
OFAC and Crypto Crime: Every OFAC Specially Designated National with Identified Cryptocurrency Addresses


As far back as the early 1800s, the U.S. Department of the Treasury has issued economic sanctions to achieve foreign policy and national security objectives. Today, the Treasury’s Office of Foreign Assets Control (OFAC) sanctions countries, individuals, companies, and groups — like international drug traffickers or terrorists — that pose specific threats to U.S. interests.

Over the years, bad actors have tried a variety of tactics to evade OFAC’s sanctions. More recently, some have pivoted towards crypto, presuming that crypto transactions are anonymous or untraceable. Adapting to this tactic, OFAC began including cryptocurrency addresses as identifiers in sanctions designations. The first such instance occurred on November 28, 2018 when OFAC designated two Iran-based individuals tied to the SamSam ransomware scheme, which demanded ransom payments in Bitcoin. Since that first designation, OFAC has included many wallet addresses and even entire crypto services in its designations. In this article, we’ll discuss:

OFAC’s guidance on crypto-related sanctions compliance

In March of 2018, OFAC began answering questions about virtual currency on its website. The OFAC Frequently Asked Questions (FAQs) also define what the terms “digital currency,” “digital currency wallet,” “digital currency address,” and “virtual currency” mean as they apply to OFAC’s sanctions programs. In October of 2021, OFAC went a step further, publishing Sanctions Compliance Guidance for the Virtual Currency Industry, a guide outlining how both companies and crypto users can mitigate the risk of facilitating crypto crime.


