FinCEN warns ransomware proceeds could be part of Russia sanctions evasion

Treasury is reminding banks and other institutions of "red flags" as they handle cryptocurrency that could potentially be headed to Russia.

As banks and other financial institutions work to honor the U.S. sanctions against Russia and monitor for efforts to evade them, the feds are warning that ransomware proceeds could be in the mix.

The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued guidance this week on the responsibility that private institutions have for detecting “sanctions evasion activity” and reporting it under the Bank Secrecy Act and other laws.

The alert comes as federal lawmakers have expressed concern about the use of crypto to evade sanctions, and Bloomberg is reporting that the Biden administration is preparing an executive order on the topic this week.

At least one big player in the cryptocurrency industry, the trading platform Coinbase, already has expressed a commitment to supporting sanctions from the U.S. and other nations looking to punish Russia for its invasion of Ukraine. Coinbase said it had blocked 25,000 accounts linked to Russian people or entities.


The FinCEN document lists 13 “red flags” for transactions involving what FinCEN calls “convertible virtual currency,” essentially cryptocurrencies like bitcoin or ethereum. Three of the red flags directly apply to suspicious activity that can signify the laundering of ransomware proceeds:

• Attempts to “break the chain of custody” on the currency by initiating multiple, rapid trades across several types of digital coins, “with no apparent related purpose, followed by a transaction off the platform.”
• Transfers of funds involving a “mixing service” — essentially a third-party organization that pools currencies together in a way that hides where they came from.
• Activity that exposes an institution, directly or indirectly, to transactions already identified by blockchain tracing software as being related to ransomware.

FinCEN said institutions should “quickly report suspicious activity associated with potential sanctions evasion, and conduct appropriate risk-based customer due diligence or, where required, enhanced due diligence.”

Cryptocurrency-tracking company Chainalysis noted that the alert is important “because Russian cybercriminals play an outsized role in overall ransomware activity, and some Russian ransomware organizations have already voiced their intent to aid Russia in its war efforts.” Earlier this year, Chainalysis noted the significant role of Moscow-based financial companies in the crypto trade.

In outlining its response to the sanctions, Coinbase argued that cryptocurrencies “have properties that naturally deter common approaches to sanctions evasion,” because “digital asset transactions are traceable, permanent, and public.”


Changpeng Zhao, the founder of trading platform Binance, argued last week that “crypto is too small for Russia,” given the relatively low rate of adoption around the world.

Ransomware remains attractive to cybercrime groups with known Russian connections. After a recent disruption, the Conti gang reportedly bounced back and is hitting new targets with malware and ransom demands.
