OFAC and Crypto Crime: Every OFAC Specially Designated National with Identified Cryptocurrency Addresses

As far back as the early 1800s, the U.S. Department of the Treasury has issued economic sanctions to achieve foreign policy and national security objectives. Today, the Treasury’s Office of Foreign Assets Control (OFAC) sanctions countries, individuals, companies, and groups — like international drug traffickers or terrorists — that pose specific threats to U.S. interests.

Over the years, bad actors have tried a variety of tactics to evade OFAC’s sanctions. More recently, some have pivoted towards crypto, presuming that crypto transactions are anonymous or untraceable. Adapting to this tactic, OFAC began including cryptocurrency addresses as identifiers in sanctions designations. The first such instance occurred on November 28, 2018 when OFAC designated two Iran-based individuals tied to the SamSam ransomware scheme, which demanded ransom payments in Bitcoin. Since that first designation, OFAC has included many wallet addresses and even entire crypto services in its designations. In this article, we’ll discuss:

OFAC’s guidance on crypto-related sanctions compliance

In March of 2018, OFAC began answering questions about virtual currency on its website. The OFAC Frequently Asked Questions (FAQs)  also define what the terms “digital currency,” “digital currency wallet,” “digital currency address,” and “virtual currency” mean as they apply to OFAC’s sanctions programs. In October of 2021, OFAC went a step further, publishing Sanctions Compliance Guidance for the Virtual Currency Industry, a guide outlining how both companies and crypto users can mitigate the risk of facilitating crypto crime.

2023

• July 31 | ISIS and Al-Qaeda Operatives in Maldives: OFAC sanctioned several individuals and entities involved in the Maldives operations of terrorist groups Al-Qaeda, ISIS, and ISIS-Khorasan (ISIS-K). The notice included a crypto address as an SDN identifier for Ali Shafiu, one of the sanctioned individuals.
• May 23 | North Korean hackers and IT worker crypto payment schemes: OFAC and South Korea’s Ministry of Foreign Affairs (MOFA) sanctioned entities and individuals associated with illicit North Korean revenue generation schemes. One individual — Kim Sang Man — helped North Korean IT professionals find contract work overseas, and some of their proceeds were sent to North Korea in support of its weapons development programs. OFAC included six crypto addresses associated with Kim Sang Man in the designation. 
• May 19 | Dubai-based financial services firm and CEO involved in Russian sanctions evasion: OFAC sanctioned 22 individuals and 104 entities operating in 20 countries for their role in facilitating Russian sanctions evasion. This designation included a crypto address as an SDN identifier for John Desmond Hanafin, CEO of Dubai-based Huriya Private.
• May 16 | Russia-based ransomware developer: OFAC sanctioned Mikhail Matveev for launching cyberattacks on U.S. law enforcement, businesses, and critical infrastructure. While no crypto addresses were included in the designation of Matveev, Chainalysis has identified multiple addresses belonging to this actor.
• April 24 | Individuals facilitating money laundering, supporting DPRK weapons programs: OFAC sanctioned three China-based individuals for facilitating the Democratic People’s Republic of Korea (DPRK) cryptocurrency money laundering activities used to fund weapons of mass destruction and missile programs. OFAC included crypto addresses for two of the three individuals  in the designation — 17 for Wu Huihui and three for Sim Hyon Sop.
• April 14 | Chinese chemical businesses and Latin American drug cartel associates involved in fentanyl manufacture and trafficking: Chinese companies produced fentanyl precursor chemicals, which Latin America-based brokers purchased using Bitcoin, and sold to drug cartels. This OFAC designation included several entities and individuals, and a Bitcoin address controlled by Wang Hongfei who used it to accept payment for fentanyl precursors.
• April 5 | Fraud shop Genesis Market: OFAC sanctioned Genesis Market following Operation Cookie Monster, a coordinated international law enforcement effort in which authorities shut down the popular fraud shop and arrested hundreds of its users worldwide the previous day. Genesis Market’s online marketplace allowed the sale of stolen PII and received tens of millions of dollars worth of crypto during its lifetime. While no crypto addresses were included in the designation of Genesis Market, Chainalysis has identified multiple addresses belonging to this entity.
• Feb. 9 | Russia-based Trickbot cybercrime gang members: OFAC and the UK’s Office of Financial Sanctions Implementation (OFSI) jointly sanctioned seven members of the cybercrime gang Trickbot, who deploy a type of malware with the same name  used in cyber attacks on businesses and individuals worldwide. While no crypto addresses were included in the designation, Chainalysis has identified multiple addresses belonging to these actors.
• Feb. 1 | Supporters of Russia’s military-industrial complex: OFAC designated a network for Russian sanctions evasion led by Igor Vladimirovich Zimenkov, a Russia- and Cyprus-based arms dealer. The Zimenkov network enabled Russian defense sales to third-country governments. The notice included an entry for Jonatan Zimenkov, Igor’s son, and two cryptocurrency addresses Jonatan used to facilitate sales.

