Ransomware scams are on the rise: What cryptos need to know for SAR filing

November 2, 2020

FinCEN and OFAC released joint advisories warning businesses about an increase in ransomware scams, along with new instructions for Suspicious Activity Report (SAR) filing.

Here’s what cryptocurrency businesses need to know.

On October 1, 2020, both the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) released advisories warning businesses and consumers about an increase in size and scope of ransomware scams.

Both agencies noted the critical role that business owners play in combating financial crime and potential fraud — that of frontline responders, detecting and reporting suspicious activity to aid law enforcement and discourage bad actors.

This idea is nothing new to BitAML readers. We’ve dedicated a significant portion of blog coverage in recent months to scams in the cryptocurrency space and the role that businesses play in consumer protection.

But this entry in our series on crypto scams is unique, and if you operate a cryptocurrency money transmitter, we advise you to read closely.


Not only is the topic of ransomware scams timely in light of the recent advisories; FinCEN also included specific instructions for businesses related to SAR filing.

Let’s start by covering all of our bases. In this post, we will:

  • Define ransomware scams in the context of the cryptocurrency industry
  • Offer help you can pass along to consumers who fear they have been affected by a ransomware scam
  • Share specific recommendations from FinCEN for businesses, including cryptocurrency money transmitters, for SAR filing.

Let’s dive in.

How a ransomware scam works

Typically a ransomware attack occurs when a user is browsing the internet, checking email, or scrolling through social media on a device such as a desktop computer or a smartphone.

The user either clicks on an ad or website, a link in an email or text message, or a link attached to content posted to social media (usually in a direct message, though occasionally in a public timeline, if the public post is not reported).

While the ad, site, or message appears to be legitimate, once the link within is clicked, the entire screen locks, preventing the user from performing any functions. A threatening message then typically appears, demanding payment.

Some versions of ransomware attacks attempt to blackmail the user by claiming that they have obtained browser history showing access to adult websites, or even in some cases webcam footage or other material showing the victim themselves engaged in sexual acts. The fraudster’s message promises to delete the content if their ransom is paid. IT security experts refer to this version of a ransomware attack as a “sextortion” scam.

According to the AARP, senior citizens are often targets of ransomware scams, likely due to perceived or real knowledge gaps when it comes to using technology. The AARP also specifically mentions cryptocurrency as a method of payment often requested of seniors.

Ransomware scams that target victims age 60 or older are examples of elder financial exploitation, a significant problem in the cryptocurrency space.

Here’s where cryptocurrency businesses come in.

Let’s say a customer approaches a kiosk, or creates an account with an exchange. Their first attempt at a transaction involves a large sum of fiat money (i.e., U.S. dollars). That will likely trip a few red flags and alert the institution’s compliance department.

Crypto businesses will perform Know Your Customer (KYC) on the new customer to determine the reason for such a large transaction. If at that point the customer mentions that hackers have “taken over their computer” and that payment is needed to “get it back,” the customer has likely become the victim of a ransomware attack.

How likely is it that you could face this scenario as a business owner in the future?

Fairly likely. Ransomware attacks are among the most pernicious and ubiquitous scams of our modern lives. Local governments, educational institutions, and small businesses have collectively lost $144 million in 2020 alone rebuilding their infrastructure or paying off financial criminals after being targeted by ransomware attacks.

What potential victims should do

According to the Federal Trade Commission (FTC), victims of ransomware attacks have several options.

  • Immediately disconnect the affected devices from the network (if at work, notify a superior)
  • Report the attack to your local FBI office
  • Have a plan for regularly backing up files and data
  • It is generally advised you not pay the ransom, since there is no guarantee that you will get your files and data back.
  • NEVER send cryptocurrency to anyone pressuring you to do so.

What crypto businesses can do to help

In addition to the importance of an AML Program, up-to-date surveillance and monitoring protocols, and solid KYC practices, businesses have specific instructions from FinCEN when it comes to reporting suspicious activity.

Specifically, FinCEN requests that financial institutions reference its advisory in SAR field 2 (Filing Institution Note to FinCEN) and in the narrative by including the key code “CYBER FIN-2020-A006”, and that they select SAR field 42 (Cyber Event).

One more pro-tip from BitAML. For cryptocurrency businesses, we advise the following: Once you have determined that a customer has become the victim of a ransomware scam, collect all data including the wallet address where the crypto is to be sent, and include it in the SAR narrative section.

We strongly recommend reading FinCEN’s advisory here and making note of their additional guidance on SAR filing toward the end of the advisory.

Key takeaways for bitcoin compliance

Ransomware attacks are pernicious and on the rise. They may over-index for senior citizens who will turn to businesses like yours in an attempt to initiate large first-time transactions. A robust AML program, transaction monitoring and red flags, and KYC are essential to frontline detection of scam activity.

FinCEN asks businesses, including cryptos, to include the code CYBER FIN-2020-A006 in specific fields in SAR filings related to ransomware scams. More details and instructions can be found in the advisory, here.

Above all, we emphasize this every time we talk about fraudulent activity in the market: every business owner in the cryptocurrency space is responsible for consumer protection.

If you need help setting up an AML program, or adding consumer protection protocols to an existing AML regime, you can contact BitAML today for a free consultation.
