Cryptocurrency exchange WEX, successor to the shuttered BTC-e exchange, has again been tied to illicit funds gained through ransomware attacks.
According to a recent bulletin from consulting firm PwC, two Iranians said to have created the SamSam ransomware variant have been tied to the exchange and may have used it to launder their millions in illegal earnings.
Iranians Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were formally charged by the U.S. Department of Justice last November, for deploying SamSam ransomware to extort funds from hospitals, local governments and public institutions. The six-count indictment alleged that the duo collected over $6 million in ransom payments and caused over $30 million in losses to victims.
At the time, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) also added two other Iran residents, Ali Khorashadizadeh and Mohammad Ghorbaniyan, to its Specially Designated Nationals list for their role in facilitating financial transactions related to the SamSam ransomware on behalf of Savandi and Mansouri.
The OFAC also connected bitcoin addresses associated with Khorashadizadeh and Ghorbaniyan, with other identifying information, such as physical addresses, post office boxes, email addresses and aliases.
PwC said it analyzed the addresses provided by the OFAC and found that two exchange websites – Enexchanger and Iranvisacart – are connected to Khorashadizadeh and Ghorbaniyan, and allow payments through WEX. The FBI has previously linked both sites with money laundering, according to the report.
The Enexchanger website, for example, listed trading pairs including in cryptocurrencies, PwC said, adding “One of the cryptocurrency swaps offered is WEX-code to USD, which is a code that allows transferring of funds directly from [WEX] users.”