Send 3 Bitcoins to the Norks or You’ll Never See Your Files Again!


Posted at 9:42 pm on May 16, 2017
Category: North Korea Sanctions, OFAC

Kim Jong Un Wonders What To Do With Tennis Shoes via DPRK Twitter Feed [Fair Use]

Security researchers have indicated that they have found Kim Jong Un’s pawprints all over the code used for the WannaCry ransomware, stolen from the CIA vaults by Vladimir Putin’s BFFs at WikiLeaks. This, of course, raises the question as to whether companies that got locked out of their files by the ransomware violated the U.S. sanctions on North Korea if they paid the Bitcoin ransom to free their files.

The first part of that question that needs to be answered is whether U.S. sanctions are violated just by sending money to someone in North Korea.  You can’t answer that question by looking at OFAC’s Nork sanctions regulations, because they are woefully out of date.  The provisions in the regulations prohibit dealings with blocked parties in North Korea. But Executive Order 13722, issued on March 18, 2016, prohibits the unlicensed export of services by a United States person or from the United States to North Korea.  In OFAC’s view, sending money to North Korea is an export of financial services to that country.

So obviously a Bitcoin ransom payment, if it winds up in Kim Jong Un’s hands, is a problem for U.S. persons. It looks like most of the ransom payments made so far came from outside the United States. What about them? All my readers should know that OFAC takes the position that if payments are made to sanctioned countries in U.S. Dollars, that is an export of financial services from the clearing bank in the United States to the sanctioned country. But Bitcoin payments don’t involve any banks. That’s the whole point. So no problem, right?

Not so fast. Think about how Bitcoin and the blockchain work. Any time a payment is made it will be reflected on the blockchain of all Bitcoin transactions and will be propagated to all computers running Bitcoin software — including a massive number of computers in the United States.

All that being said, there are a few practical roadblocks between a Bitcoin ransom payment to the Norks and an OFAC investigation.  First, the Chiquita case aside, there has been a general hesitance to go after people who pay these ransoms.   To begin with, it looks bad.   What government agency wants to go after a shipping company that pays off Somali pirates to protect their crew and property even if one or more of the pirates turns out to be an SDN?  (The most OFAC has done here has been to say that payments should not be made to SDN pirates but never explained how to figure out whether the pirate is an SDN.   Do you ask him to fax you his passport before the helicopter drops the ransom money on the deck?)

Second, there are difficulties in proving the identity of persons to whom Bitcoin payments are made. Presumably the Norks would not have been stupid enough to establish the Bitcoin wallet or wallets using traceable IP addresses and were using clean addresses for each ransom transaction. So the de-anonymizing of the people receiving the Bitcoin payments would rely on vulnerabilities in Tor and methods to link multiple transactions by analyzing the blockchain itself. The various techniques do not always work but they can in certain circumstances. However, how likely is it that OFAC will engage in these analyses to track down the ultimate recipient of the ransom payments?

Bonus round:  In case you haven’t been reading the Twitter feed of the Nork news service, you will have missed this

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


2 Comments:


@dprk_news is a parody account.

http://www.newsweek.com/interview-men-behind-fake-north-korean-twitter-account-fooled-newsweek-294438

Comment by LSG on May 19th, 2017 @ 2:25 pm

    Yep. I figured that out after about five of the new ones showed up in my Twitter feed!

    Comment by Clif Burns on May 19th, 2017 @ 4:07 pm