The Treasury Department's Financial Crimes Enforcement Network (FinCEN) warned U.S. financial institutions this week to keep an eye out for attempts to evade sanctions and U.S.-imposed restrictions following Russia's invasion of Ukraine.
Although unlikely, FinCEN added that convertible virtual currency (CVC) — the term used by the U.S. Treasury to describe unregulated digital currency like cryptocurrency — exchanges and other financial institutions may still observe transactions linked to crypto wallets associated with sanctioned Russian, Belarusian, and affiliated individuals.
In such cases, FinCEN said that it's critical to "identify and quickly report suspicious activity associated with potential sanctions evasion, and conduct appropriate risk-based customer due diligence or, where required, enhanced due diligence."
In the past few years, we have seen a rise in ransomware attacks fueled by cryptocurrency. Unlike traditional fiat currency, cryptocurrency is decentralized and unregulated. While these digital transactions are recorded, it is difficult to trace them back to a defined source as the currency is moved from one account to another. In turn, threat actors have been able to extort huge ransom payments from their victims, including large institutions, hospitals, and even government organizations. With the recent sanctions imposed on Russia, we are likely to see continued growth in ransomware attacks involving ransom payments requested in cryptocurrencies such as Bitcoin and Ethereum.
FinCEN has provided examples of red flags that would help identify suspicious activity that may be linked to sanctions evasion and reminded financial institutions of their duty to report such events under the Bank Secrecy Act.
Out of the list of all red flags included in the alert, the following three specifically relate to potential money laundering of payments from ransomware attacks and other cybercrime activity:
- A customer receives CVC from an external wallet and immediately initiates multiple, rapid trades among multiple CVCs with no apparent related purpose, followed by a transaction off the platform. This may indicate attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
- A customer initiates a transfer of funds involving a CVC mixing service.
- A customer has direct or indirect transaction exposure identified by blockchain tracing software as related to ransomware.
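
The three red flags above can be expressed as screening rules over an exchange's transaction ledger. The following is an added example, not code from FinCEN or from the alert; the record layout, the counterparty labels, and the 30-minute / three-trade / three-asset thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds and tracing-tool labels; the FinCEN alert specifies neither.
WINDOW, MIN_TRADES, MIN_ASSETS = timedelta(minutes=30), 3, 3
LABEL_FLAGS = {"mixer": "mixer_transfer", "ransomware": "ransomware_exposure"}

# Constructed sample ledger: (customer, time, kind, assets, counterparty label)
EVENTS = [
    ("cust-A", "2022-03-10T09:00:00", "deposit_external", ("BTC",), None),
    ("cust-A", "2022-03-10T09:02:00", "trade", ("BTC", "ETH"), None),
    ("cust-A", "2022-03-10T09:04:00", "trade", ("ETH", "XMR"), None),
    ("cust-A", "2022-03-10T09:05:00", "trade", ("XMR", "LTC"), None),
    ("cust-A", "2022-03-10T09:09:00", "withdraw_external", ("LTC",), None),
    ("cust-B", "2022-03-10T10:00:00", "deposit_external", ("BTC",), "ransomware"),
    ("cust-B", "2022-03-11T15:00:00", "withdraw_external", ("BTC",), "mixer"),
    ("cust-C", "2022-03-10T11:00:00", "deposit_external", ("ETH",), None),
    ("cust-C", "2022-03-10T11:05:00", "trade", ("ETH", "BTC"), None),
    ("cust-C", "2022-03-10T11:10:00", "withdraw_external", ("BTC",), None),
]

def red_flags(events):
    """Return {customer: sorted list of red-flag names raised by their events}."""
    by_cust = {}
    for cust, ts, kind, assets, label in events:
        by_cust.setdefault(cust, []).append((datetime.fromisoformat(ts), kind, assets, label))
    result = {}
    for cust, rows in by_cust.items():
        rows.sort(key=lambda r: r[0])
        flags = set()
        for i, (t0, kind, _, label) in enumerate(rows):
            if label in LABEL_FLAGS:  # mixer transfer or ransomware exposure
                flags.add(LABEL_FLAGS[label])
            if kind != "deposit_external":
                continue
            # Collect trades that follow this external deposit inside the window
            trades = []
            for t, k, assets, _ in rows[i + 1:]:
                if t - t0 > WINDOW:
                    break
                if k == "trade":
                    trades.append(assets)
                elif k == "withdraw_external":
                    distinct = {a for pair in trades for a in pair}
                    if len(trades) >= MIN_TRADES and len(distinct) >= MIN_ASSETS:
                        flags.add("rapid_chain_hop")
                    break
        result[cust] = sorted(flags)
    return result

print(red_flags(EVENTS))
```

A single trade between deposit and withdrawal (cust-C) raises nothing; only the burst of trades across several assets that ends in an off-platform transfer does.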