According to a recent bulletin from consulting firm PwC, two Iranians said to have created the SamSam ransomware variant have been tied to the exchange and may have used it to launder their millions in illegal earnings.
Iranians Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were formally charged by the U.S. Department of Justice last November, for deploying SamSam ransomware to extort funds from hospitals, local governments and public institutions. The six-count indictment alleged that the duo collected over $6 million in ransom payments and caused over $30 million in losses to victims.
Cryptocurrency exchange WEX, successor to the shuttered BTC-e exchange, has again been tied to illicit funds gained through ransomware attacks.
At the time, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) also added two other Iran residents, Ali Khorashadizadeh and Mohammad Ghorbaniyan, to its Specially Designated Nationals list for their role in facilitating financial transactions related to the SamSam ransomware on behalf of Savandi and Mansouri.
The OFAC also connected bitcoin addresses associated with Khorashadizadeh and Ghorbaniyan, with other identifying information, such as physical addresses, post office boxes, email addresses and aliases.
PwC said it analyzed the addresses provided by the OFAC and found that two exchange websites – Enexchanger and Iranvisacart – are connected to Khorashadizadeh and Ghorbaniyan, and allow payments through WEX. The FBI has previously linked both sites with money laundering, according to the report.
The Enexchanger website, for example, listed trading pairs including in cryptocurrencies, PwC said, adding “One of the cryptocurrency swaps offered is WEX-code to USD, which is a code that allows transferring of funds directly from [WEX] users.”
Further, citing evidence from a firm that tracks illicit crypto activity, PwC said that WEX/BTC-e and a crypto exchange based in Slovakia have been used to launder bitcoin by a threat actor tracked as “Blue Athena.”
“The use of Iran- and Slovakia-based exchanges suggests that threat actors favour using lesser-known currency exchanges,” PwC said. “This is likely because the more popular exchanges have monitoring or compliance programmes to detect illicit activities.”
WEX rose from the ashes of the BTC-e platform after it was shuttered by international law enforcement officials in 2017. At the same time, its alleged operator, Alexander Vinnik, was arrested over claims he had laundered some $4 billion in bitcoin since 2011.
In its report, PwC said of the exchange:
“WEX is most notably known for its alleged involvement in the laundering of some USD 4 billion, transferring of funds to facilitate operations of the threat actor tracked by PwC as Blue Athena, and being responsible for cashing out 95% of all ransomware payments made since 2014.”
In October 2018, cryptocurrency exchange Binance also froze accounts that received more than 93,000 ether from two wallets indirectly linked to WEX/BTC-e.