Security researchers have indicated that they have found Kim Jong Un's fingerprints all over the code used for the WannaCry ransomware, which spreads by way of an exploit stolen from the NSA's vaults and dumped on the internet by the Shadow Brokers. This, of course, raises the question whether companies that got locked out of their files by the ransomware violated the U.S. sanctions on North Korea if they paid the Bitcoin ransom to free their files.
The first part of that question that needs to be answered is whether U.S. sanctions are violated just by sending money to someone in North Korea. You can't answer that question by looking at OFAC's Nork sanctions regulations, because they are woefully out of date. The provisions in the regulations prohibit dealings with blocked parties in North Korea. But Executive Order 13722, issued on March 15, 2016, prohibits the unlicensed export of services by a United States person or from the United States to North Korea. In OFAC's view, sending money to North Korea is an export of financial services to that country.
So obviously a Bitcoin ransom payment, if it winds up in Kim Jong Un's hands, is a problem for U.S. persons. It looks like most of the ransom payments made so far came from outside the United States. What about them? All my readers should know that OFAC takes the position that if payments are made to sanctioned countries in U.S. dollars, that is an export of financial services from the clearing bank in the United States to the sanctioned country. But Bitcoin payments don't involve any banks. That's the entire point. So no problem, right?
Not so fast. Think about how Bitcoin and the blockchain work. Any time a payment is made it will be recorded on the blockchain of all Bitcoin transactions and propagated to every computer running Bitcoin node software, including a massive number of computers in the United States that validate and relay the transaction. If a New York clearing bank's handling of a dollar wire is an export of financial services from the United States, the same theory could be stretched to cover U.S.-based nodes that confirm and relay the ransom transaction.
All that being said, there are a few practical roadblocks between a Bitcoin ransom payment to the Norks and an OFAC investigation. First, the Chiquita case aside, there has been a general hesitance to go after people who pay these ransoms. To begin with, it looks bad. What government agency wants to go after a shipping company that pays off Somali pirates to protect its crew and property even if one or more of the pirates turns out to be an SDN? (The most OFAC has done here has been to say that payments should not be made to SDN pirates, but it never explained how to figure out whether the pirate is an SDN. Do you ask him to fax you his passport before the helicopter drops the ransom money on the deck?)
Second, there are difficulties in proving the identity of the persons to whom Bitcoin payments are made. Presumably the Norks would not have been stupid enough to set up the Bitcoin wallet or wallets from traceable IP addresses and would use a clean address for each ransom transaction. (In fact, WannaCry hard-coded only three payment addresses, so the inbound payments themselves are plainly visible on the blockchain; what is hard is tying those addresses, and whoever later sweeps the funds out of them, to a real-world party.) So de-anonymizing the people receiving the Bitcoin payments would rely on vulnerabilities in Tor and on methods to link numerous transactions by analyzing the blockchain itself. The various techniques do not always work, but they can in certain circumstances. However, how likely is it that OFAC will engage in these analyses to track down the ultimate recipient of the ransom payments?
Bonus round: In case you haven't been reading the Twitter feed of the Nork news service, you will have missed this:
Malnutrition wracks this generation of United States youth, fed only a diet of hideous “avocado toast” in place of healthful foodstuffs.
— DPRK News Service (@DPRK_News) May 15, 2017
Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)