Week of May 5-11, 2022 | Issue 7 - Counterintelligence/Cyber (CICYBER)
Keanna Grelicha, Emma Hoskins, Marina Tovar, CICYBER Team
Justin Maurina, Editor; Demetrios Giannakaris, Senior Editor
Date: May 2, 2022
Parties involved: US Government; Central Intelligence Agency (CIA); Russian Government; Russian Officials
The event: The CIA posted a video on YouTube in Russian describing how individuals “compelled by the Russian Government’s unjust war” can securely contact the agency to share information. The CIA asks individuals to provide their country of origin, full name, position, and contact details so that the agency can reach them safely. The instructions describe two paths individuals can use: The Onion Router (TOR) network, or a reliable VPN to reach the CIA’s encrypted website.
Analysis & Implications:
The CIA’s video will very likely encourage other intelligence agencies to follow the same trend, likely increasing the chances of gathering actionable intelligence. Diversified methods will very likely result in more actionable intelligence, very likely allowing intelligence agencies to conduct more comprehensive reports due to fewer intelligence gaps. Comprehensive reports will almost certainly result in increased and more secure responses, very likely diminishing the risks of actions based on analyzed events. Intelligence agencies will very likely share the improved reports with other agencies to increase cooperation and more effectively prosecute criminals.
The CIA’s video is likely directed at Russian officials who can access valuable information for the US government and intelligence agencies in the ongoing Ukraine-Russia conflict. Russian officials providing relevant data on the Russian government to the CIA will very likely allow the US to improve its response to the continuing conflict. Improved response from the US and its allies will very likely assist Ukraine’s response due to intelligence-sharing and cooperation methods. Up-to-date intelligence will very likely aid the Ukrainian military in providing a more coordinated and effective response against Russian troops.
Date: May 6, 2022
Location: Washington DC, USA
Parties involved: USA; US Treasury Department; US Office of Foreign Assets Control (OFAC); Blender; North Korea; Lazarus Group; Ronin Bridge; Elliptic; Russia; TrickBot; Conti
The event: The US Treasury Department’s OFAC economically sanctioned Blender, targeting 45 Bitcoin addresses linked to online wallets like Ethereum. The sanctions are implemented to freeze assets and stop financial transactions on the crypto wallets. These sanctions aim to prevent Lazarus Group, a North Korean cyber group, from laundering the funds stolen in the Ronin Bridge hack, in which $540 million was taken from the crypto blockchain through the Ethereum wallet. Elliptic, a blockchain analytics firm, confirmed Lazarus Group's connection to Blender, where the group converted the stolen funds into Bitcoin and transferred the currency between accounts. Blender’s services are also aligned with Russian ransomware groups like TrickBot and Conti. The cyber groups’ illicit transfers using Blender total $20.5 million of stolen cryptocurrency.
Analysis & Implications:
The sanctions’ success in preventing and stopping ransomware operations will very likely set a precedent for holding cyber groups accountable for money laundering through crypto mediums. US sanctions on the cryptocurrency exchanges will very likely deter other cyber groups like Lazarus from using online mediums to transfer money from ransomware operations, as sanctions will very likely result in penalties on the groups’ financial assets in the crypto wallets. With preventative measures the sanctions provide, the US could very likely trace the laundering schemes in the crypto wallets to freeze the transactions and return the stolen money to the ransomware attack victims.
US sanctions will very likely result in the cyber groups experiencing financial loss and will very likely lead to transnational investigations to capture and arrest the groups. US actions to combat money laundering likely indicate the beginning of future mitigation efforts to penalize other illicit activities like identity theft or fraud. As the US increases efforts to combat cybercrime, US private and public sector cybersecurity will very likely increase, resulting in fewer attacks by mitigating damages with sanctions and investigations.
Date: May 8, 2022
Location: Costa Rica
Parties involved: Costa Rica; Costa Rican government; Costa Rican government agencies; Costa Rican Ministry of Finance; US government; UNC1756
The event: Costa Rica declared a national emergency due to the UNC1756 ransomware attacks targeting Costa Rican government agencies. UNC1756, using the Russian-based Conti ransomware platform, released 672 GB of data belonging to Costa Rican government agencies, primarily the Ministry of Finance, and demanded a $10 million ransom for the data. The Costa Rican government refused to pay the ransom. The US government offered $10 million for information identifying UNC1756 members and leadership. UNC1756 published a message criticizing the Costa Rican government for asking the US government for help, claiming that “the purpose of this attack was to earn money,” characterizing the attack as a demo, and announcing plans to carry out future large-scale attacks.
Analysis & Implications:
UNC1756 will very likely target governments in transition periods, such as cabinet changes, as attacks at those times will likely cause more significant disruption due to a lack of adequate network control. Targeting governmental agencies like the Ministry of Finance and making their networks inoperable will very likely impact other areas like tax and customs. The Ministry of Finance’s inoperability will likely result in financial instability if it cannot collect taxes or issue digital signatures effectively. The risk of financial instability will likely result in governments paying the ransom to prevent further long-term economic effects.
UNC1756’s future attacks will likely target US allies as an indirect way of pressuring the US into paying the ransom. The US is unlikely to pay ransoms for attacks in which it was not targeted and will likely encourage targeted countries to refrain from paying. The US will likely provide aid to the targeted countries by collecting data on the criminals, helping to sustain the economic and law enforcement agreements between the two countries and likely lessening the repercussions of the attack on their trade and economies.
The Counterterrorism Group (CTG)
“The TOR network permits users to anonymously access content on the Internet as its network is secured over several encryption layers, allowing the data packets to have multi-layer encryption.” What is the TOR network?, Myra Security, 2022, https://www.myrasecurity.com/en/tor-network/
“Blender is a mixer, which is a privacy-focused service that provides anonymous transfers of cryptocurrency assets between multiple accounts to obfuscate the origin of the transfer.” U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions, The Hacker News, May 2022, https://thehackernews.com/2022/05/us-sanctions-cryptocurrency-mixer.html
“Bitcoin is a digital medium of exchange that is processed through wallets with Ethereum and Stellar or crypto blockchains.” 10 Important Cryptocurrencies Other Than Bitcoin, Investopedia, March 2022, https://www.investopedia.com/tech/most-important-cryptocurrencies-other-than-bitcoin/
“The Ethereum wallet is used to transfer money with the Blender mixer service.” U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions, The Hacker News, May 2022, https://thehackernews.com/2022/05/us-sanctions-cryptocurrency-mixer.html
Costa Rica’s new president declares state of emergency after Conti ransomware attack, The Record, May 2022, https://therecord.media/costa-ricas-new-president-declares-state-of-emergency-after-conti-ransomware-attack/
Costa Rica declares national emergency after Conti ransomware attacks, Bleeping Computer, May 2022, https://www.bleepingcomputer.com/news/security/costa-rica-declares-national-emergency-after-conti-ransomware-attacks