The US on Wednesday imposed cyber-related sanctions on two Iranians it said had helped exchange digital Bitcoin currency obtained from ransom payments into Iranian riyal and charged two Iranian hackers involved in a ransomware conspiracy that netted them millions of dollars.
More than 7,000 transactions in Bitcoin had been traced to two digital currency addresses operated by the first two men, according to the Treasury.
Naming them as Ali Khorashadizadeh and Mohammad Ghorbaniyan, the Treasury's Office of Foreign Assets Control (Ofac) said the conspiracy involved the SamSam ransomware scheme where hackers targeted electronic systems at American hospitals, universities and government agencies.
Their digital currency addresses are the first to be publicly attributed to persons placed on a US sanctions blacklist, Ofac said.
“Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims,” said Treasury under secretary for terrorism and financial intelligence Sigal Mandelker.
“As Iran becomes increasingly isolated and desperate for access to US dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes.”
Such exchanges transfer traditional currencies into Bitcoin, or Bitcoin into traditional currencies.
Criminal ransomware activity relies on electronic capability to encrypt data on mainframe style systems. The conspirators then offer to decrypt the data in return for payment.
“Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber to further their nefarious objectives,” Ms Mandelker added.
In a related action the Justice Department indicted two different Iranians for infecting data networks with SamSam ransomware in the US, Britain and Canada since 2015.
According to the indictment, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, both operating in Iran, authored and deployed SamSam ransomware to hack into networks.
Their targets included the US cities of Newark and Atlanta, the port of San Diego, Colorado's Transportation Department as well as a hospital and a medical laboratory.
“The defendants' objective allegedly was to prevent these victims from accessing or using data on the compromised computers, forcing them to shut down or dramatically curtail their operations,” the Justice Department said.
“According to the indictment, the defendants then extorted ransom payments from their victims by threatening otherwise to delete the decryption keys needed to unlock the compromised computers,” it added.
In total, the defendants allegedly hacked and extorted more than 200 victims, and collected more than $6 million in criminal proceeds, according to the charges. The victims also incurred additional losses exceeding $30 million because they were unable to access their data.
The 25-page indictment charges that the hackers' scheme was for their own personal profit, and was not government directed.
Both men are believed to be in Iran and are considered fugitives from justice, US officials said.
The Treasury and Justice departments' announcements came shortly before the US Special Representative for Iran Brian Hook said he would on Thursday deliver remarks and showcase evidence about Tehran's transfer of arms to proxy groups and issue an update on the regime's latest ballistic missile work.
“This display contains clear and tangible evidence that the Iranian regime is arming dangerous groups with advanced weapons, and spreading instability and conflict in the region, which poses a threat to international peace and security,” the State Department said in advance of the briefing to take place at a military base in southeast Washington DC.
The three separate announcements are the latest sign of the Trump administration's efforts to sanction individuals or entities in Iran.