• Nov. 9 | Internet-based suppliers of illicit fentanyl and other synthetic drugs: OFAC sanctioned three individuals and nine entities associated with darknet marketplaces and research chemicals sites for supplying illicit synthetic substances to U.S. markets through internet sales and a host of shell companies. OFAC included 66 crypto addresses as identifiers for Matthew Simon Grimm and Alex Adrianus Martinus Peijnenburg in the designation.
• Nov. 8 | Tornado Cash redesignated with ties to DPRK: OFAC delisted and relisted crypto mixer Tornado Cash, replacing the previous action on August 8, 2022. The redesignation included an additional Executive Order, stating Tornado Cash not only facilitated money laundering for the Lazarus Group, but also had a role in enabling malicious cyber activities that supported DPRK’s weapons of mass destruction program. OFAC added 90 crypto addresses as identifiers for Tornado Cash in the redesignation.
• Sept. 15 | Individuals and entities facilitating Russia’s war in Ukraine: OFAC designated individuals and entities, including Task Force Rusich, for furthering the Government of the Russian Federation’s (GoR) objectives in Ukraine, before and during Russia’s 2022 invasion of Ukraine. Task Force Rusich is a neo-Nazi paramilitary group that participated in the war in Ukraine alongside Russia’s military. OFAC included five cryptocurrency addresses controlled by Task Force Rusich in the designation.
• Sept. 14 | Iranian nationals involved in cyber attacks including ransomware: On September 14, OFAC sanctioned ten Iranian nationals and two businesses associated with designated terrorist organization Iran’s Islamic Revolutionary Guard Corps (IRGC). Two of the individuals — Ahmad Khatibi Aghada and Amir Hossein Nikaeen Ravari — had six cryptocurrency addresses included as identifiers in their designation. 
• Aug. 8 | Ethereum mixer Tornado Cash: OFAC sanctioned the popular mixer Tornado Cash, adding it to the SDN List with 38 unique cryptocurrency addresses included as identifiers. Tornado Cash facilitated laundering over $455 million worth of cryptocurrency stolen from Axie Infinity’s Ronin Bridge protocol by the North Korea-affiliated hacking organization, Lazarus Group.
• May 6 | Crypto mixer Blender.io: OFAC sanctioned the first-ever cryptocurrency mixer — Blender.io — which DPRK used to support its malicious cyber activities and money-laundering of stolen cryptocurrency. Blender was used to process over $20.5 million in illicit proceeds from the March 23, 2022 Axie Infinity hack by Lazarus Group. OFAC added 46 cryptocurrency addresses controlled by Blender and 12 crypto addresses associated with Lazarus Group to its SDN List.
• April 22 | More Lazarus Group addresses from Ronin Bridge hack: OFAC updated its SDN entry for Lazarus Group to add five new crypto addresses as identifiers.
• April 20 | Entities and individuals facilitating Russian sanctions evasion: OFAC designated more than 40 individuals and entities for attempting to evade sanctions the United States and international partners imposed on Russia. Among the entities, Bitriver, a cryptocurrency mining company, was designated for helping Russia monetize its natural resources. While no crypto addresses were included in this designation, Chainalysis has identified multiple addresses belonging to this entity.
• April 14 | Lazarus Group tied to Ronin Bridge hack: OFAC added a new ETH address to Lazarus Group’s SDN entry, an address that was involved in the Ronin hack and received 173,600 ETH and 25.5 million during the attack.
• April 5 | Darknet market Hydra and Russian exchange Garantex: OFAC sanctioned Russia-based Hydra Market — the world’s largest darknet market by revenue at that time —  along with Russian cryptocurrency exchange Garantex. The designation added 117 of Hydra’s cryptocurrency addresses and three Garantex crypto addresses to the SDN List, and followed a joint operation in which several U.S. law enforcement agencies and Germany’s federal police shut down Hydra.

