US Treasury said it tied $5.2 billion in BTC transactions to ransomware payments
Catalin Cimpanu October 15, 2021

The financial crimes investigation unit of the US Treasury Department, also known as FinCEN, said today it identified approximately $5.2 billion in outgoing Bitcoin transactions potentially tied to ransomware payments.

FinCEN officials said the figure was compiled by analyzing 2,184 Suspicious Activity Reports (SARs) filed by US financial institutions over the last decade, between January 1, 2011, and June 30, 2021.

While the initial SARs highlighted $1.56 billion in suspicious activity, a subsequent FinCEN investigation of the Top 10 most common ransomware variants exposed additional transactions, amounting to around $5.2 billion from these groups alone.

[Figure: FinCEN ransomware totals. Image: FinCEN]

$590 million in ransomware payments in H1 2021

But while the FinCEN report included some historical data on past ransomware attacks, most of the organization’s investigation focused on the first half of 2021 and the analysis of recent trends.

According to FinCEN:

  • Financial institutions filed 635 SARs in the first half of 2021 related to suspected ransomware activity.
  • The SARs referenced 458 suspicious transactions amounting to $590 million.
  • The H1 2021 figure exceeds the value reported for the entirety of 2020, which was $416 million, showing an uptick in ransomware activity.
  • The average amount of reported ransomware transactions per month in 2021 was $102.3 million.
  • Based on SARs data, FinCEN said it identified 68 different ransomware variants active in H1 2021.
  • The most commonly reported variants in H1 2021 were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.

The report’s conclusion unequivocally points to a ramp-up in ransomware-related activities throughout 2021.

It also highlights several growing trends among ransomware money laundering operations, such as:

  • Using anonymity-enhanced cryptocurrencies, such as Monero.
  • Avoiding reusing wallet addresses to prevent security firms from easily identifying and tracking transactions.
  • Using the “chain hopping” technique to exchange funds into other cryptocurrency variants.
  • Cashing out at centralized exchanges.
  • Using mixing services and decentralized exchanges to convert proceeds.

The FinCEN report comes as the US Treasury announced plans earlier today to sanction any virtual currency entity that helps ransomware gangs launder their proceeds.

The Treasury announcement also comes a day after the Biden administration concluded a two-day meeting with representatives from more than 30 countries where officials discussed ways to combat the ransomware epidemic.

One of the methods countries agreed on during the talks was to crack down on cryptocurrency exchanges that are currently turning a blind eye and helping ransomware gangs launder and cash out their profits.

If the US Treasury decides to go this route and impose new sanctions on cryptocurrency entities for helping ransomware gangs, it would not be the first time it has done so, as the agency already sanctioned Russian cryptocurrency exchange Suex last month for the same reason.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.