OFAC’s crypto-related sanctions to date

2025

  • Nov. 19 | Russian cybercrime infrastructure & global drug-trafficking network: The U.S., U.K., and Australia jointly sanctioned Russian bulletproof hosting provider Media Land and its network for enabling ransomware, malware distribution, and other cybercriminal activity, including designating a Bitcoin address tied to operator Aleksandr “Yalishanda” Volosovik. On-chain analysis shows Yalishanda supported nearly every stage of the cyber kill chain and moved millions of dollars’ worth of cryptocurrency across thousands of addresses used by underground exchanges, laundering services, and ransomware affiliates. Separately, OFAC sanctioned former Canadian Olympian Ryan James Wedding and nine associates for laundering hundreds of millions in stablecoins tied to a multinational cocaine-trafficking ring, illustrating how stablecoins are increasingly leveraged and traceable within global narcotics supply chains.
  • Nov. 12 | Burma-based cyber scam network and U.S. Scam Center Strike Force: The DOJ, FBI, and U.S. Secret Service launched the first Scam Center Strike Force to combat a Southeast Asian scam ecosystem responsible for stealing at least $10 billion from Americans in 2024, while OFAC concurrently sanctioned the Burma-based Democratic Karen Benevolent Army (DKBA) and affiliated companies for operating forced-labor scam compounds. Although no crypto addresses were named, these operations rely heavily on fraudulent investment platforms, with Chainalysis data showing extensive use of cryptocurrency rails, AI-enabled scam tooling, and regional service providers like Huione. The action reflects escalating U.S. efforts to dismantle the infrastructure behind large-scale pig-butchering schemes, which have resulted in over $401 million in seized cryptocurrency.
  • Oct. 30 | U.S. and U.K. Target Massive Southeast Asian Crypto Scam Network: The DOJ announced the seizure of $15 billion in Bitcoin linked to fraudulent schemes and also unsealed an indictment against Chen Zhi, the founder and chairman of Prince Group, which operates a Cambodia-based transnational criminal enterprise through online investment scams. OFAC and the UK’s OFSI jointly sanctioned Chen Zhi, Prince Group, and Jin Bei Group Co. Ltd, a Prince Group subsidiary that operates scam compounds throughout Cambodia linked to extortion and forced labor. Additionally, Huione Group was officially designated under FinCEN’s Special Measures as a primary money laundering concern under Section 311 of the USA PATRIOT Act. Authorities identified over $4 billion in illicit proceeds laundered through Huione Group between August 2021 and January 2025, including $37 million from North Korean cyber heists, $36 million from crypto investment scams, and $300 million from other cyber scams.
  • Sept. 16 | Iranian shadow banking and crypto-based sanctions evasion network: OFAC sanctioned two Iranian financial facilitators — Alireza Derakhshan and Arash Estaki Alivand — and their network of front companies in Hong Kong and the UAE for coordinating cryptocurrency transactions tied to Iranian oil sales and benefiting the IRGC-QF and Iran’s Ministry of Defense. On-chain analysis shows the network handled over $600 million in inflows and executed more than $100 million in crypto purchases linked to sanctioned oil revenues, with additional connections to Hezbollah-linked money launderers and previously designated IRGC-QF proxy networks. The recent actions highlight Iran’s increasingly sophisticated use of cryptocurrency to evade sanctions and underscore how blockchain visibility enables investigators to map and disrupt complex shadow banking operations.
  • Sept. 3 | Chinese chemical supplier trafficking synthetic opioids: OFAC, in coordination with the DEA and FBI, sanctioned Guangzhou Tengyue Chemical Co., Ltd. and two associates for supplying synthetic opioids and dangerous cutting agents to U.S. buyers, including designating a Bitcoin address tied to company representative Huang Xiaojun. On-chain analysis shows Xiaojun’s address received over $1.26 million from 2021–2025, with payments originating from crypto ATMs and darknet market vendors involved in illicit drug transactions. The action underscores U.S. efforts to disrupt crypto-enabled drug trafficking networks by targeting both chemical suppliers and their digital payment infrastructure.
  • Aug. 27 | DPRK IT worker fraud network: OFAC sanctioned a Russia-linked facilitator network that funneled revenue from DPRK IT workers to support North Korea’s weapons of mass destruction and ballistic missile programs, including designating a crypto address tied to Russian national Vitaliy Andreyev. On-chain analysis shows how Andreyev, DPRK official Kim Ung Sun, and affiliated front companies helped launder more than $600,000 in IT worker proceeds through mainstream exchanges, bridges, DeFi protocols, and mixers, complementing earlier actions against Chinyong Information Technology Cooperation Company. The designation reinforces U.S. efforts to disrupt DPRK’s crypto-enabled revenue pipelines and the overseas labor schemes that underpin them.
