PwC Discovers Iranian Link to Bitcoin (BTC) Laundering on WEX Exchange


Iranian nationals linked to the SamSam ransomware were using the WEX exchange to launder their funds, auditing giant PwC has discovered. Using data from the US Department of Justice (DoJ), the firm established that the hacker group used BTC-E, as the Russian exchange was previously called, before the market closed in September 2018.

BTC-E was used to liquidate as much as 95% of ransomware payments since 2014. The exchange allegedly laundered up to $4 billion, of which $1.9 billion came from the SamSam ransomware scheme, and also saw inflows from the Blue Athena threat group. The stream of dark business funds continued into the rebranded exchange, which claimed to be unrelated to the previous market. However, the behavior of WEX resembled that of BTC-E, as noted in the auditor’s report.

PwC linked the exchange with the SamSam scheme by tracking known Bitcoin addresses revealed by the DoJ investigation. Two Iranian nationals, Mohammad Ghorbaniyan and Ali Khorashadizadeh, were indicted in November 2018 for spreading the SamSam ransomware.

WEX closed after a dramatic month of problematic withdrawals. Traders could not take out BTC, so they tried to withdraw Tether (USDT) instead, which raised its price to as much as $8 from the usual $1 peg.

The laundering accusations led to the arrest of Alexander Vinnik in July 2017 and his extradition from Greece to the USA. Most of the SamSam laundering happened during the BTC-E era.

PwC has also linked the usage of BTC-E to Russia’s Main Intelligence Directorate (GRU). Allegedly, the agency used the exchange to hide transfers of BTC, but those were relatively small – a sum of 0.026 BTC was sent to a specific address on January 1, 2016. The reason for the transaction is unknown.

Exchanges are still used to launder BTC and other digital currencies as various hacker groups acquire coins and tokens through ransomware, breaches, exploits, or other means. Liquidation on exchanges is generally difficult to track, especially on relatively small markets with less strict trader monitoring procedures.

Laundering funds through small-scale exchanges is seen as one of the key threats for the cryptocurrency sector when it comes to illegal activity. There are currently suggestions that another defunct platform, Canada’s QuadrigaCX, had been used to transfer, mix, or launder funds from criminal operations.