US Treasury Blacklists Several More Bitcoin Addresses Allegedly Tied to Iran Ransomware Attacks

The U.S. Treasury Department added nine individuals and six bitcoin addresses to its blacklist Wednesday, under its “cyber-related designations” bucket.

The addresses were specifically tied to two individuals – Amir Hossein Nikaeen Ravari and Ahmad Khatibi Aghada – who allegedly helped develop and deploy ransomware as members of Iran’s Islamic Revolutionary Guard Corps (IRGC), according to a press release published by the Treasury Department.

The sanctioning came as U.S. government officials charged three individuals with hacking-related crimes. Alongside Mansour Ahmadi, Nikaeen Ravari and Aghada allegedly broke into hundreds of U.S. companies and deployed ransomware to several of these entities, including U.S. infrastructure entities, the Justice Department claimed.

The individuals are part of a hacker group that targeted hospitals, transportation companies and schools with ransomware, Treasury officials said in a press statement. It further accused the group of mounting a cyber attack against a rural electric utility company in October 2021.

The wallets held no bitcoin as of Tuesday; their balances were drained between last October and this past May. One address linked to both individuals held 2.49 BTC over the course of its life.

Several of the addresses have not been active since 2021, according to on-chain data.

The Treasury Department’s Office of Foreign Assets Control (OFAC) has added a number of Iranian officials to its Specially Designated Nationals (SDN) list in recent weeks over cyberattacks allegedly committed by members of Iran’s government.

U.S. persons and entities – meaning anyone on American soil or any U.S. citizens abroad – are barred from transacting with the addresses or people added to the sanctions list.

Last week, OFAC added Iran’s Minister of Intelligence, Esmail Khatib, and its Ministry of Intelligence and Security, to the SDN list for allegedly attacking the country of Albania, which faced an unspecified hack earlier this year (Iran has denied the allegations).

OFAC has sanctioned crypto wallet addresses for years now, having first done so in 2018 when two other Iranian residents were accused of laundering funds for ransomware creators.

UPDATE (Sept. 14, 2022, 15:15 UTC): Adds additional detail.