  • Aug. 14 | Garantex rebrand, Grinex, and ruble-backed token A7A5: OFAC re-designated the sanctioned Russian exchange Garantex and sanctioned its successor, Grinex, along with Kyrgyzstani issuer Old Vector and other affiliates tied to the ruble-backed token A7A5, a crypto instrument explicitly designed to facilitate Russian cross-border payments and sanctions evasion. On-chain analysis shows that A7A5 has processed more than $93.3 billion in volume, with liquidity, user migration, and token flows revealing direct continuity between Garantex and Grinex, as well as deep integration into Russia-linked financial networks and no-KYC exchanges. The action highlights Russia’s evolving strategy to construct alternative, crypto-based settlement rails and illustrates how blockchain transparency enables investigators to uncover and disrupt these sanctions evasion ecosystems.
  • July 1 | Aeza Group bulletproof hosting network: OFAC sanctioned Russia-based Aeza Group LLC and its international affiliates for providing bulletproof hosting services that enabled ransomware operations, data theft, and other cybercriminal activity, including designating a TRON address tied to its payment infrastructure. On-chain analysis shows the wallet received more than $350,000 and funneled funds to multiple exchanges, with additional links to Garantex, darknet malware vendors, and other high-risk entities — indicating Aeza’s deep integration into the cybercrime supply chain. The action underscores OFAC’s continued strategy of targeting the infrastructure underpinning global cyber threats, following earlier designations of similar providers.
  • May 29 | Funnull Technology Inc. and pig butchering infrastructure: OFAC sanctioned Philippines-based Funnull Technology Inc. and its administrator, Liu Lizhi, for enabling large-scale pig butchering investment scams that defrauded U.S. victims of more than $200 million. The firm purchased IP addresses in bulk and resold them to scam operators, supporting a vast malicious infrastructure known as the “Triad Nexus,” while the designated crypto addresses show on-chain exposure to Huione Group and other entities linked to fraud. The action reflects the United States government’s growing focus on dismantling the technical and financial enablers behind crypto-enabled fraud schemes.
  • Apr. 2 | Iran-backed Houthi weapons procurement network: OFAC sanctioned a Russia-linked financial and logistics network that facilitated weapons shipments, stolen Ukrainian grain transfers, and sanctions evasion on behalf of the Houthis, identifying eight cryptocurrency wallets tied to nearly $1 billion in illicit flows. On-chain analysis shows heavy fund movement between Houthi wallets, previously sanctioned financier Sa’id al-Jamal, Russian intermediaries, and OFAC-sanctioned exchange Garantex, with mainstream exchanges receiving more than $200 million in cash-outs. The action underscores growing U.S. efforts to disrupt terrorist financing networks that increasingly rely on cryptocurrency and global shipping infrastructure to support destabilizing activities in Yemen and the Red Sea region.
  • Mar. 4 | Nemesis darknet marketplace administrator: OFAC designated Iran-based Behrouz Parsarad — the sole administrator of the Nemesis darknet marketplace — along with 49 cryptocurrency addresses for facilitating global fentanyl and narcotics sales, including to U.S. buyers. On-chain analysis shows Nemesis processed nearly $30 million in drug transactions before its 2024 takedown, while Parsarad moved more than $1.6 million across DNMs, exchanges, and mixers, doubling the value of his BTC holdings as he attempted to obscure activity from inside Iran. The action broadens OFAC’s global fentanyl disruption efforts and marks its first designation as part of the FBI-led Joint Criminal Opioid and Darknet Enforcement Team.
  • Feb. 11 | Zservers bulletproof hosting provider: OFAC, the UK’s FCDO, and Australia’s DFAT jointly sanctioned Zservers — a Russia-based bulletproof hosting service — along with associated individuals and multiple crypto addresses for enabling ransomware operations by LockBit and other affiliates. Chainalysis data shows Zservers received payments from numerous ransomware actors and funneled at least $5.2 million through high-risk channels, including sanctioned exchange Garantex and no-KYC services. The coordinated action underscores the growing international focus on dismantling the infrastructure that sustains global ransomware activity.

