What is 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V ?
Some of you probably figured out that it is a cryptocurrency (AKA Bitcoin) wallet. But there is something that makes this bitcoin wallet different from the tens of millions of Bitcoin wallets out there in the wild.
Making a payment to this Bitcoin wallet may classify you a terrorist and subject you to arrest and prosecution.
But, you say, you were hit by a ransomware attack and you need your data back.
Sorry, says the government, you are still a terrorist.
Enough, you say, with this riddle. Explain what the **bleep** is going on.
OK, here is the story and most of it is not news to anyone who has worked in financial services.
The U.S. Treasury Department has an office (AKA Department) called OFAC or Office of Foreign Asset Control. Predecessors to the current OFAC department have around at least since the 1940s.
The idea behind OFAC is to make sure that U.S. businesses and citizens do not send money to terrorists. In fact, when I was in the title and escrow business, we checked each and every payment, both inbound and outbound to make sure that we were not accepting money from terrorists nor sending money to terrorists. We had special software to do this since we made tens of thousands of payments a day.
OFAC manages a list of what they call Specially Designated Nationals (SDN) or, basically, terrorists or people that help them. As of today, that list is contained in a PDF file that is 1254 pages long.
As a way to try to squeeze terrorists, the government has started adding cryptocurrency wallet addresses to the SDN list. The government expects that every time you make a cryptocurrency transaction, you check to make sure that the recipient is not on the SDN list. If you use a service like Coinbase or one of its competitors, they do that for you. If you arrange for the Bitcoin transfer yourself, they expect you to do it.
Since the Bitcoin blockchain (unlike many other blockchains) is publicly visible, it is pretty easy for the government to look at transactions and see if anyone in the U.S. is sending money to that wallet. Since transfers are relatively anonymous if done carefully (like you only use that wallet for one transaction and other restrictions), the government may or may not try and find you if you violate the OFAC rules, but if you are a money handler, they will definitely come after them. If you put money into a Bitcoin wallet from a bank account to pay the hacker, anonymity is totally gone – FYI.
Penalties, recently, for violating OFAC rules varied from a low of $87,000 to a high of $53,966,000 . Big range, although $87,000 is still a large number.
There is a mechanism for requesting a waiver to send money to a person on the SDN list (called a blocked person or blocked entity), but I doubt the process is simple or quick, two things that are probably important when you are trying to unlock your data.
The simple solution is don’t get attacked by ransomware (easier said than done) or only get hacked by friendly hackers or hope that your attacker is not on the SDN list. Otherwise, check and see if the person you are paying is on the bad guy list.
We live in interesting times. Information for this post came from Bleeping Computer and information on OFAC and the SDN list can be found here.