Treasury Sanctions Iranian Hackers And Bitcoin Addresses
Per an update from the U.S. Department of the Treasury, several Iranian nationals and the Bitcoin addresses they control have been sanctioned. The official release names Ahmad Khatibi Aghda and Amir Hossein Nikaeen, among others, and lists at least seven Bitcoin addresses under their control.
In an indictment filed in the U.S. District Court for the District of New Jersey, these two and Mansour Ahmadi are charged with conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer, and transmitting ransom demands, payable in Bitcoin, in connection with that damage.
The indictment, unsealed today by the U.S. Department of Justice (DoJ), alleges that the group's activity began in October 2020. Operating from Iran, Nikaeen and his co-conspirators allegedly compromised computers in the United States, the United Kingdom, Israel, Russia, and other countries.
The hackers allegedly exploited "known vulnerabilities in commonly used network devices and software applications" to gain access. Once inside, they did not deploy custom ransomware: they turned on Microsoft's BitLocker, the full-disk encryption built into Windows, with a protector only they held, locking the victims out of their own machines and demanding payment in Bitcoin before surrendering control. Because BitLocker is a legitimate, signed operating-system component, the encryption step itself trips no malware signature; what gives the activity away is how and from where it is invoked.
In a report published in early September, Microsoft acknowledged these attacks and attributed a large portion of them to a group it tracks as DEV-0270, also known as "Nemesis Kitten", which it describes as a sub-group of the Iranian state actor PHOSPHORUS. The report characterizes the attacks as "widespread" and says the group operates on behalf of the government of Iran.
The indictment does not mention any connection between the defendants and PHOSPHORUS, but the scheme it describes is similar: the group demands a payment of up to $8,000 to release the computer, and if the victim refuses, it sells the stolen data on the internet.
Enabling BitLocker through malicious commands renders the victim's computer unusable, according to Microsoft:
DEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, which leads to the hosts becoming inoperable.
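The practical question for a defender is how to spot BitLocker being switched on by an attacker's script rather than by an administrator or management agent. The following is an added detection example, not code from the article or from Microsoft's report. It scans process-creation records (the fields Windows Security Event 4688 and Sysmon Event 1 both carry, constructed here inline as sample data) and flags `manage-bde -on` or `Enable-BitLocker` invocations, rating them high when the parent is `cmd.exe` running a `.bat` file, as Microsoft described for DEV-0270's `setup.bat`. The hostnames, paths and timestamps in the sample events are made up for illustration.

```python
"""Flag BitLocker being enabled from a batch script in process-creation logs.

Added example (not from the article or Microsoft's report). Sample events are
constructed; hostnames, paths and timestamps are invented for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields shared by Security 4688 and Sysmon 1)."""
    timestamp: str
    host: str
    parent_command_line: str
    command_line: str


# Ways to switch BitLocker on from a command line: "manage-bde -on <volume>" or the
# Enable-BitLocker cmdlet. "-status", "-off", "-unlock" and friends are not flagged.
MANAGE_BDE_ON = re.compile(r"manage-bde(?:\.exe)?\s+[-/]on\b", re.IGNORECASE)
ENABLE_BITLOCKER = re.compile(r"\bEnable-BitLocker\b", re.IGNORECASE)
# A password or recovery-password protector (manage-bde -pw/-rp, Enable-BitLocker
# -PasswordProtector) lets the operator, rather than the TPM, hold the unlock secret.
PW_PROTECTOR = re.compile(r"[-/](?:pw|password|rp|recoverypassword)", re.IGNORECASE)
# Parent is cmd.exe executing a .bat file, the setup.bat pattern Microsoft described.
BATCH_PARENT = re.compile(r"\bcmd(?:\.exe)?\b.*\.bat\b", re.IGNORECASE)


def classify(ev: ProcessEvent) -> Optional[dict]:
    """Return a finding for BitLocker-enable events, None for everything else."""
    cmd = ev.command_line
    if not (MANAGE_BDE_ON.search(cmd) or ENABLE_BITLOCKER.search(cmd)):
        return None
    reasons = ["BitLocker enabled from the command line"]
    # An administrator enabling BitLocker interactively is plausible: medium, review it.
    severity = "medium"
    if BATCH_PARENT.search(ev.parent_command_line):
        reasons.append("launched by cmd.exe running a .bat file")
        severity = "high"
    if PW_PROTECTOR.search(cmd):
        reasons.append("password/recovery-password protector specified")
    return {
        "timestamp": ev.timestamp,
        "host": ev.host,
        "severity": severity,
        "reason": "; ".join(reasons),
        "command_line": cmd,
    }


def detect(events) -> list:
    """Run classify() over a sequence of events, keeping only the findings."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample log: two script-driven enables, one status query, one
# interactive enable from Explorer, and one unrelated edit of a .bat file.
SAMPLE_EVENTS = [
    ProcessEvent("2022-09-01T03:12:44Z", "WS01",
                 r"C:\Windows\System32\cmd.exe /c C:\Users\Public\setup.bat",
                 "manage-bde.exe -on C: -pw -rp"),
    ProcessEvent("2022-09-01T03:13:02Z", "SRV02",
                 r"C:\Windows\System32\cmd.exe /c C:\Windows\Temp\setup.bat",
                 "powershell.exe -Command Enable-BitLocker -MountPoint C: -PasswordProtector"),
    ProcessEvent("2022-09-01T08:00:10Z", "WS03",
                 r"C:\Windows\System32\svchost.exe -k netsvcs",
                 "manage-bde.exe -status C:"),
    ProcessEvent("2022-09-01T09:41:27Z", "WS04",
                 r"C:\Windows\explorer.exe",
                 "manage-bde.exe -on D: -UsedSpaceOnly"),
    ProcessEvent("2022-09-01T10:05:00Z", "WS05",
                 r"C:\Windows\System32\cmd.exe /c C:\Users\Public\setup.bat",
                 "notepad.exe setup.bat"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']} {finding['timestamp']} "
              f"{finding['reason']}: {finding['command_line']}")
```

The parent-process check is what separates this from a noisy "any BitLocker activity" rule: enterprise enablement normally arrives through a management agent or an interactive administrator, not through a batch file dropped in a writable directory, and a password or recovery-password protector set at the same time is the tell that whoever ran the script intends to hold the key.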
Treasury Sanctions Bitcoin Addresses, What Are The Implications?
The indictment alleges that the Iranian hackers hit small businesses, government agencies, non-profit programs, educational and religious institutions, and organizations in multiple critical infrastructure sectors, including healthcare and transportation.
The hackers often set up websites whose names mimicked those of legitimate technology companies to lure victims. Once they had access to a computer, they demanded payment in Bitcoin and other cryptocurrencies, supplying an email address for contact, as seen below.
U.S. authorities were able to link the hackers to the attacks through their Bitcoin addresses: the actors reused the same addresses across their ransom demands, which let investigators tie otherwise separate incidents to one group.
Law enforcement agencies have previously traced stolen funds and identified criminals through their BTC transactions. Because every Bitcoin transaction is recorded on a public ledger, some authorities regard Bitcoin as a tool that discourages rather than enables criminal activity.
U.S. Attorney for the District of New Jersey Philip Sellinger said the following on the case:
By charging them in this indictment, by publicly naming them, we are stripping their anonymity away. They cannot operate anonymously from the shadows anymore. We have put a spotlight on them as wanted criminals.
U.S. Treasury sanctions have been the object of controversy in the crypto space. A few weeks ago, the department sanctioned Tornado Cash, an Ethereum-based mixing service, in a move that many experts considered "crossing a line".
It was the first time the department had sanctioned a piece of software rather than a person or organization. The Treasury has since released guidance on how people can "safely" withdraw their funds from the service and acknowledged that some users were affected simply by interacting with the addresses associated with Tornado Cash. What will happen to those who have interacted with the Bitcoin addresses sanctioned today?