Sanctions Targeting Ransomware and Cryptocurrency Platforms
Carlin stressed DOJ’s new attention to ransomware. Because of the anonymity of ransomware groups, a significant risk exists that individuals and entities to whom ransom is paid are sanctioned. But sanctions targeting such threat actors create challenges for ransomware victims who are faced with a catch-22 to pay or violate the law. Recognizing this concern, the Biden administration shifted focus to disrupting the ecosystem that facilitates ransomware activity, and last month the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued the first sanctions designation against a virtual currency exchange, as well as revised ransomware guidance. In his speech, Carlin directed practitioners and companies to pay attention to this novel use of sanctions in this space—stressing that it was the “first, but not last.”
Carlin also reviewed enforcement activity involving cryptocurrency, noting that DOJ is scrutinizing the use of cryptocurrency platforms as the payment modality of choice for criminals across the globe—from “terrorist groups” to “drug transactions, child sexual exploitation material, firearms, and other illicit materials.” In an effort to limit the ability of ransomware groups and other criminal actors to profit from their unlawful activity, DOJ is dedicating increased attention and resources to identifying and seizing such funds. He highlighted the seizure of $2.3 million worth of cryptocurrency that was paid as the ransom in the Colonial Pipeline attack. And following Carlin’s speech, DOJ announced a National Cryptocurrency Enforcement task force that, among other priorities, is focused on “recover[ing] the illicit proceeds of those crimes whenever possible.”
Investigating Export Controlled “Human Knowledge”
In another first, Carlin highlighted the deferred prosecution agreement (“DPA”) that DOJ entered into last month with three defendants for providing hacking-related services to a foreign government in violation of U.S. export control laws. The defendants, all former members of the U.S. military or the intelligence community, worked for a United Arab Emirates (“UAE”)-based company carrying out hacking operations on behalf of the UAE government. The defendants used their knowledge of offensive cyber capabilities to provide the UAE with “defense services” regulated under the International Traffic in Arms Regulations (“ITAR”) without the proper licensing from the Department of State’s Directorate of Defense Trade Controls. The case marks the first time DOJ has charged hacking as a violation of ITAR.
The DPA requires the defendants to pay over $1.6 million, effectively a disgorgement of the salaries they earned as hackers-for-hire, and accept a lifetime ban on holding U.S. security clearances and government employment. Carlin noted that DOJ will investigate and bring more export control cases focused on the unlicensed transfer of what he described as “human knowledge,” particularly to limit the spread of offensive cyber capabilities. DPAs are rarely offered to individual defendants, and we predict that future defendants in such cases will be subject to more serious penalties, particularly since the Department has now put such hackers-for-hire on notice of the criminality of their actions.
Renewed Focus on DOJ’s Voluntary Self-Disclosure Program
Carlin placed particular emphasis on the DOJ National Security Division’s (“NSD”) voluntary self-disclosure (“VSD”) program for export control and sanctions violations. As discussed in a previous client alert, and as Carlin explained, the VSD program is intended to “incentivize companies to come forward when they identify criminal violations of sanctions and export control laws so that the company and government can quickly remediate.” Carlin noted that in April, German software company SAP SE (“SAP”) became the first company to enter into a non-prosecution agreement (“NPA”) “based on its use of [NSD’s] voluntary self-disclosure program” (on which we have written before). Because SAP self-reported, cooperated extensively with DOJ, and invested $27 million in remediation efforts, the government declined to fine or monitor the company and only sought disgorgement of the profits directly related to the sanctions and export violations.
While SAP was the first such NPA based on the new NSD VSD program, it will not be the last. As noted above, NSD is now increasingly focused on sanctions and export control violations and is dedicating more resources to those investigations. When paired with DOJ opening and enforcing new areas of export control and sanctions, the VSD program is more relevant than ever. Companies should become familiar with the VSD program to understand its incentives should they discover violations in their operations.
Original posting: Morrison & Foerster LLP