2024

  • Dec. 19 | IRGC-connected Houthi financier Sa’id al-Jamal: OFAC sanctioned twelve individuals and entities tied to Houthi arms trafficking, illicit shipping, and money laundering, and expanded its designation of Sa’id al-Jamal — a key IRGC-QF–aligned financier — to include five cryptocurrency addresses. On-chain analysis shows al-Jamal’s wallets moved more than $178 million in roughly a year, with numerous high-value stablecoin transfers exceeding $500,000 and patterns consistent with laundering through informal networks. The action underscores OFAC’s continued efforts to disrupt Iran-aligned proxies’ use of crypto for regional destabilization and highlights the Houthis’ broader commercial and geopolitical ties across China, Russia, and the Middle East.
  • Oct. 1 | Evil Corp cybercrime syndicate: OFAC, the UK’s FCDO, and Australia’s DFAT jointly designated key members of Evil Corp — the Russia-based syndicate behind Dridex malware and BitPaymer ransomware — as part of a coordinated global effort to disrupt its long-running cybercriminal operations. The actions build on prior 2019 sanctions and reveal extensive ties between Evil Corp, LockBit affiliates, and Russian intelligence networks, with on-chain evidence showing overlapping ransomware infrastructure and shared exchange deposit addresses. Concurrent law enforcement operations across Europe further dismantled LockBit-linked infrastructure, underscoring growing multilateral pressure to degrade Russia-based cybercrime ecosystems that rely on cryptocurrency.
  • Sept. 26 | Cryptex, UAPS (Ivanov), and PM2BTC: OFAC sanctioned Russian exchange Cryptex and designated Sergey Sergeevich Ivanov (a.k.a. UAPS/TALEON) for laundering funds tied to fraud shops, ransomware actors, darknet markets, and other cybercriminals, while FinCEN named the associated no-KYC exchange PM2BTC — which has processed over $1 billion — a “primary money laundering concern” under Section 9714(a) of the Combating Russian Money Laundering Act. Cryptex alone has processed more than $5.88 billion since 2018, and on-chain analysis shows deep connections among Cryptex, UAPS, and PM2BTC, including hundreds of millions in illicit flows and links to sanctioned Russian actors. These actions coincided with coordinated U.S.–Dutch seizures of infrastructure and assets and formed part of Operation Endgame, a multilateral crackdown on financial enablers of transnational cybercrime.
  • Aug. 23 | Russian UAV developer KB Vostok: OFAC sanctioned KB Vostok, a Russian drone developer supporting military operations in Ukraine, as part of a broader action targeting nearly 400 entities linked to Russia’s war machine. KB Vostok had solicited crypto donations and the TRON address included in the designation shows on-chain activity consistent with potential purchases of its low-cost Scalpel UAVs, with most deposits coming from a single high-volume counterparty tied to the sanctioned exchange Garantex. Chainalysis analysis indicates the counterparty has processed tens of millions of dollars, suggesting links to a larger node within Russia’s military supply chain.
  • June 14 | Nordic Resistance Movement: OFAC designated the Nordic Resistance Movement and three affiliated individuals as Specially Designated Global Terrorists (SDGTs) for their involvement in violent extremism. The organization had publicly solicited crypto donations for nearly a decade across multiple branches and assets — including Bitcoin, Ethereum, Litecoin, and others — accumulating roughly $92,000 in contributions that more than doubled in value before being cashed out through mainstream exchanges. Following the designation, the group removed crypto addresses from portions of its website, and Chainalysis has tracked and labeled all associated addresses in its platform.
