9/26/21, 9:42 PM FDD | Treasury Takes Aim at Ransomware and Illicit Cryptocurrency Trading

September 23, 2021 | Policy Brief

Treasury Takes Aim at Ransomware and Illicit Cryptocurrency Trading

RADM (Ret) Mark Montgomery, CCTI Senior Director and Senior Fellow
Annie Fixler, CCTI Deputy Director

The U.S. Treasury Department on Tuesday issued the first-ever sanctions against a virtual currency exchange
platform, SUEX, for knowingly facilitating ransomware payments and other illicit financial transactions. Treasury’s
action was a demonstration of long-held department policy that cryptocurrency exchanges are subject to the same
anti-money laundering (AML) standards as formal financial institutions.

As a result of the sanctions, Washington will block SUEX’s ability to interact with the U.S. financial system, and
international banks will likely cut off the exchange as well because of SUEX’s failure to prevent illicit transactions.
While malicious actors often exploit unwitting exchanges to move their ill-gotten gains, SUEX facilitates illegal
activities for its own profit, Treasury said. More than 40 percent of the transactions on SUEX occur between
criminals, Treasury estimated, and the exchange has facilitated proceeds from at least eight ransomware groups.

The sanctions also demonstrate the department’s modus operandi of targeting smaller actors with limited ties to the
United States to pressure larger ones into preventing illicit activity more assiduously. “Shutting down one exchange
will not materially alter the threat landscape,” Rep. Jim Langevin (D-RI) observed, but it is “an important
demonstration of our resolve.”

Michael Phillips, co-chair of the Ransomware Task Force, a coalition of government agencies, private industry
groups, and think tanks, noted that “sanctioning those bad actors puts pressure on actors who may be operating in a
grayer space, who may [now] be inclined to start to invest in compliance.”

The Russia-based SUEX may indeed be a smaller target in the cryptocurrency ecosystem, but it “filled an essential
niche” for converting “illicit crypto ransoms into real-world currency,” the blockchain intelligence and analytics firm
TRM Labs explained in a Tuesday report on SUEX’s operations.

According to blockchain data platform Chainalysis, whose research Treasury used as part of its investigation into
SUEX, 82 percent of all ransomware funds transit only five cryptocurrency exchanges. Chainalysis estimates that
SUEX alone has received and facilitated tens if not hundreds of millions of dollars’ worth of cryptocurrency payments
associated with ransomware and other cybercrime.

Treasury also issued updated guidance reminding companies that paying ransoms may run afoul of existing laws if
Treasury has previously sanctioned the hackers or anyone else involved in the transaction. The guidance echoes other
government requests for victims to work with law enforcement and not to pay ransoms, but includes a more explicit
incentive: If Treasury discovers a nexus between the ransomware payment and a designated entity in the future that
would lead to penalties against the company paying the ransom, the victim’s “full and ongoing cooperation with law
enforcement both during and after a ransomware attack” will be a “significant mitigating factor.” In other words,
Treasury is unlikely to take action against the company if it reported the cyber incident to law enforcement.

As part of a larger government effort, deploying Treasury’s most pointed economic tool can help combat ransomware
and other illicit transactions that have blossomed in the age of cryptocurrencies. Treasury can shape market
behavior and make it harder for bad actors to move illicit funds. In June 2021, the Justice Department revealed other
tools to make ransomware unprofitable when it announced it had clawed back the profits from the May ransomware
attack against Colonial Pipeline by Russia-based hackers.

At the end of the day, hackers will keep launching ransomware attacks until they are no longer profitable. Decreasing
ransomware’s profitability by making it harder to move money and by stripping hackers of their intake constitutes an
important cost-imposition strategy. But the solution also entails convincing private companies to invest in
cybersecurity and to build their resilience so that when hackers try to extort payments, victims can refuse to pay.

Long-term success in the fight against ransomware will occur only if the Biden administration follows through on
Deputy Secretary Wally Adeyemo’s pledge on Tuesday that this is just the first of many actions to come.

Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for
Defense of Democracies (FDD) and serves as a senior advisor to the Cyberspace Solarium Commission. Annie Fixler
is CCTI’s deputy director. They also contribute to FDD’s Center on Economic and Financial Power (CEFP). For more
analysis from the authors, CCTI, and CEFP, please subscribe HERE. Follow Mark and Annie on Twitter
@MarkCMontgomery and @afixler. Follow FDD on Twitter @FDD, @FDD_CCTI, and @FDD_CEFP. FDD is a
Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.

https://www.fdd.org/analysis/2021/09/23/treasury-ransomware-cryptocurrency/