U.S. Seizes $6.1 Million in Cryptocurrency in Ransomware Crackdown

“If you target victims here, we will target you,” Deputy Attorney General Lisa Monaco said at a news conference.

U.S. officials ramped up their push to track and potentially seize ransomware groups’ cryptocurrency after Colonial Pipeline Co. paid hackers $4.4 million during a May hack that disrupted the East Coast’s largest conduit for fuel. U.S. businesses made a combined $590 million in such payments during the first six months of this year, according to the Treasury Department’s Financial Crimes Enforcement Network, up from $416 million a year earlier.

The seizure and arrests announced Monday came as the Treasury Department sanctioned Chatex, a cryptocurrency exchange that has allegedly facilitated ransomware payments, as well as affiliated businesses. The move made Chatex the second exchange blacklisted by the U.S. government in recent months, following Russian-owned SUEX OTC.

“This means that effective immediately, all assets of these entities that are subject to U.S. jurisdiction are blocked,” Deputy Treasury Secretary Wally Adeyemo said. “All transactions are prohibited for U.S. persons. And all domestic [cryptocurrency] exchanges are prohibited from processing transactions with this exchange.”

The Treasury Department said Monday that more than half of Chatex’s known transactions are linked to ransomware, dark net markets and other high-risk exchanges. Companies facing ransomware attacks often enlist outside cybersecurity specialists to negotiate with hackers and check whether they or the crypto infrastructure they use have been blacklisted by the U.S. government. The Treasury Department has urged businesses to report such demands and warned that those that pay sanctioned entities such as Chatex could face stiff penalties.

Chatex didn’t immediately respond to requests for comment. The Treasury Department said the exchange has presences in Latvia, Estonia, and Saint Vincent and the Grenadines.

U.S. actions targeting cryptocurrency came as part of an international cybersecurity crackdown unveiled Monday by U.S. and European officials.

Authorities in Romania and Poland in recent days arrested several individuals allegedly tied to REvil, the ransomware gang behind attacks this year on software provider Kaseya Ltd. and meat processor JBS SA .

Attorney General Merrick Garland on Monday said an alleged hacker, 28-year-old Russian national Yevgeniy Polyanin, had made off with the equivalent of $13 million from other ransom payments. The Justice Department seized more than $6.1 million of those funds in September, according to a search warrant made public Monday.

An indictment unsealed Monday charged Mr. Polyanin with hacking at least two companies and 13 government entities in Texas during a two-week period in August 2019. Mr. Polyanin is believed to be in Russia, Federal Bureau of Investigation Director Christopher Wray said.

Mr. Polyanin couldn’t immediately be reached for comment.

U.S. officials have said hackers operate in Russia with relative impunity—a claim the Kremlin denies—but added Monday that the seized funds show how they can disrupt hacking outfits without local cooperation. Investigators can monitor criminals’ transactions if victim companies share information such as the digital address to which they make payments, according to cybersecurity experts and blockchain analysts.

Urging victims to report ransomware incidents to authorities, Mr. Wray said, “The long arm of the law reaches a lot further than [hackers] think.”

Write to David Uberti at [email protected]