2021

• Nov. 8 | P2P crypto exchange and Russian nationals involved in ransomware operations: OFAC designated P2P crypto exchange Chatex for facilitating financial transactions for ransomware actors. OFAC also sanctioned two cybercriminals — Ukrainian Yaroslav Vasinskyi and Russian Yevgeniy Polyanin — for ransomware attacks on U.S. companies. The designation included 41 cryptocurrency addresses controlled by Chatex, Vasinskyi, and Polyanin.
• Sept. 22 | Russian cryptocurrency OTC Suex: OFAC sanctioned Russian cryptocurrency Over The Counter (OTC) broker Suex and added 25 of its crypto addresses to the SDN List. Suex received over $160 million from ransomware attackers, scammers, and darknet markets.
• July 28 | Financial facilitators for Al-Qa’ida in Turkey and Syria: OFAC designated individuals based in Turkey and Syria for materially assisting al-Qa’ida. One of the individuals — Farrukh Furkatovitch Fayzimatov — solicited donations for Hay’et Tahrir Al-Sham (HTS), a Syrian affiliate of al-Qa’ida. OFAC included one cryptocurrency address in the designation.
• April 15 | Individuals and entities attempting to influence U.S. elections: Following a six-count federal indictment from the DOJ, OFAC sanctioned 16 entities and 16 individuals for attempting to influence the 2020 U.S. presidential election, directed by the Russian Government. OFAC’s designation included 28 cryptocurrency addresses for three entities and one individual: SouthFront, The Association for Free Research and International Cooperation (AFRIC), Secondeye Solution (SES), and SES owner/operator Mujtaba Ali Raza.

2019

• Sept. 13 | Lazarus Group and other hacking entities: OFAC sanctioned Lazarus Group, along with two other state-sponsored North Korean entities, for malicious cyber activity on critical infrastructure. Cyber attacks by the three hacking groups supported illicit weapon and missile programs. While no crypto addresses were included in the designation of Lazarus Group, Chainalysis identified addresses belonging to this entity.
• Aug. 21 | Chinese nationals fueling the opioid crisis: Pursuant to the Foreign Narcotics Kingpin Designation Act (Kingpin Act), OFAC designated Fujing Zheng, Guanghua Zheng, and Xiaobing Yan, along with several entities, for their role in an international narcotics trafficking operation that manufactured and sold lethal drugs. OFAC included 12 cryptocurrency addresses for the individuals on the notice.

Sanctions screening challenges for crypto businesses

A Thomson Reuters survey found sanctions screening to be a top challenge for financial services organizations. Here’s why: sanctions lists are updated frequently, customers’ KYC information can change over time, list designees resort to sophisticated tactics to fly under the radar, and some sanctions are complex in scope, making them difficult to follow. The burden of mining historical transactions to find connections to previously sanctioned addresses is also considerable. Yet, failure to maintain sanctions compliance could result in significant fines and criminal penalties.