U.S. Department of the Treasury

WASHINGTON - Today, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned virtual currency mixer Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group, a Democratic People's Republic of Korea (DPRK) state-sponsored hacking group that was sanctioned by the U.S. in 2019, in the largest known virtual currency heist to date. Tornado Cash was subsequently used to launder more than $96 million of malicious cyber actors' funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022 Nomad Heist. Today's action is being taken pursuant to Executive Order (E.O.) 13694, as amended, and follows OFAC's May 6, 2022 designation of virtual currency mixer Blender.io (Blender).

"Today, Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States," said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. "Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them."

Treasury has worked to expose components of the virtual currency ecosystem, like Tornado Cash and Blender.io, that cybercriminals use to obfuscate the proceeds from illicit cyber activity and other crimes. While most virtual currency activity is licit, it can be used for illicit activity, including sanctions evasion through mixers, peer-to-peer exchangers, darknet markets, and exchanges. This includes the facilitation of heists, ransomware schemes, fraud, and other cybercrimes. Treasury continues to use its authorities against malicious cyber actors in concert with other U.S. departments and agencies, as well as foreign partners, to expose, disrupt, and hold accountable perpetrators and persons that enable criminals to profit from cybercrime and other illicit activity. For example, in 2020, Treasury's Financial Crimes Enforcement Network (FinCEN) assessed a $60 million civil money penalty against the owner and operator of a virtual currency mixer for violations of the Bank Secrecy Act (BSA) and its implementing regulations.

MIXER: TORNADO CASH

Tornado Cash (Tornado) is a virtual currency mixer that operates on the Ethereum blockchain and indiscriminately facilitates anonymous transactions by obfuscating their origin, destination, and counterparties, with no attempt to determine their origin. Tornado receives a variety of transactions and mixes them together before transmitting them to their individual recipients. While the purported purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors to launder funds, especially those stolen during significant heists. Tornado is being designated pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

ILLICIT FINANCE RISKS

Virtual currency mixers that assist criminals are a threat to U.S. national security. Treasury will continue to investigate the use of mixers for illicit purposes and use its authorities to respond to illicit financing risks in the virtual currency ecosystem. Criminals have increased their use of anonymity-enhancing technologies, including mixers, to help hide the movement or origin of funds. Additional information on illicit financing risks associated with mixers and other anonymity-enhancing technologies in the virtual asset ecosystem can be found in the 2022 National Money Laundering Risk Assessment. Those in the virtual currency industry play a critical role in complying with their Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) and sanctions obligations to prevent sanctioned persons and other illicit actors from exploiting virtual currency to undermine U.S. foreign policy and national security interests. As part of that effort, the industry should take a risk-based approach to assess the risk associated with diffe...
U.S. Department of the Treasury Security Rating
Security Score
B+
85 / 100
U.S. Department of the Treasury's security rating is based on the analysis of its external attack surface. The higher the rating, the better the security posture.
Company Info
Company Name: U.S. Department of the Treasury
Employees: 10001+
Location: Washington, United States of America
Last Updated: 20/30/2026
Industry: Government
U.S. Department of the Treasury Vendor Risk Report
This is an exhaustive cyber risk assessment report based on the scans performed by the Site24x7 Digital Risk Analyzer on the U.S. Department of the Treasury domain. Based on the assertion checks performed for four main security aspects, namely domain, email, network, and application, results are provided in respective categories along with the score obtained for each. An overall domain score has also been assigned based on these results.
Domain Security
Certificate Authority Authorization Check
CAA (Certificate Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) can issue SSL/TLS certificates for a domain, enhancing security by preventing unauthorized CAs from issuing certificates. When requesting a certificate, the CA checks the domain's CAA record. If the record authorizes the CA, the certificate is issued; otherwise, the request fails. Without a CAA record, any CA can issue a certificate, increasing the risk of mis-issuance. For example, to allow only Let's Encrypt, your CAA record would look like: example.com. IN CAA 0 issue "letsencrypt.org". CAA records ensure only authorized CAs can issue certificates for your domain.
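The authorization decision described above, as an added example that is not Site24x7 code: it applies the RFC 8659 rules (climb to the closest ancestor name that has a CAA RRset; no CAA anywhere means any CA may issue; issuewild overrides issue for wildcard names; a bare ";" forbids everyone) against a constructed in-memory zone, so it runs offline. The zone names and the CA domain "other-ca.example" are constructed.

```python
# Added example: evaluate whether a CA may issue for a name under CAA policy.
# Zone data is constructed in memory instead of being fetched from DNS.
from typing import Dict, List, Tuple

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA RRsets: (flags, tag, value) per owner name.
FAKE_CAA: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "issuewild", ";"),                 # no wildcard certs at all
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example": [(0, "issue", ";")],                 # nobody may issue
    "critical.example": [(128, "futuretag", "x")],         # unknown critical tag
}

def find_caa(name: str) -> List[Tuple[int, str, str]]:
    """Return the CAA RRset of name or of its closest ancestor (empty if none)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = FAKE_CAA.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_allowed(name: str, ca_domain: str) -> bool:
    """True if ca_domain is permitted to issue a certificate for name."""
    wildcard = name.startswith("*.")
    rrset = find_caa(name[2:] if wildcard else name)
    if not rrset:
        return True                       # no CAA record in the tree: any CA may issue
    # An unknown property with the critical flag (bit 128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    has_wild = any(tag == "issuewild" for _, tag, _ in rrset)
    tag = "issuewild" if wildcard and has_wild else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True                       # RRset present but no relevant property
    # Each value is "ca-domain [; param=value ...]"; a bare ";" authorizes no CA.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```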
Domain Expiry
To maintain domain ownership, it is essential to renew the domain name before it expires. Once a domain expires, it will be deactivated and parked. Once it is deactivated, you will not be allowed to make any changes, nor will customers be able to access it, leading to negative impacts on your business and brand. Using this check, Digital Risk Analyzer will track your domain expiry date and the number of days left until expiry.
Blocklisted Domain
A blocklist contains IPs, domains, or email addresses that have been reported for spam or other malicious activity. A blocklisted domain will face a huge drop in the number of visitors and will be marked unsafe, leading to a tarnished brand reputation. Using this check, Digital Risk Analyzer will cross-verify your domain against popular blocklists to ensure that your domain isn't flagged as blocklisted.
Email Security
TLS-RPT Existence
TLS-RPT (TLS Reporting) enables a domain to receive reports on TLS encryption issues in email delivery. It helps administrators identify and address failed secure delivery attempts. Defined in RFC 8460, it works with MTA-STS for better email security. A TLS-RPT record, located at _smtp._tls.example.com, directs email servers to send reports on failed TLS negotiations. Example: v=TLSRPTv1; rua=mailto:tls-reports@example.com. This assertion confirms the presence of the TLS-RPT record and initiates further actions, if found.
MTA-STS DNS Existence
MTA-STS (Mail Transfer Agent Strict Transport Security) enforces secure TLS connections for email, preventing man-in-the-middle attacks. MTA-STS DNS records configure this protocol, directing mail servers to enforce TLS and specify related policies. This assertion verifies if the domain has an MTA-STS record in its DNS.
MTA-STS HTTPS Existence
MTA-STS HTTPS existence ensures that a domain has an HTTPS-hosted policy file required for Mail Transfer Agent Strict Transport Security (MTA-STS). This protocol enforces encrypted email delivery. The policy file, named mta-sts.txt, must be hosted at: https://mta-sts.example.com/.well-known/mta-sts.txt.
Email Server Certificate
Mail servers are responsible for receiving, routing, and delivering e-mail. This check ensures correct configuration, STARTTLS support, valid certificates, and tracks certificate expiry.
SPF Maximum Lookup
The SPF framework has a threshold limit of 10 DNS lookups to resolve a record. This check analyses whether there are more than 10 lookups in the SPF record. Up to 10 DNS lookups per SPF record are allowed, which includes lookups caused by the use of terms like redirect, include, a, mx, ptr, and exists.
SPF Existence
SPF is a DNS record that prevents email spoofing by specifying which mail servers can send emails on behalf of your domain. This check verifies if an SPF record is present for the domain, with further validation if a record exists.
Recursive SPF Redirect
This check detects recursive redirects in the SPF record, which can exceed the lookup limit.
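The SPF Maximum Lookup and Recursive SPF Redirect checks above, as an added example that is not Site24x7 code: it counts the lookup-costing terms (include, a, mx, ptr, exists, redirect), follows include and redirect into the referenced records, and reports both a breach of the 10-lookup limit and a redirect loop. The TXT records are constructed in memory, so it runs offline.

```python
# Added example: count SPF DNS lookups and detect recursive redirects.
# FAKE_TXT replaces real DNS so the check runs offline.
from typing import Dict

SPF_LIMIT = 10
# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: example.com chains two includes; loop.example redirects in a cycle.
FAKE_TXT: Dict[str, str] = {
    "example.com": "v=spf1 include:_spf.example.net a mx -all",
    "_spf.example.net": "v=spf1 ip4:192.0.2.0/24 include:_spf.third.example ~all",
    "_spf.third.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.l.example ~all",
    "loop.example": "v=spf1 redirect=loop2.example",
    "loop2.example": "v=spf1 redirect=loop.example",
    "big.example": "v=spf1 " + " ".join(f"include:_spf.third.example" for _ in range(11)) + " -all",
}

def count_lookups(domain: str, path: frozenset = frozenset()) -> dict:
    """Return {'lookups': n, 'over_limit': bool, 'loop': bool} for domain's SPF record."""
    if domain in path:                       # already on the include/redirect path
        return {"lookups": 0, "over_limit": False, "loop": True}
    path = path | {domain}
    result = {"lookups": 0, "over_limit": False, "loop": False}
    record = FAKE_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return result
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")           # drop the qualifier
        name, _, arg = term.partition(":")   # mechanism form, e.g. include:dom
        if "=" in name:                      # modifier form, e.g. redirect=dom
            name, arg = name.split("=", 1)
        name = name.split("/")[0].lower()    # a/24 or mx/24 still costs one lookup
        if name not in LOOKUP_TERMS:
            continue
        result["lookups"] += 1
        if name in ("include", "redirect"):  # these pull in another record
            sub = count_lookups(arg, path)
            result["lookups"] += sub["lookups"]
            result["loop"] = result["loop"] or sub["loop"]
    result["over_limit"] = result["lookups"] > SPF_LIMIT
    return result
```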
DMARC Existence
DMARC is a DNS record that enhances SPF and DKIM to protect against email spoofing and phishing by specifying how email receivers should handle messages that fail authentication checks. This assertion verifies the presence of a DMARC record for the domain, with further validation performed if a record exists.
Network Security
Insecure Cipher
A cipher is an algorithm for encryption and decryption of data. Ciphers enable private communication on different networking protocols, including the Transport Layer Security (TLS) protocol that offers encryption of network traffic. They use a system of fixed rules to transform plain text, or a message, into cipher text, a random-looking string of characters. Your application or server can be prone to vulnerabilities if you haven't configured any order for your ciphers or if there are any insecure ciphers. The chances for an attacker to eavesdrop on or tamper with your data are high if you have insecure ciphers. Digital Risk Analyzer will run a check to detect weak ciphers with key lengths below 128 bits, NULL ciphers, ciphers without encryption, etc., to avoid vulnerabilities.
DNSSEC Validation
Domain Name System Security Extensions (DNSSEC) is an extension of the Domain Name System (DNS) protocol that allows DNS responses to be digitally signed and authenticated. It adds cryptographic signatures to the existing DNS records and helps the DNS resolver verify the authenticity of the responses. This can help in identifying fake DNS records created through cache poisoning or during man-in-the-middle attacks. Digital Risk Analyzer will check if DNSSEC is enabled for the domain, whether there is any breakage in the chain, and whether DNS records like A, AAAA, SOA, NS, MX, and TXT are signed with a valid key.
SSL Certificate Vulnerabilities
SSL vulnerabilities arise because of improper configuration of SSL/TLS. The most common vulnerabilities include BEAST, POODLE, POODLE (TLS), ROBOT, RC4 Vulnerability, CBC Vulnerability, AEAD, etc. These vulnerabilities can lead to session hijacking, man-in-the-middle attacks, text command injections, and many other security issues. Digital Risk Analyzer will check the SSL certificates to trace out any of the above-mentioned vulnerabilities.
Application-Layer Protocol Negotiation (ALPN)
ALPN is a TLS extension that allows clients and servers to negotiate the application protocol (e.g., HTTP/1, HTTP/2) during the handshake, improving compatibility and performance. It enables faster data transfer, such as switching from HTTP/1.1 to HTTP/2, by reducing latency while ensuring secure communication.
Valid SSL Certificate
An SSL Certificate is supposed to have a validity of 13 months or less. An expired SSL Certificate can make your site prone to phishing attacks, man-in-the-middle attacks, and data breaches. Moreover, it is essential to ensure that the certificate was issued by a trusted certificate authority and that the root certificate is a valid one. If not, "The certificate is not issued by a trusted certificate authority" or "SSL Certificate Not Trusted" errors will be raised. Digital Risk Analyzer will run a check to ensure that your certificate hasn't expired and that it is issued by a valid certificate authority.
SSL Chain Expiry
The SSL Certificate Chain is a list of certificates that includes the root certificate, intermediate certificates, and the end-entity certificate. The intermediate certificate along with the server certificate completes the trust chain. When an intermediate certificate in your chain expires, SSL errors will be thrown and you won't be able to install any other certificates on your platform. Digital Risk Analyzer will check the expiry of all your intermediate certificates and the number of days left until their expiry.
Insecure SSL Protocol
SSL (Secure Sockets Layer) is a security protocol that encrypts data between a server and client, ensuring privacy and protection against tampering. However, outdated versions like SSL 2.0 and 3.0 are vulnerable to attacks, exposing sensitive data to breaches and phishing. Modern browsers flag websites using insecure SSL, damaging credibility and trust. To mitigate risks, SSL has been replaced by TLS (Transport Layer Security), which offers stronger encryption and enhanced security. Using up-to-date TLS versions, such as TLS 1.2 or 1.3, is crucial for safeguarding data and maintaining compliance with security standards.
Application Security
Brand Reputation
Retaining customer trust and the credibility of the brand is crucial for any business entity. With important data transactions happening through websites, any issue that affects the security of the webpage can impact your brand's reputation. Hence, it is essential to ensure that you're offering a secure online space for your customers. Digital Risk Analyzer will cross-check your website against Google's list of blocklisted URLs to ensure that it isn't present.
Phishing
Phishing attackers use emails, text messages, or calls to steal sensitive information like social security numbers, passwords, or credit card details, or to manipulate people into downloading malware-infected files. It is the most common type of social engineering attack. Phishing attacks can result in huge financial loss, identity theft, and loss of brand reputation. Digital Risk Analyzer will check your site against the Google list of webpages affected by phishing attacks to ensure that your site isn't listed there.
Insecure Header
HTTP security headers provide enhanced protection by preventing several vulnerabilities that can put your application's security in jeopardy. A missing or insecure header may fail to prevent users from connecting to the site over an unencrypted connection. Digital Risk Analyzer checks for headers that are not configured correctly and may make the application vulnerable to attacks.
Insecure Cookies
Insecure cookies lack key security attributes, making them vulnerable to interception and attacks. Without the Secure attribute, cookies can be transmitted over unencrypted HTTP. The absence of SameSite makes them susceptible to CSRF attacks.
Directory Listing
Directory listing exposes sensitive files when no default index file is present, allowing attackers to view and exploit them. Disabling it helps protect your server from unauthorized access.
Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a security feature that controls access to resources on one domain from another. It prevents unauthorized requests by specifying which domains and methods are allowed through server response headers. For example, if example.com needs data from api.otherdomain.com, the API must allow this by setting Access-Control-Allow-Origin: example.com. Improper CORS configuration can block legitimate requests or expose sensitive data.