Chris Swagler | March 9th, 2022


When it comes to combating the scourge of ransomware attacks plaguing schools, hospitals, and government offices, the federal government may have another option beyond sanctions, indictments, and counter cyberattacks: the Internal Revenue Service (IRS). The tax agency brings an ability to trace dark money to a seemingly unsolvable crime spree, making it a crucial partner to the other federal agencies investigating ransomware groups. The IRS helped the FBI seize millions of dollars in Bitcoin from the threat operators who had crippled the U.S. gasoline supply. The IRS’ cybercrime unit has expanded to 130 personnel and plans to open a center in Northern Virginia that will bring its own cybercrime agents together with law enforcement agents from other bureaus that focus on cryptocurrency investigations.

IRS Aiming To Prevent Ransomware

Profit is a powerful motivator for criminal threat operators who roam the internet encrypting victims’ data and demanding ransoms in exchange for its release. A cyberattack by a Russia-based threat operator crippled the world’s largest meat processing company and collected $11 million in ransom. However, the dirty money put such groups in the IRS’ crosshairs. The head of the IRS’ combined cybercrime and digital forensics unit explained that other agencies do more of the technical investigation of operational infrastructure while the IRS handles financial tracing, and acknowledged the agency is one part of a government-wide anti-breaching effort that includes the FBI and the Department of Homeland Security. The IRS’ involvement in threat operator investigations has extended beyond ransomware and into cryptocurrency tracing tools.

After years of attacks, ransomware has emerged as a particularly perplexing threat to governments and businesses around the world, with victims including police departments, water utilities, and the National Rifle Association. One challenge in investigating the crimes is that the perpetrators always demand payment in cryptocurrency because it’s untraceable. According to a former senior official in the Treasury Department’s terrorism and financial intelligence office, the IRS’ criminal investigations are “the tip of the spear” when it comes to crypto investigations. The IRS has two primary tools for combating ransomware: it tracks cryptocurrency payments through the tax returns of companies and other victims, and it investigates the underground movement of cryptocurrencies between victims and ransomware groups. Last year’s bipartisan infrastructure package aided the first scenario by expanding the definition of “broker” in the tax code to include cryptocurrency exchanges like Coinbase. When these brokers file tax returns after trading or selling crypto, they will be required to report the names and addresses of their customers on an annual basis, providing a level of transparency into the average crypto owner’s transactions that doesn’t exist elsewhere.

Cybersecurity policy experts who have lobbied the IRS and Congress to require companies to disclose high-dollar cryptocurrency payments argue that it would provide more information about when a ransom is paid. However, there are strict limitations on tax reporting. The new reporting rules focus on the entity receiving the funds, which in this case would be Russian ransomware criminals who aren’t subject to U.S. tax laws and aren’t known for following government orders. The IRS has had more success tracking down ransomware groups by examining their cryptocurrency transactions or advising the FBI and DHS on how to do it.

For cryptocurrency investigations, the IRS uses two types of tools: clustering algorithms that determine the likelihood that two digital wallets are linked, and open-source intelligence including public records like wallet addresses, domain name registrations, email addresses, and court documents. The agency collaborates with companies that have proprietary technologies that make linking Bitcoin transactions faster.
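The clustering step described above is illustrated by this added Python example, which is not the IRS’ or any vendor’s code: it applies the common-input-ownership heuristic, the simplest wallet-linking rule, to a handful of constructed transactions whose address labels are hypothetical.

```python
from collections import defaultdict

# Constructed sample transactions: (txid, input addresses, output addresses).
# Address labels are hypothetical, not real Bitcoin addresses.
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], ["V1"]),   # A1 and A2 spent together -> same controller
    ("tx2", ["A2", "A3"], ["X1"]),   # A3 joins the A1/A2 cluster via A2
    ("tx3", ["B1"], ["B2"]),         # single input: no link is created
    ("tx4", ["B2", "B3"], ["X2"]),   # B2 and B3 spent together
    ("tx5", ["C1"], ["C2"]),         # another isolated spender
]


class UnionFind:
    """Disjoint-set structure: each address points to a cluster representative."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input-ownership heuristic: every input address of one
    transaction is assumed to be controlled by the same entity, so all
    inputs are merged into one cluster. Output addresses are not linked."""
    uf = UnionFind()
    for _, inputs, _ in txs:
        for addr in inputs:
            uf.find(addr)                 # register even lone inputs
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def same_entity(txs, a, b):
    """True when the heuristic places addresses a and b in one cluster."""
    return any(a in c and b in c for c in cluster_addresses(txs))
```

The heuristic is deliberately conservative: it never links an output to its inputs, and it is defeated by collaborative transactions such as CoinJoin, which is why real tracing tools combine it with the open-source records the article lists.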

The FBI and the Homeland Security Department’s investigative unit, HSI, are better equipped than the IRS to focus on the technicalities of a ransomware attack, including how threat operators gained access and the ransomware strain used. Having the IRS focus on the cryptocurrency side of an investigation helps law enforcement keep up with cybercriminals’ agility and constantly changing online locations. The FBI brings various investigative experiences, tools, and resources to the table. According to a global public sector chief technology officer, there are limitations to following the money in cybercrime. Law enforcement officers may lose the chance to track suspects while waiting for official approval to launch an investigation, because cybercriminals are quick to cover their tracks. Another roadblock international investigators face is that the most notorious ransomware actors live in Russia and are unlikely to cooperate with U.S. law enforcement.

Legislation was introduced requiring the Treasury Department to report to Congress how other countries are mining, using, and regulating cryptocurrencies. Several lawmakers introduced bills that require ransom payments to be reported to DHS within three days and provide insight into numerous ransomware attacks that U.S. businesses are facing and the financial information of threat actors. The IRS Commissioner requested $21 million to support cyber, crypto, and other highly technical investigations and suggested that Congress change the current crypto reporting rules to make it easier for the IRS to share information with its investigative partners.

With the IRS applying its abilities, technical skills, and resources to trace ransomware groups through cryptocurrencies, the FBI’s chances of combating and preventing future ransomware attacks improve. Additionally, it’s important for companies to always remain vigilant about the current threat landscape and regularly update their data network security software. At SpearTip, you can trust our certified engineers with their ability to continuously monitor potential ransomware threats at our 24/7/365 Security Operations Center with one of the fastest response times in the industry. We recognize the fight against ransomware requires a concerted effort by businesses, users, governments, and cyber security firms to minimize the overall attack surface of threat actor targets. To protect our partners against these malicious threats, we offer our unparalleled ShadowSpear Platform that optimizes network visibility and can identify threats, neutralize malware, and counter adversaries to prevent companies from being exploited. SpearTip defends companies, their brand, their reputation, and their livelihood against constant ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