  • May 29 | “911 S5” botnet administrators: OFAC sanctioned multiple individuals and entities for their involvement with the residential proxy service known as “911 S5,” a botnet that distributed deceptive free VPN services to victims and hijacked their IP addresses through a backdoor. Cybercriminals frequently paid in cryptocurrencies like Bitcoin to use these IP addresses in order to carry out various forms of cybercrime. The DOJ also announced the arrest of Chinese national Yunhe Wang, who allegedly controlled the botnet. Crypto addresses associated with Wang hold over $130 million in cryptocurrency, and OFAC included 49 crypto addresses as identifiers in its designation.
  • May 7 | Leader of cybercrime group LockBit: In collaboration with the United Kingdom’s National Crime Agency (NCA), the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Australian Federal Police, OFAC sanctioned Russian national Dmitry Yuryevich Khoroshev for developing and distributing ransomware through his Ransomware-as-a-Service (RaaS), LockBit, and included a single address associated with Khoroshev in the designation.
  • May 1 | Individuals and entities involved in Russia’s war machine: OFAC sanctioned roughly 300 individuals and entities for facilitating Russian weapons production and for sanctions evasion. The list included OKO Design Bureau, an organization that developed unmanned aerial vehicles (UAVs) and operated a Telegram channel where it solicited donations in crypto. The designation included three crypto addresses tied to OKO Design Bureau.
  • March 27 | Gaza Now and individuals and entities fundraising for Hamas: OFAC, in cooperation with the UK’s Office of Foreign Sanctions Implementation (OFSI), sanctioned two individuals and three entities for their role in fundraising for Hamas after the October 7 attacks on Israel. Among the sanctioned entities was Gaza Now, a Gaza-based social media news outlet that has posted pro-Hamas content, solicited donations for Hamas, and accepted funds in cryptocurrency. OFAC and OFSI included in their designations several cryptocurrency addresses controlled by the media outlet, which have been used in crypto donation campaigns. In total, those addresses have received nearly $4.5 million in crypto.
  • March 26 | Syria-based hawala operator: OFAC sanctioned Syria-based hawala operator Tawfiq Muhammad Said Al-Law, who Israel’s National Bureau for Counter Terror Financing (NBCTF) had previously identified as having worked with Hezbollah operatives on crypto funding infrastructure. OFAC included a crypto address controlled by Al-Law as an identifier in the designation.
  • March 25 | Russia-based blockchain companies facilitating sanctions evasion: OFAC sanctioned twelve entities — including Netex24 and Bitpapa — and two individuals for helping to build or operate blockchain-based services to facilitate sanctions evasion on behalf of Russian nationals. While OFAC didn’t include any crypto addresses in the designation, Chainalysis has identified multiple addresses associated with Netex24 and Bitpapa.
  • March 20 | Russian nationals facilitating disinformation for Russian government: OFAC sanctioned Russian nationals Ilya Andreevich Gambashidze and Nikolai Aleksandrovich Tupikin and their companies for assisting the Russian government in foreign malign campaigns, which involved deceiving voters worldwide to undermine trust in their governments. OFAC included two USDT addresses in the designation, and Tether has since frozen Gambashidze’s wallets.
  • Feb. 20 | LockBit ransomware group affiliates: OFAC sanctioned two Russian nationals — Artur Sungatov and Ivan Kondratyev — who were affiliated with the Ransomware-as-a-Service (RaaS) group LockBit, and included ten crypto addresses as SDN List identifiers in the designation. On the same day, the U.K. National Crime Agency (NCA) and U.S. Department of Justice (DOJ) announced they had disrupted LockBit, and the DOJ charged Sungatov and Kondratyev with using the ransomware strain in attacks.

