{
	"id": "cec81416-286d-45c3-a785-92149727e5c9",
	"created_at": "2026-04-06T00:19:48.62Z",
	"updated_at": "2026-04-10T03:29:16.768524Z",
	"deleted_at": null,
	"sha1_hash": "9de005b31d77abce3cc93c8fa2d4700da0fb763c",
	"title": "Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67855,
	"plain_text": "Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual\r\nCurrency Exchange\r\nPublished: 2026-02-13 · Archived: 2026-04-02 11:36:30 UTC\r\nFinCEN Updates Ransomware Advisory\r\nOFAC Sanctions Two Ransomware Operators and a Virtual Currency Exchange Network for the Kaseya Incident\r\nand Laundering Cyber Ransoms\r\nWASHINGTON — Continuing the Administration’s whole-of-government effort to counter ransomware, the U.S.\r\nDepartment of the Treasury today announced a set of actions focused on disrupting criminal ransomware actors\r\nand virtual currency exchanges that launder the proceeds of ransomware. Treasury’s actions today advance the\r\nBiden Administration’s counter-ransomware efforts to disrupt ransomware infrastructure and actors and address\r\nabuse of the virtual currency ecosystem to launder ransom payments.\r\n“Ransomware groups and criminal organizations have targeted American businesses and public institutions of all\r\nsizes and across sectors, seeking to undermine the backbone of our economy,” said Deputy Secretary of the\r\nTreasury Wally Adeyemo. “We will continue to bring to bear all of the authorities at Treasury’s disposal to disrupt,\r\ndeter, and prevent future threats to the economy of the United States. This is a top priority for the Biden\r\nAdministration.”\r\nRansomware incidents have disrupted critical services and businesses globally, as well as schools, government\r\noffices, hospitals and emergency services, transportation, energy, and food companies. Reported ransomware\r\npayments in the United States so far have reached $590 million in the first half of 2021, compared to a total of\r\n$416 million in 2020. The perpetrators behind these ransomware incidents seek to harm the United States and\r\nextort the American people and our allies. 
Those who provide financial services to, or facilitate money laundering\r\nfor, ransomware actors enable this illegal activity.\r\nWhile most virtual currency activity is licit, virtual currency remains the primary mechanism for ransomware\r\npayments, and certain unscrupulous virtual currency exchanges are an important piece of the ransomware\r\necosystem. The United States urges the international community to effectively implement international standards\r\non anti-money laundering/countering the financing of terrorism (AML/CFT) in the virtual currency area,\r\nparticularly regarding virtual currency exchanges.\r\nToday’s coordinated action with several U.S. government and foreign partners demonstrates how Treasury’s\r\ninternational partnerships enhance the ability to detect and disrupt, across continents and technologies, the illicit\r\nfinancial activities of those who seek to harm people’s livelihoods, savings, and futures for private gain.\r\nDesignation of a Virtual Currency Exchange and Network for Complicit Financial Services\r\nhttps://home.treasury.gov/news/press-releases/jy0471\r\nPage 1 of 3\n\nToday’s actions include the designation of Chatex, a virtual currency exchange, and its associated support\r\nnetwork, for facilitating financial transactions for ransomware actors. Chatex, which claims to have a presence in\r\nmultiple countries, has facilitated transactions for multiple ransomware variants. Analysis of Chatex’s known\r\ntransactions indicates that over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware. Chatex has direct ties with SUEX OTC, S.R.O. (Suex), using Suex’s function as\r\na nested exchange to conduct transactions. Suex was sanctioned on September 21, 2021, for facilitating financial\r\ntransactions for ransomware actors. Chatex is being designated pursuant to Executive Order (E.O.) 
