The report is based on information that was previously disclosed by the United States Department of Justice (DoJ). According to the DoJ, two Iranians — Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri — were responsible for creating SamSam. SamSam is ransomware that demands payment in Bitcoin and reportedly damaged multiple U.S. companies, government agencies, universities, and hospitals. Within 34 months the hackers managed to extort over $6 million in Bitcoin and cause over $30 million in losses.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned two more Iranians, Mohammad Ghorbaniyan and Ali Khorashadizadeh. They were allegedly operating Iran-based crypto exchanges that helped Savandi and Mansouri to exchange the BTC extorted via SamSam.
After analyzing wallet addresses and emails provided by the U.S. government, PwC came to the conclusion that Khorashadizadeh and Ghorbaniyan could be linked to crypto exchange WEX.
WEX was known as BTC-e prior to a rebranding move in September 2017. The exchange rebranded in order to distance itself from a money laundering investigation that shuttered BTC-e in July of that same year. PwC further states that BTC-e was involved in exchanging at least $1.9 million related to SamSam:
“BTC-e is known for its involvement in laundering approximately $4 billion and is responsible for cashing out 95 percent of all ransomware payments made from 2014 to 2017 — of which $1.9 million came from SamSam ransomware.”