2023

  • Nov. 30 | North Korea hacking group Kimsuky: OFAC and Japan’s Ministry of Foreign Affairs joined South Korea’s Ministry of Foreign Affairs in sanctioning Kimsuky for its cyber espionage activity and support of North Korea’s nuclear weapons program. While South Korea’s June sanctions designation included crypto addresses, OFAC’s SDN list entry for Kimsuky did not, but did include identifying websites and email addresses.
  • Nov. 29 | Crypto mixer Sinbad.io used in North Korean laundering activities: OFAC sanctioned cryptocurrency mixer Sinbad for its use by Lazarus Group to launder millions of dollars in stolen crypto. In a multi-agency effort that included the FBI and the Netherlands’ Fiscal Information and Investigation Service (FIOD), authorities also seized Sinbad.io and took it offline. The designation included two bitcoin addresses linked to Sinbad.
  • Nov. 3 | Russian national who used crypto to money launder on behalf of Russian elites: OFAC sanctioned Russian national Ekaterina Zhdanova for cryptocurrency-based money laundering on behalf of Russian elites and ransomware groups. The designation included three bitcoin addresses Zhdanova used to facilitate these illicit activities.
  • Oct. 18 | Gaza-based MSB Buy Cash: Following the terrorist attack on Israel, OFAC sanctioned Hamas operatives and financial facilitators including Buy Cash Money and Money Transfer Company, a Gaza-based money services business that’s been used to transfer funds to Hamas affiliates and other terrorist groups.
  • Oct. 3 | China-based network of illicit drug producers: OFAC sanctioned several individuals and companies in a China-based network for their role in manufacturing and distributing fentanyl and other drugs, and included 17 cryptocurrency addresses as identifiers in the SDN List entries for five individuals and one entity.
  • Sept. 26 | Individuals drug trafficking for the Sinaloa cartel: In coordination with the U.S. Drug Enforcement Administration (DEA), Mexico’s Financial Intelligence Unit, and the Colombia Counternarcotics Working Group, OFAC sanctioned 10 individuals affiliated with Mexico’s Sinaloa cartel for trafficking illegal fentanyl, cocaine, and methamphetamine into the United States. The designation included an Ethereum address as an identifier on one individual’s SDN List entry.
  • Sept. 7 | Individuals affiliated with Russian-based ransomware group Trickbot: In a joint action, the U.K. HM Treasury Office of Financial Sanctions Implementation (OFSI) and OFAC sanctioned eleven individuals associated with Trickbot, including well-known actors Maksim Galochkin and Mikhail Tsarev. Earlier this year, the U.K. and U.S. jointly sanctioned seven other members of the Trickbot group.
  • Aug. 23 | Co-founder of previously sanctioned Ethereum mixer Tornado Cash: Two days after a federal judge upheld OFAC’s Tornado Cash designation from last year, OFAC sanctioned Roman Semenov for his role in supporting Lazarus Group and included eight cryptocurrency addresses as identifiers on his SDN list entry. The U.S. Department of Justice (DOJ) also charged him and fellow co-founder Roman Storm for conspiracy to commit money laundering, operate an unlicensed money transmitting business, and commit sanctions violations.
  • July 31 | ISIS and Al-Qaeda Operatives in Maldives: OFAC sanctioned several individuals and entities involved in the Maldives operations of terrorist groups Al-Qaeda, ISIS, and ISIS-Khorasan (ISIS-K). The notice included a crypto address as an SDN identifier for Ali Shafiu, one of the sanctioned individuals.
  • May 23 | North Korean hackers and IT worker crypto payment schemes: OFAC and South Korea’s Ministry of Foreign Affairs (MOFA) sanctioned entities and individuals associated with illicit North Korean revenue generation schemes. One individual — Kim Sang Man — helped North Korean IT professionals find contract work overseas, and some of their proceeds were sent to North Korea in support of its weapons development programs. OFAC included six crypto addresses associated with Kim Sang Man in the designation. 
  • May 19 | Dubai-based financial services firm and CEO involved in Russian sanctions evasion: OFAC sanctioned 22 individuals and 104 entities operating in 20 countries for their role in facilitating Russian sanctions evasion. This designation included a crypto address as an SDN identifier for John Desmond Hanafin, CEO of Dubai-based Huriya Private.
  • May 16 | Russia-based ransomware developer: OFAC sanctioned Mikhail Matveev for launching cyberattacks on U.S. law enforcement, businesses, and critical infrastructure. While no crypto addresses were included in the designation of Matveev, Chainalysis has identified multiple addresses belonging to this actor.
  • April 24 | Individuals facilitating money laundering, supporting DPRK weapons programs: OFAC sanctioned three China-based individuals for facilitating the Democratic People’s Republic of Korea (DPRK) cryptocurrency money laundering activities used to fund weapons of mass destruction and missile programs. OFAC included crypto addresses for two of the three individuals in the designation — 17 for Wu Huihui and three for Sim Hyon Sop.
  • April 14 | Chinese chemical businesses and Latin American drug cartel associates involved in fentanyl manufacture and trafficking: Chinese companies produced fentanyl precursor chemicals, which Latin America-based brokers purchased using Bitcoin, and sold to drug cartels. This OFAC designation included several entities and individuals, and a Bitcoin address controlled by Wang Hongfei who used it to accept payment for fentanyl precursors.
  • April 5 | Fraud shop Genesis Market: OFAC sanctioned Genesis Market following Operation Cookie Monster, a coordinated international law enforcement effort in which authorities shut down the popular fraud shop and arrested hundreds of its users worldwide the previous day. Genesis Market’s online marketplace allowed the sale of stolen PII and received tens of millions of dollars worth of crypto during its lifetime. While no crypto addresses were included in the designation of Genesis Market, Chainalysis has identified multiple addresses belonging to this entity.
  • Feb. 9 | Russia-based Trickbot cybercrime gang members: OFAC and the UK’s Office of Financial Sanctions Implementation (OFSI) jointly sanctioned seven members of the cybercrime gang Trickbot, who deploy a type of malware with the same name, used in cyber attacks on businesses and individuals worldwide. While no crypto addresses were included in the designation, Chainalysis has identified multiple addresses belonging to these actors.
  • Feb. 1 | Supporters of Russia’s military-industrial complex: OFAC designated a network for Russian sanctions evasion led by Igor Vladimirovich Zimenkov, a Russia- and Cyprus-based arms dealer. The Zimenkov network enabled Russian defense sales to third-country governments. The notice included an entry for Jonatan Zimenkov, Igor’s son, and two cryptocurrency addresses Jonatan used to facilitate sales.


