World Exchange Service (WEX), successor of the infamous BTC-e that was shut down by US law enforcement and Greek authorities for its involvement in money laundering, finds itself embroiled in the notorious SamSam ransomware and computer hacking extortion case that was carried out over a period of 34 months.
The consultancy and audit firm PricewaterhouseCoopers (PwC) recently published a ‘Strategic Alliance Bulletin’ on the increasing use of cryptocurrency for illicit and fraudulent activities such as money laundering, and it mentions the ties between the SamSam ransomware and the WEX crypto trading platform.
“We identified this Iranian money laundering operation as having links with currency exchange WEX (previously known as BTC-e). WEX is most notably known for its alleged involvement of $4 billion, transferring of funds to facilitate operations of the threat actor tracked by PwC as Blue Athena, and being responsible for cashing out 95% of all ransomware payments made since 2014…of which USD 1.9 million came from SamSam ransomware.”
The SamSam ransomware bitcoin extortion
The international bitcoin extortion perpetrated by two Iranian hackers, Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi, employed a sophisticated version of SamSam ransomware that forcibly exploited security vulnerabilities to infect computers, resulting in the encryption of the data of more than 200 victims, including government agencies, hospitals, and administrative and public institutions. According to the six-count indictment filed by the US Department of Justice, Savandi and Mehdi demanded ransom in Bitcoin from the victims in exchange for decryption keys, collecting almost $6 million USD in ransom payments and causing an overall loss of $30 million.
WEX connection to the SamSam ransomware
The WEX crypto trading platform was created around the time US and Greek authorities seized BTC-e’s domain by arresting its operator, Alexander Vinnik, who was charged with money laundering and fraud. PwC wrote, “WEX claims to be unrelated to BTC-e but its website design and trading pairs are almost identical and it migrated over all the exchange’s former users after BTC-e was shut down.”
The US Department of the Treasury’s Office of Foreign Assets Control named two more Iranians, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who were complicit with the two SamSam hackers and are said to have been the primary bitcoin launderers. PwC identified Ghorbaniyan and Khorashadizadeh’s connections with the crypto platform WEX as well as a secondary exchange based in Slovakia.
PwC elaborates that the use of Iranian and Slovakia-based exchanges shows that threat actors are choosing ‘lesser known’ virtual currency exchanges to launder cryptocurrencies, because popular platforms usually have tools in place that detect illicit activities such as phishing, making it difficult for hackers to launder money. Digital asset analysts have also found that countries with minimal crypto regulation received 36 times more bitcoins from criminally linked groups than countries that have proper crypto regulation in place.