Crypto Exchange WEX Linked to Iranian Ransomware Operators, Says PwC

Cryptocurrency exchange WEX, formerly called BTC-e, may have been used to launder illicit gains from the SamSam ransomware, according to PwC.

Mar 5, 2019 at 12:40 p.m. UTC
Updated Aug 18, 2021 at 10:54 p.m. UTC


Cryptocurrency exchange WEX, successor to the shuttered BTC-e exchange, has again been tied to illicit funds gained through ransomware attacks.

According to a recent bulletin from consulting firm PwC, two Iranians said to have created the SamSam ransomware variant have been tied to the exchange and may have used it to launder their millions in illegal earnings.

Iranians Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were formally charged by the U.S. Department of Justice last November for deploying SamSam ransomware to extort funds from hospitals, local governments and public institutions. The six-count indictment alleged that the duo collected over $6 million in ransom payments and caused over $30 million in losses to victims.

At the time, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) also added two other Iran residents, Ali Khorashadizadeh and Mohammad Ghorbaniyan, to its Specially Designated Nationals list for their role in facilitating financial transactions related to the SamSam ransomware on behalf of Savandi and Mansouri.

The OFAC also connected bitcoin addresses associated with Khorashadizadeh and Ghorbaniyan with other identifying information, such as physical addresses, post office boxes, email addresses and aliases.

PwC said it analyzed the addresses provided by the OFAC and found that two exchange websites – Enexchanger and Iranvisacart – are connected to Khorashadizadeh and Ghorbaniyan, and allow payments through WEX. The FBI has previously linked both sites with money laundering, according to the report.

The Enexchanger website, for example, listed trading pairs, including in cryptocurrencies, PwC said, adding: “One of the cryptocurrency swaps offered is WEX-code to USD, which is a code that allows transferring of funds directly from [WEX] users.”

Further, citing evidence from a firm that tracks illicit crypto activity, PwC said that WEX/BTC-e and a crypto exchange based in Slovakia have been used to launder bitcoin by a threat actor tracked as “Blue Athena.”

“The use of Iran- and Slovakia-based exchanges suggests that threat actors favour using lesser-known currency exchanges,” PwC said. “This is likely because the more popular exchanges have monitoring or compliance programmes to detect illicit activities.”

WEX rose from the ashes of the BTC-e platform after it was shuttered by international law enforcement officials in 2017. At the same time, its alleged operator, Alexander Vinnik, was arrested over claims he had laundered some $4 billion in bitcoin since 2011.

In its report, PwC said of the exchange:

“WEX is most notably known for its alleged involvement in the laundering of some USD 4 billion, transferring of funds to facilitate operations of the threat actor tracked by PwC as Blue Athena, and being responsible for cashing out 95% of all ransomware payments made since 2014.”

In October 2018, cryptocurrency exchange Binance also froze accounts that received more than 93,000 ether from two wallets indirectly linked to WEX/BTC-e.

Disclosure

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.