13694, as\r\namended, for providing material support to Suex and the threat posed by criminal ransomware actors.\r\nAdditionally, OFAC is designating IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd for providing\r\nmaterial support and assistance to Chatex, pursuant to E.O. 13694, as amended. These three companies set up\r\ninfrastructure for Chatex, enabling Chatex operations.\r\nComplementing this action, the Department of State announced a Transnational Organized Crime Reward offer of\r\nup to $10,000,000 for information leading to the identification or location of any individual(s) who hold a key\r\nleadership position in the Sodinokibi/REvil ransomware variant transnational organized crime group (22 U.S.C.\r\n§2708(b)(6)). The Department of State also announced a reward offer of up to $5,000,000 for information leading\r\nto the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to\r\nparticipate in a Sodinokibi variant ransomware incident.\r\nFollowing an inspection by Latvia’s State Revenue Service, Latvian government authorities have suspended with\r\nimmediate effect the operations of Chatextech; assessed a fine for breaches of company registration and business\r\nconduct laws and regulations; and will identify current and former Chatextech board members, all non-Latvian\r\nnationals, in Latvia’s registry of high-risk individuals. In addition, the Estonian Financial Intelligence Unit has\r\nrevoked the license of Izibits OU after working with the United States to identify the activities of entities being\r\ndesignated today.\r\nUnprincipled virtual currency exchanges like Chatex are critical to the profitability of ransomware activities,\r\nespecially by laundering and cashing out the proceeds for criminals. Treasury will continue to use all available\r\nauthorities to disrupt malicious cyber actors, block ill-gotten criminal proceeds, and deter additional actions\r\nagainst the American people. 
Treasury benefitted immensely from close coordination with our partners across\r\nLatvian and Estonian government agencies, including their information sharing and swift action.\r\nDesignation of Two Ransomware Operators\r\nOFAC is designating Ukrainian Yaroslav Vasinskyi (Vasinskyi) and Russian Yevgeniy Polyanin (Polyanin) for\r\ntheir part in perpetuating Sodinokibi/REvil ransomware incidents against the United States. Vasinskyi deployed\r\nransomware against at least nine U.S. companies. Vasinskyi is also responsible for the July 2021 ransomware\r\nactivity against Kaseya, which caused significant disruptions to the computer networks of Kaseya’s customer\r\nbase. Polyanin also deployed ransomware, targeting several U.S. government entities and private-sector\r\ncompanies. These two individuals are part of a cybercriminal group that has engaged in ransomware activities and\r\nreceived more than $200 million in ransom payments paid in Bitcoin and Monero. OFAC is also designating a\r\ncompany owned by Polyanin, pursuant to E.O. 13694 as amended. Malicious cyber activities against the U.S.\r\ngovernment and private sector will be aggressively investigated and pursued. Companies are encouraged to report\r\nall ransomware incidents to law enforcement, as well as any payments with a potential sanctions nexus to OFAC,\r\nand strengthen their cyber defense posture.\r\nSanctions Implications\r\nAs a result of today’s designation, all property and interests in property of the designated targets that are subject to\r\nU.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.\r\nAdditionally, any entities 50 percent or more owned by one or more designated persons are also blocked. 
In\r\naddition, financial institutions and other persons that engage in certain transactions or activities with the\r\nsanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.\r\nToday’s action does not implicate a sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or variant.\r\nFinCEN Releases Updated Advisory on Ransomware and the Use of the Financial System to\r\nFacilitate Ransom Payments\r\nIn addition, the Financial Crimes Enforcement Network (FinCEN) is releasing an update today to its 2020\r\nAdvisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. The updated\r\nAdvisory reflects information released by FinCEN in its Financial Trend Analysis Report discussing ransomware\r\ntrends, issued on October 15, 2021, and includes information on current trends and typologies of ransomware and\r\nassociated payments as well as recent examples of ransomware incidents. The updated Advisory also sets out\r\nfinancial red flag indicators of ransomware-related illicit activity to assist financial institutions, including virtual\r\ncurrency service providers, in identifying and reporting suspicious transactions associated with ransomware\r\npayments, consistent with their obligations under the Bank Secrecy Act.\r\nClick here to view identifying information on the individuals and entities designated today.\r\nClick here to view FinCEN’s Updated Advisory on Ransomware and the Use of the Financial System to Facilitate\r\nRansom Payments.\r\nFor More Information on Ransomware\r\nPlease visit StopRansomware.gov, a one-stop resource for individuals and organizations of all sizes to reduce their\r\nrisk of ransomware incidents and improve their cybersecurity resilience. This webpage brings together tools and\r\nresources from multiple federal government agencies under one online platform. 
Learn more about how\r\nransomware works, how to protect yourself, how to report an incident, and how to request technical assistance.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy0471",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy0471"
	],
	"report_names": [
		"jy0471"
	],
	"threat_actors": [
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434788,
	"ts_updated_at": 1775791756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9de005b31d77abce3cc93c8fa2d4700da0fb763c.pdf",
		"text": "https://archive.orkl.eu/9de005b31d77abce3cc93c8fa2d4700da0fb763c.txt",
		"img": "https://archive.orkl.eu/9de005b31d77abce3cc93c8fa2d4700da0fb763c.jpg"
	}
}