Can the U.S. Sanction What It Can’t Find?

This week, U.S. sanctions policy entered the digital age when the Treasury Department for the first time blocked two bitcoin accounts, which belonged to Iranian nationals tied to a ransomware scheme. But the move raises a thorny question: Can the U.S. government enforce financial sanctions against accounts tied to a digital currency that is supposed to maintain its users’ anonymity?

That question has broad implications for U.S. law enforcement and foreign policy, as both criminal groups and nation-states have used cryptocurrencies to escape the long reach of American power. Traffickers sell drugs online in large quantities in exchange for bitcoin, and North Korea has used the technology to get around broad financial sanctions.

While cryptocurrencies are widely touted as being fully anonymous, transactions with a given wallet—roughly the equivalent of a bank account—are publicly listed on the blockchain, the public ledger that forms the basis of cryptocurrency technology. This means that transactions remain anonymous so long as the wallet associated with a given account remains anonymous.

To get around this issue, a small cottage industry has sprung up to figure out how to de-anonymize wallets. With the help of digital forensics and some clever detective work, it’s often possible to figure out to whom a given wallet belongs.

This week’s action by the U.S. Treasury Department is an example of such a de-anonymizing operation.

By slapping American sanctions on these two accounts, U.S. officials have placed the onus for enforcing the penalties on private cryptocurrency companies, said Yaya Fanusie, a former CIA economic analyst and a sanctions expert at the Foundation for the Defense of Democracies, an influential, hawkish Washington think tank. The sanctions on the accounts effectively make transactions with the targeted accounts illegal, and cryptocurrency firms could face legal penalties if they don’t prevent payments to and from the two wallets.

The accounts in question belong to two Iranian men—Ali Khorashadizadeh and Mohammad Ghorbaniyan—who are alleged to have profited from a ransomware scheme known as SamSam that targeted computers at hospitals and government facilities in the United States. SamSam encrypted the contents of computers it infected and demanded payment in exchange for the computer to be decrypted. American prosecutors believe the scheme netted its organizers at least $6 million in ransom.

To convert those payments into Iranian rials, Khorashadizadeh and Ghorbaniyan relied on the two sanctioned bitcoin wallets to process the transactions. Following this week’s Treasury Department announcement, U.S. persons are now prohibited from engaging in transactions with those wallets.

In recent years, the U.S. government has moved to update its financial regulatory regime to combat criminal and money-laundering concerns related to anonymous digital currencies. In 2013, the Treasury Department announced that companies which process cryptocurrencies are subject to the provisions of the Bank Secrecy Act and its anti-money laundering provisions.

This meant that cryptocurrency exchanges—the companies that buy and sell cryptocurrencies in exchange for ordinary fiat currency—must carry out basic due diligence on customers and report suspicious transactions, according to Fanusie.

But it’s unlikely those sanctions will have any serious bite. For one thing, both wallets were emptied of funds in the last year.

More critically, the increasing regulatory scrutiny and the well-known privacy weaknesses of mainstream cryptocurrencies have prompted the creation of a new generation of digital currencies that place greater premium on maintaining user anonymity and are harder to trace, including ZCash and Monero.

Access to these newer, more advanced currencies is expanding, and on Thursday Coinbase— a popular cryptocurrency exchange—rolled out support for Zcash.

By transaction volume these newer currencies still pale in comparison to bitcoin, but American law enforcement officials are well aware that cybercriminals are likely to use these technologies to stay under the radar.

Speaking at a cybercrime conference at Georgetown University on Thursday, Deputy Assistant Attorney General Richard Downing said he was troubled by the trend that cryptocurrencies are moving in the direction “that are being designed in a way to make them much less able to be traced.”

“Our traditional tools of being able to follow the money is then put into doubt.”

But even if the new generation of currencies makes it harder to enforce sanctions, Fanusie argues that the U.S. decision to block bitcoin accounts is important. “The U.S. is showing that it’s going to enforce sanctions policies even with new financial technologies like cryptocurrencies,” he said.