.S. persons are generally
prohibited from engaging in transactions with them.
Additionally, any entities 50 percent or more owned by one or
more designated persons are also blocked. In addition, financial
institutions and other persons that engage in certain
transactions or activities with the sanctioned entities and
individuals may expose themselves to sanctions or be subject to
an enforcement action. Today’s action does not implicate a
sanctions nexus to any particular Ransomware-as-a-Service (RaaS)

In addition, the Financial Crimes Enforcement Network (FinCEN) is releasing an update today to its 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. The updated Advisory reflects information released by FinCEN in its Financial Trend Analysis Report discussing ransomware trends, issued on October 15, 2021, and includes information on current trends and typologies of ransomware and associated payments as well as recent examples of ransomware incidents. The updated Advisory also sets out financial red flag indicators of ransomware-related illicit activity to assist financial institutions, including virtual currency service providers, in identifying and reporting suspicious transactions associated with ransomware payments, consistent with their obligations under the Bank Secrecy Act.