2022

  • Nov. 9 | Internet-based suppliers of illicit fentanyl and other synthetic drugs: OFAC sanctioned three individuals and nine entities associated with darknet marketplaces and research chemicals sites for supplying illicit synthetic substances to U.S. markets through internet sales and a host of shell companies. OFAC included 66 crypto addresses as identifiers for Matthew Simon Grimm and Alex Adrianus Martinus Peijnenburg in the designation.
  • Nov. 8 | Tornado Cash redesignated with ties to DPRK: OFAC delisted and relisted crypto mixer Tornado Cash, replacing the previous action on August 8, 2022. The redesignation included an additional Executive Order, stating Tornado Cash not only facilitated money laundering for the Lazarus Group, but also had a role in enabling malicious cyber activities that supported DPRK’s weapons of mass destruction program. OFAC added 90 crypto addresses as identifiers for Tornado Cash in the redesignation.
  • Sept. 15 | Individuals and entities facilitating Russia’s war in Ukraine: OFAC designated individuals and entities, including Task Force Rusich, for furthering the Government of the Russian Federation’s (GoR) objectives in Ukraine, before and during Russia’s 2022 invasion of Ukraine. Task Force Rusich is a neo-Nazi paramilitary group that participated in the war in Ukraine alongside Russia’s military. OFAC included five cryptocurrency addresses controlled by Task Force Rusich in the designation.
  • Sept. 14 | Iranian nationals involved in cyber attacks including ransomware: On September 14, OFAC sanctioned ten Iranian nationals and two businesses associated with designated terrorist organization Iran’s Islamic Revolutionary Guard Corps (IRGC). Two of the individuals — Ahmad Khatibi Aghada and Amir Hossein Nikaeen Ravari — had six cryptocurrency addresses included as identifiers in their designation. 
  • Aug. 8 | Ethereum mixer Tornado Cash: OFAC sanctioned the popular mixer Tornado Cash, adding it to the SDN List with 38 unique cryptocurrency addresses included as identifiers. Tornado Cash facilitated laundering over $455 million worth of cryptocurrency stolen from Axie Infinity’s Ronin Bridge protocol by the North Korea-affiliated hacking organization, Lazarus Group.
  • May 6 | Crypto mixer Blender.io: OFAC sanctioned the first-ever cryptocurrency mixer — Blender.io — which DPRK used to support its malicious cyber activities and money-laundering of stolen cryptocurrency. Blender was used to process over $20.5 million in illicit proceeds from the March 23, 2022 Axie Infinity hack by Lazarus Group. OFAC added 46 cryptocurrency addresses controlled by Blender and four crypto addresses associated with Lazarus Group to its SDN List.
  • April 22 | More Lazarus Group addresses from Ronin Bridge hack: OFAC updated its SDN entry for Lazarus Group to add five new crypto addresses as identifiers.
  • April 20 | Entities and individuals facilitating Russian sanctions evasion: OFAC designated more than 40 individuals and entities for attempting to evade sanctions the United States and international partners imposed on Russia. Among the entities, Bitriver, a cryptocurrency mining company, was designated for helping Russia monetize its natural resources. While no crypto addresses were included in this designation, Chainalysis has identified multiple addresses belonging to this entity.
  • April 14 | Lazarus Group tied to Ronin Bridge hack: OFAC added a new ETH address to Lazarus Group’s SDN entry, an address that was involved in the Ronin hack and received 173,600 ETH and 25.5 million during the attack.
  • April 5 | Darknet market Hydra and Russian exchange Garantex: OFAC sanctioned Russia-based Hydra Market — the world’s largest darknet market by revenue at that time — along with Russian cryptocurrency exchange Garantex. The designation added 117 of Hydra’s cryptocurrency addresses and three Garantex crypto addresses to the SDN List, and followed a joint operation in which several U.S. law enforcement agencies and Germany’s federal police shut down Hydra.

2021

2020

2019

  • Sept. 13 | Lazarus Group and other hacking entities: OFAC sanctioned Lazarus Group, along with two other state-sponsored North Korean entities, for malicious cyber activity on critical infrastructure. Cyber attacks by the three hacking groups supported illicit weapon and missile programs. While no crypto addresses were included in the designation of Lazarus Group, Chainalysis identified addresses belonging to this entity.
  • Aug. 21 | Chinese nationals fueling the opioid crisis: Pursuant to the Foreign Narcotics Kingpin Designation Act (Kingpin Act), OFAC designated Fujing Zheng, Guanghua Zheng, and Xiaobing Yan, along with several entities, for their role in an international narcotics trafficking operation that manufactured and sold lethal drugs. OFAC included 12 cryptocurrency addresses for the individuals on the notice.

2018

Sanctions screening challenges for crypto businesses

A Thomson Reuters survey found sanctions screening to be a top challenge for financial services organizations. Here’s why: sanctions lists are updated frequently, customers’ KYC information can change over time, list designees resort to sophisticated tactics to fly under the radar, and some sanctions are complex in scope, making them difficult to follow. The burden of mining historical transactions to find connections to previously sanctioned addresses is also considerable. Yet, failure to maintain sanctions compliance could result in significant fines and criminal penalties.

That’s why organizations need risk management solutions. Where centralized crypto exchanges can prevent bad actors from signing up for their services, decentralized protocols need different ways to help them manage risk without hindering growth. Chainalysis offers a free on-chain oracle and API to help DeFi protocols automatically detect crypto wallets associated with sanctioned individuals or entities. These free offerings leverage addresses listed on the OFAC SDN list only and do not include additional Chainalysis data or any future intelligence we may collect on these entities. For those seeking more support, our wallet screening capabilities combine industry-leading blockchain intelligence and customizable risk rules to help them identify and prevent illicit services from interacting with their platforms, with specific solutions to help DeFi groups build risk programs and shield themselves from bad actors so they can safely grow their projects. Learn more about the challenges and opportunities related to crypto sanctions and how Chainalysis can help.