PwC Report Links Crypto Exchange WEX to Iranian Ransomware Operators

  • Iranian ransomware users and WEX may have worked with various other exchange operators in order to launder money using cryptocurrency.
  • This, according to the latest report from PwC, one of the world's largest auditing firms.

Controversial crypto trading platform World Exchange Services (WEX) has reportedly been involved in orchestrating various ransomware attacks - in order to allegedly acquire and facilitate the transfer of illicit funds.

“Big Four” professional services and auditing firm, PricewaterhouseCoopers (PwC) released a report recently in which it revealed that two Iranian residents may have developed a SamSam ransomware variant. According to PwC, the ransomware program may have been used by certain individuals working at WEX to launder millions of dollars worth of illicit funds.

In November 2018, two Iranian citizens, Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi, were charged by the US Department of Justice (DoJ) for their alleged involvement in extorting funds from several public institutions including local government offices and hospitals.

Both Iranian men reportedly used the SamSam ransomware to steal millions of dollars in cryptocurrency from the institutions.

Last year, two other Iranian citizens, Mohammad Ghorbaniyan and Ali Khorashadizadeh, had also been added to the Special Designated Nationalists List by the US Treasury Department’s Office of Foreign Assets Control (OFAC). Both Iranian residents were reportedly placed on the list for their alleged involvement in carrying out illicit cryptocurrency transactions by using SamSam ransomware - after being instructed to do so by Mansouri and Savandi.

Iranian Citizens Allegedly Using Local Exchanges To Launder Funds

At the time of these incidents, the OFAC found a link between bitcoin (BTC) addresses that may have been used by Ghorbaniyan and Khorashadizadeh and other personal identifying information including the post office boxes they might have used, their physical addresses, email address, and any aliases - in order to carry out the financial crimes.

In its recent report, PwC has noted that it carefully examined the crypto addresses identified by the OFAC. The auditing firm has determined that Iranvisacart and Enexchanger, which are two exchange websites, may be linked to Ghorbaniyan and Khorashadizadeh - as they may have used these platforms to conduct illicit transactions through WEX. As mentioned in PwC’s report, the US Federal Bureau of Investigations (FBI) found both Iranvisacart and Enexchanger to be associated with various illegal activities including money laundering.

"Threat Actors Favor Using Less Known Exchanges"

According to the FBI’s investigation, the Enexchanger exchange had been listing trading pairs in cryptocurrencies such as “swaps” which were offered with a special “WEX-code to USD.” The code reportedly allowed users to transfer funds directly from WEX’s users. Moreover, PwC’s report noted that a Slovakia-based digital asset exchange and WEX (previously known as BTC-e) may have helped “Blue Athena”, a threat actor, to launder bitcoin.

PwC’s report reads in part: 

The use of Iran- and Slovakia-based exchanges suggests that threat actors favor using lesser-known currency exchanges. This is likely because the more popular exchanges have monitoring or compliance programmes to detect illicit activities.

WEX Exchange CEO May Have Laundered $4 Billion In Crypto

Those familiar with WEX and its history know that it was previously known as BTC-e - before being shut down by international authorities in 2017 due to its alleged involvement in money laundering activities. Alexander Vinnik, who was believed to be operating BTC-e, was arrested as he was suspected of laundering around $4 billion in cryptocurrency since the exchange launched in 2011.

Commenting on these incidents, PwC’s report noted:

WEX is most notably known for its alleged involvement in the laundering of some $4 billion, transferring of funds to facilitate operations of the threat actor tracked by PwC as Blue Athena, and being responsible for cashing out 95% of all ransomware payments made since 2014.

In late October 2018, Malta-based digital asset exchange Binance froze certain user accounts that had reportedly received over 93,000 ether (ETH) from two wallets known to be associated with WEX.