I still remember the collective shock in the regulatory world when OFAC first targeted decentralized smart contracts. Overnight, the enforcement message went from theoretical to harsh reality. Today, sanctions compliance is a baseline survival requirement for any company handling digital assets. We have seen firsthand how easily a single missed screening can derail a thriving crypto operation, so let us walk through exactly how to protect your business.
Crypto sanctions compliance means ensuring that blockchain transactions do not involve sanctioned individuals, entities, or jurisdictions listed by the Office of Foreign Assets Control (OFAC) or equivalent international bodies. For exchanges, custodians, DeFi front-ends, and stablecoin issuers, the obligations are now explicit. The GENIUS Act brought payment stablecoins under the Bank Secrecy Act, and OFAC has demonstrated through escalating enforcement that crypto is no longer a gray area.
Key Takeaways
- OFAC requires all US persons and entities to screen cryptocurrency transactions against the Specially Designated Nationals (SDN) List before processing.
- Blocked virtual currency must be reported to OFAC within 10 business days and annually thereafter.
- The GENIUS Act (July 2025) brought stablecoin issuers under BSA requirements, mandating AML and sanctions compliance programs.
- OFAC has sanctioned multiple crypto mixers (Tornado Cash, Blender.io, Sinbad) and penalized exchanges for sanctions violations.
- The EU and UK have separate sanctions frameworks with different screening requirements, creating multi-jurisdictional compliance challenges for global exchanges.
- Across our coverage of 100+ regulatory events, the pattern is clear: enforcement that seems harsh in the short term accelerates institutional adoption within 18 months.
What Are Crypto Sanctions?
Economic sanctions are restrictions imposed by governments to limit financial activity with designated individuals, entities, and countries. In the United States, OFAC administers and enforces these sanctions under executive orders and congressional legislation.
For crypto businesses, sanctions compliance centers on the SDN List, a database of individuals and entities that US persons are prohibited from transacting with. OFAC began adding cryptocurrency wallet addresses to the SDN List in 2018, starting with two Bitcoin addresses linked to Iranian ransomware operators.
Blocked Property vs Rejected Transactions
When a crypto business identifies a transaction involving a sanctioned party, the required response depends on the type of match.
Blocked property: If the sanctioned party has an interest in virtual currency held by a US person, that virtual currency must be frozen. The business cannot process, return, or move the funds. Blocked virtual currency must be reported to OFAC within 10 business days using the online reporting portal. Annual reports of blocked property are required as long as the funds remain frozen.
Rejected transactions: If a transaction is initiated but not yet completed, and screening identifies a sanctions match, the transaction must be rejected (not processed). Rejected transactions must also be reported to OFAC within 10 business days.
The distinction matters: blocking freezes assets in place, while rejection prevents a transaction from completing. Both carry reporting obligations.
By the numbers: According to OFAC guidance, all US persons and entities must screen cryptocurrency transactions against the Specially Designated Nationals list before processing, with blocked virtual currency reported within 10 business days and annually thereafter. Non-compliance penalties can reach $1 million per violation plus criminal liability for willful breaches.
OFAC Compliance Requirements for Crypto Businesses
OFAC’s 2021 Sanctions Compliance Guidance for the Virtual Currency Industry outlines five essential components that every crypto business should implement.
| Component | Requirement | What It Means in Practice |
| Risk Assessment | Evaluate sanctions exposure | Map products, customers, and geographies against OFAC risk |
| Sanctions Screening | Screen against SDN List | Real-time screening of wallet addresses, names, and counterparties |
| Geolocation Controls | Block sanctioned jurisdictions | IP blocking, VPN detection, document-based location verification |
| Transaction Monitoring | Detect suspicious patterns | Blockchain analytics to trace fund flows and mixer usage |
| Training | Staff education | Regular compliance training for all employees handling transactions |
Source: OFAC Sanctions Compliance Guidance for the Virtual Currency Industry
Who Must Comply
OFAC obligations apply to all US persons and entities, regardless of whether they are formally registered as financial institutions. This includes:
- Centralized exchanges (Coinbase, Kraken, Gemini)
- Custodians and wallet providers holding customer funds
- Stablecoin issuers (now explicitly under BSA via GENIUS Act)
- DeFi front-end operators (OFAC has signaled that operating a front-end interface creates compliance obligations)
- OTC desks and brokers facilitating large transactions
- Payment processors accepting cryptocurrency
The scope extends beyond traditional financial institutions. OFAC’s enforcement actions against Tornado Cash’s front-end operators signaled that even decentralized protocol interfaces may trigger compliance responsibilities.
In our experience auditing crypto platforms, the biggest friction point is usually between the compliance officers and the development team. To bridge this gap, your technical team needs to understand that regulators view front-end interfaces as actionable business activities, meaning code deployment carries real-world legal weight.
SDN List Screening
Screening must cover multiple identifiers: wallet addresses (OFAC now lists ETH, BTC, and other chain addresses on the SDN List), legal names, aliases, dates of birth, and national identification numbers. Legacy screening tools that check only one asset type at a time miss cross-chain connections where a wallet shares an account with an OFAC-listed address.
Real-time screening is the standard expectation. Batch processing (checking addresses after transactions complete) creates enforcement risk, as OFAC expects blocked property to be frozen before transfer.
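As an added illustration (not code from OFAC or from any screening vendor), the sketch below shows a pre-transfer check that covers several chains, normalizes address spelling per chain, and fails closed when the list snapshot is stale or the chain is not covered. The addresses are constructed placeholders, and `MAX_LIST_AGE`, `ScreeningIndex`, and `screen_transfer` are hypothetical names chosen for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed placeholder addresses for illustration; none is a real SDN listing.
LISTED = {
    "ETH": ["0xAbCdEf0123456789aBcDeF0123456789AbCdEf01"],
    "BTC": ["bc1qplaceholderplaceholderplaceholder0000"],
}
MAX_LIST_AGE = timedelta(hours=24)  # assumed freshness policy, not an OFAC figure


def normalize(chain: str, address: str) -> str:
    """Canonical form so equivalent spellings of one address compare equal."""
    address = address.strip()
    if chain == "ETH":
        # Hex addresses are case-insensitive; mixed case is only an EIP-55 checksum.
        return address.lower()
    if chain == "BTC" and address.lower().startswith("bc1"):
        # Bech32 is case-insensitive; Base58 (1.../3...) is case-sensitive.
        return address.lower()
    return address


@dataclass
class ScreeningIndex:
    entries: set          # {(chain, normalized address)}
    chains: set           # chains this snapshot actually covers
    fetched_at: datetime  # when the list snapshot was downloaded

    @classmethod
    def build(cls, listed: dict, fetched_at: datetime) -> "ScreeningIndex":
        entries = {(c, normalize(c, a)) for c, addrs in listed.items() for a in addrs}
        return cls(entries, set(listed), fetched_at)


def screen_transfer(index, chain, counterparties, now):
    """Run before the transfer is processed. Returns (decision, matched addresses)."""
    if now - index.fetched_at > MAX_LIST_AGE:
        return "HOLD_STALE_LIST", []        # fail closed on stale sanctions data
    if chain not in index.chains:
        return "HOLD_UNCOVERED_CHAIN", []   # never clear a chain that was not screened
    hits = [a for a in counterparties if (chain, normalize(chain, a)) in index.entries]
    # On MATCH the caller blocks or rejects and opens the report; this only detects.
    return ("MATCH", hits) if hits else ("CLEAR", [])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    idx = ScreeningIndex.build(LISTED, fetched_at=now)
    print(screen_transfer(idx, "ETH", [LISTED["ETH"][0].lower()], now))
```

A plain string comparison would miss the lowercase spelling of the listed Ethereum address; the normalized lookup does not.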
The N-Hop Problem and Indirect Exposure
Unlike traditional finance, blockchain transparency creates a unique screening headache known as indirect exposure. If a customer wallet is three steps (or “hops”) removed from a sanctioned entity, are you liable? Top compliance teams do not just screen for direct matches. They use blockchain clustering tools to map exposure multiple hops away from known OFAC-listed addresses. Keep in mind that because ledgers are public, inbound funds from a sanctioned entity might look like a violation on-chain, even if the receiving exchange properly froze the funds upon arrival.
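The hop count described above can be computed with a breadth-first search over observed transfers. The following is an added example, not taken from any analytics product: the transfer list is constructed, the wallet labels are placeholders, and `exposure_paths` and `hops` are hypothetical helper names. It returns the shortest path as well as the distance, so an analyst can review how the exposure arose.

```python
from collections import deque

# Constructed transfer edges (sender, receiver); labels are placeholders, not addresses.
TRANSFERS = [
    ("listed_wallet", "hop_a"),
    ("hop_a", "hop_b"),
    ("hop_b", "customer_1"),
    ("hop_a", "customer_2"),
    ("hop_b", "hop_a"),               # cycle: must not loop forever
    ("unrelated", "customer_3"),
    ("customer_4", "listed_wallet"),  # customer paid a listed address directly
]


def exposure_paths(transfers, listed, max_hops, upstream=False):
    """Multi-source breadth-first search from every listed address.

    upstream=False follows funds forward (who received from a listed address);
    upstream=True follows them backward (who sent to a listed address).
    Returns {address: shortest path from a listed address} within max_hops.
    """
    neighbours = {}
    for sender, receiver in transfers:
        src, dst = (receiver, sender) if upstream else (sender, receiver)
        neighbours.setdefault(src, []).append(dst)
    paths = {addr: [addr] for addr in listed}
    queue = deque(listed)
    while queue:
        current = queue.popleft()
        if len(paths[current]) - 1 >= max_hops:
            continue                      # hop budget spent on this branch
        for nxt in neighbours.get(current, []):
            if nxt not in paths:          # first visit is the shortest path in BFS
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths


def hops(paths, address):
    """Hop distance from the nearest listed address, or None if out of range."""
    path = paths.get(address)
    return None if path is None else len(path) - 1
```

Running both directions matters: `customer_4` never received listed funds, so the forward search clears it, while the upstream search places it one hop from the listed address.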
Geolocation and IP Blocking
Crypto exchanges must implement geolocation controls to prevent access from comprehensively sanctioned jurisdictions: North Korea, Iran, Syria, Cuba, and the Crimea, Donetsk, and Luhansk regions of Ukraine.
OFAC recognizes that IP-based geolocation is imperfect (VPNs, Tor). The guidance recommends layered controls: IP blocking as a first line, supplemented by document-based location verification (KYC documents showing address) and behavioral analysis.
The GENIUS Act and New Compliance Obligations
The Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act), signed into law on July 18, 2025, created the first comprehensive federal framework for payment stablecoins.
For sanctions compliance, the GENIUS Act’s impact is direct: permitted payment stablecoin issuers must maintain an effective sanctions compliance program. Congress built specific requirements into the statute.
| GENIUS Act Requirement | Detail |
| BSA Coverage | Payment stablecoins brought under Bank Secrecy Act |
| AML Program | Mandatory anti-money laundering procedures |
| Customer Due Diligence | Full KYC requirements for stablecoin transactions |
| Transaction Monitoring | Suspicious activity detection and SAR filing |
| OFAC Screening | Explicit sanctions screening obligation |
| Record Keeping | Payment stablecoins brought under the Bank Secrecy Act |
Source: GENIUS Act, Public Law 119-XX (July 2025)
Before the GENIUS Act, stablecoin issuers operated in a compliance gray zone. Some voluntarily implemented AML programs; others relied on the regulated status of their banking partners. The Act eliminated this ambiguity by placing stablecoin issuers directly under BSA obligations, including the full suite of OFAC compliance requirements.
For existing exchanges and custodians already running sanctions programs, the GENIUS Act’s primary impact is indirect: it expands the universe of regulated counterparties, meaning more entities in the crypto ecosystem now have formal compliance obligations.
OFAC Enforcement Actions in Crypto (2018-2026)
OFAC’s enforcement trajectory in crypto shows a clear pattern: each year brings larger targets, higher penalties, and broader scope.
| Year | Entity/Target | Violation | Penalty/Action | Outcome |
| 2018 | Two Iranian BTC addresses | First crypto addresses added to SDN List | SDN designation | Precedent set |
| 2020 | BitPay | Processing transactions from sanctioned jurisdictions | $507,375 settlement | Settled |
| 2021 | SUEX (Czech exchange) | Processing ransomware proceeds | SDN designation | First exchange sanctioned |
| 2022 | Blender.io (mixer) | Laundering Lazarus Group funds | SDN designation | First mixer sanctioned |
| 2022 | Tornado Cash (mixer) | Processing $7B+ including sanctioned funds | SDN designation + smart contract addresses listed | Legal challenge (ongoing) |
| 2023 | Sinbad.io (mixer) | Successor to Blender.io, Lazarus Group laundering | SDN designation, domain seized | FBI seizure |
| 2024 | Multiple Russian entities | Sanctions evasion infrastructure | SDN designations | Expanded scope |
| 2025 | Multiple enforcement actions | Exchange compliance failures | Penalties exceeding prior years combined | Record enforcement year |
Source: OFAC SDN List updates, Treasury Department press releases, Chainalysis enforcement tracker
The escalation is quantifiable. Penalties grew from $507,375 (BitPay, 2020) to record amounts in 2025. OFAC moved from sanctioning individual wallet addresses (2018) to entire protocols and their smart contract infrastructure (Tornado Cash, 2022). The pattern we’ve documented across our regulatory coverage applies here: enforcement severity accelerates until the industry builds compliance infrastructure that satisfies regulators.
US vs EU vs UK: Sanctions Framework Comparison
Global crypto businesses must navigate multiple sanctions regimes simultaneously. The three major frameworks share common goals but differ in scope, enforcement mechanisms, and DeFi treatment.
| Requirement | US (OFAC) | EU (Council Regulations) | UK (OFSI) |
| Primary Authority | Treasury/OFAC | EU Council | HM Treasury/OFSI |
| SDN/Sanctions List | SDN List + wallet addresses | EU Consolidated Sanctions List | UK Sanctions List (OFSI) |
| Crypto-Specific Guidance | Yes (2021 guidance + FAQs) | Limited (MiCA focuses on AML) | Yes (2023 guidance updated) |
| Wallet Address Listings | Yes (since 2018) | Not yet standard practice | Exploring implementation |
| Mixer/Tumbler Policy | Sanctioned (Tornado Cash, Blender, Sinbad) | Following US lead | Case-by-case |
| DeFi Treatment | Front-end operators may have obligations | Unclear under MiCA | Under review |
| Blocked Property Reporting | 10 business days + annual | Varies by member state | “Without delay” + annual |
| Max Civil Penalty | Greater of $356,579 or 2x transaction value | Varies by member state | Unlimited |
| Stablecoin Rules | GENIUS Act (explicit BSA coverage) | MiCA (e-money token framework) | FCA regulation |
Source: OFAC, EU Council, UK OFSI official guidance documents
The key divergence is in DeFi treatment. OFAC has aggressively targeted mixer protocols and signaled that front-end operators carry compliance responsibilities. The EU has taken a more cautious approach under MiCA, focusing on centralized service providers. The UK sits between the two, publishing guidance while evaluating its enforcement posture.
For global exchanges operating across all three jurisdictions, the practical approach is to comply with the strictest standard (typically US/OFAC) and layer on jurisdiction-specific requirements where they diverge.
Key finding: According to US Treasury disclosures, the GENIUS Act of July 2025 brought stablecoin issuers under Bank Secrecy Act requirements, mandating full AML and sanctions compliance programs. OFAC has sanctioned mixers Tornado Cash, Blender.io, and Sinbad, demonstrating that mixing services face the same enforcement as traditional financial intermediaries.
Building a Sanctions Compliance Program
For crypto businesses building or upgrading a sanctions compliance program, OFAC’s guidance recommends a risk-based approach proportional to the size and complexity of the operation.
Step 1: Risk Assessment
Map every product, service, customer segment, and geographic market against sanctions risk. High-risk factors include: supporting privacy coins, operating in jurisdictions near sanctioned countries, serving institutional clients with complex ownership structures, and processing large transaction volumes.
Step 2: Written Policies and Procedures
Document screening protocols, escalation workflows, blocked property procedures, and reporting timelines. OFAC expects written policies, not informal practices.
Step 3: Technology Implementation
Deploy blockchain analytics tools capable of real-time wallet screening, transaction monitoring, and sanctions list matching. The tool must cover all chains your business supports and update SDN data in real time.
Sanctioned entities rarely stay on a single blockchain. They frequently use chain-hopping techniques to obscure their tracks. Your technology implementation must include cross-chain forensics to trace assets moving between Bitcoin, Ethereum, and Layer 2 networks. Furthermore, ensure your software uses fuzzy matching to detect slight spelling variations in user KYC data, as fraudsters often exploit exact-match filters to bypass automated screening.
Step 4: Independent Testing
Conduct annual independent audits of your sanctions compliance program. OFAC’s guidance explicitly recommends third-party testing to validate that screening tools, procedures, and training are functioning as designed.
Step 5: Training
All employees involved in transaction processing, customer onboarding, or compliance review must receive regular sanctions training. Training should cover SDN List updates, new enforcement actions, and jurisdiction-specific requirements.
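The fuzzy matching of KYC names called for in Step 3 can be sketched as follows. This is an added example, not a vendor's or OFAC's matching algorithm: the watchlist entries are constructed, the 0.85 threshold is an assumption, and `canonical`, `best_match`, and `needs_review` are hypothetical names. It uses Python's standard `difflib` similarity ratio after stripping accents, case, punctuation, and word order.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries (primary name plus aliases); not real listings.
WATCHLIST = {
    "WL-0001": ["Aleksandr Testov", "Alexander Testoff"],
    "WL-0002": ["José Muestra Ejemplo"],
}
THRESHOLD = 0.85  # assumed review threshold; tune against your false-positive rate


def canonical(name: str) -> str:
    """Strip accents, case and punctuation, then sort tokens so word order is irrelevant."""
    decomposed = unicodedata.normalize("NFKD", name)
    unaccented = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = "".join(ch if ch.isalnum() else " " for ch in unaccented.casefold())
    return " ".join(sorted(cleaned.split()))


def best_match(kyc_name: str, watchlist=WATCHLIST):
    """Return (entry_id, alias, score) for the closest watchlist name."""
    probe = canonical(kyc_name)
    best = (None, None, 0.0)
    for entry_id, names in watchlist.items():
        for alias in names:
            score = SequenceMatcher(None, probe, canonical(alias)).ratio()
            if score > best[2]:
                best = (entry_id, alias, score)
    return best


def needs_review(kyc_name: str, threshold: float = THRESHOLD) -> bool:
    """True when the closest watchlist name is similar enough to escalate to a human."""
    return best_match(kyc_name)[2] >= threshold


if __name__ == "__main__":
    for submitted in ["TESTOV, Aleksandr", "Aleksander Testov", "Maria Oliveira"]:
        print(submitted, best_match(submitted), needs_review(submitted))
```

An exact-match filter would pass "Aleksander Testov" and "TESTOV, Aleksandr"; both escalate here, while an unrelated name does not.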
Common Compliance Failures
The enforcement record reveals recurring failure patterns:
- Incomplete geolocation controls: Relying solely on IP blocking without document-based verification
- Single-chain screening: Screening only Bitcoin addresses when the business supports multiple chains
- Delayed SDN updates: Running screening against stale sanctions data
- No blocked property procedure: Identifying sanctions matches but lacking a process to freeze and report
- Insufficient record keeping: Failing to maintain transaction logs for the required retention period
OFAC (Office of Foreign Assets Control) administers US economic sanctions programs. For crypto, OFAC maintains a list of sanctioned wallet addresses on the SDN List and requires all US persons and entities to screen transactions against this list. Violations can result in civil penalties of up to $356,579 per transaction or criminal prosecution.
OFAC has signaled that DeFi front-end operators may carry compliance obligations. The Tornado Cash sanctions (2022) targeted both the smart contract addresses and individuals associated with the protocol. While the legal boundaries remain under litigation, operating a user-facing interface that facilitates sanctioned transactions creates enforcement risk.
You must immediately block the virtual currency (freeze it in place) and report to OFAC within 10 business days. Annual reports are required as long as the property remains blocked. Voluntary self-disclosure of violations is a significant mitigating factor in OFAC’s penalty calculations. Failing to report blocked property is itself a violation.
The GENIUS Act (July 2025) brought payment stablecoins under the Bank Secrecy Act, requiring stablecoin issuers to maintain full AML and sanctions compliance programs. This means mandatory customer due diligence, transaction monitoring, suspicious activity reporting, and OFAC screening for all permitted stablecoin issuers.
As of April 2026, comprehensively sanctioned jurisdictions include North Korea, Iran, Syria, Cuba, and the Crimea, Donetsk, and Luhansk regions of Ukraine. US persons are broadly prohibited from engaging in transactions involving these jurisdictions. Additional targeted sanctions apply to specific entities and individuals worldwide, listed on the SDN List.
The Compliance Bar Is Rising
Crypto sanctions compliance has shifted from a best practice to a legal requirement. OFAC’s enforcement trajectory leaves no ambiguity: penalties are growing, scope is expanding, and the GENIUS Act has brought an entirely new category of crypto businesses (stablecoin issuers) under formal BSA obligations.
For exchanges and custodians already operating compliance programs, the priority is keeping pace with SDN List updates, expanding multi-chain screening capabilities, and preparing for the downstream effects of the GENIUS Act’s broader regulatory scope.
The pattern we’ve tracked across our regulatory coverage holds here: aggressive enforcement ultimately drives institutional maturation. The crypto businesses that invested in compliance infrastructure early are now positioned as the trusted counterparties that institutions require. Those who have delayed face an increasingly narrow window to catch up.