In 2024, sanctions shifted in both scope and strategy, reflecting a broader evolution in illicit on-chain activity in response to increasing geopolitical tension. As sanctioned entities turn to alternative financial channels like cryptocurrency, the United States (U.S.) Treasury’s Office of Foreign Assets Control (OFAC) has intensified efforts to dismantle the financial infrastructure sustaining sanctioned states, moving beyond traditional banking. The U.S. and its allies continued to take aim at Russia’s wartime economy, while actions against Iran’s Islamic Revolutionary Guard Corps (IRGC) escalated, affirming a deeper commitment to curbing state-backed financing.
Sanctioned jurisdictions and entities received $15.8 billion in cryptocurrency in 2024, accounting for about 39% of all illicit crypto transactions. In total, OFAC issued 13 designations that included cryptocurrency addresses — slightly fewer than in 2023 — but still the second-highest amount in the last seven years.
In a departure from prior years, sanctioned jurisdictions accounted for a record share of total sanctions-related activity compared to individual entities, commanding nearly 60% of value by the end of 2024, as we see below.
This shift was largely driven by Iran’s growing use of cryptocurrency. As we’ll explore further down, Iranian centralized exchanges (CEXs) saw a surge in both usage and outflows, with transaction patterns suggesting capital flight. This reflects a broader trend among residents of sanctioned jurisdictions, who turn to cryptocurrency as an alternative system in restrictive economic environments.
Sanctions in 2024 take aim at core financial networks
In 2024, OFAC’s crypto-related sanctions moved beyond mostly targeting individuals and small groups, taking direct aim at the financial infrastructure supporting illicit activity. While fewer new sanctions involving crypto were issued, the financial footprint of targeted entities remained substantial.
In the chart below, we can see how the composition of OFAC’s crypto-related sanctions has evolved over time, mapped by Executive Order (EO) and sanctions program.
This focus was most evident in the increased use of EO 14024, with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation, which became the dominant program for crypto-linked sanctions as the U.S. and its allies escalated efforts to weaken Russia’s financial infrastructure. Sanctions efforts primarily focused on networks facilitating sanctions evasion, cybercrime, and military procurement.
Major actions targeting Russian crypto activity
In 2024, Western agencies launched a series of major crackdowns on Russian-linked crypto entities that played key roles supporting Russia’s war economy, illicit cyber activities, and organized crime networks.
August 23, 2024
OFAC sanctioned KB Vostok OOO, a Russian UAV developer supplying drones to Russian forces in Ukraine, as part of a broader action targeting nearly 400 entities supporting Russia’s military supply chain. Like OKO Design Bureau, another UAV developer sanctioned earlier in the year with a smaller on-chain footprint, KB Vostok solicited cryptocurrency donations and likely facilitated UAV sales using crypto.
Our on-chain analysis revealed that a single counterparty of KB Vostok accounted for 16 of 24 transactions with KB Vostok’s sanctioned address, with transfer amounts closely matching the price of its Scalpel UAVs. This counterparty has processed nearly $40 million in transfers and used multiple deposit addresses at the sanctioned Russian exchange Garantex, which has handled over $100 million in cryptocurrency, suggesting potential involvement of Russia’s military procurement network.
September 19, 2024
The German Federal Criminal Police (BKA) seized the infrastructure of 47 Russian-language no-KYC crypto exchanges in “Operation Final Exchange.” These platforms, which lacked Know Your Customer (KYC) protocols, were exploited for ransomware payments, darknet transactions, and sanctions evasion.
Our analysis of the targeted platforms revealed extensive illicit activity. Many received significant inflows from darknet markets, stolen funds, and sanctioned entities, demonstrating their deep integration into the cybercrime ecosystem. These services also enabled Russian nationals to evade sanctions, offering on- and off-ramps to and from sanctioned Russian banks. Despite using servers based in Germany, the exchanges primarily catered to Russian users, with default language settings in Russian and fiat transaction options tied to sanctioned banks like Sberbank.
September 26, 2024
OFAC sanctioned Russia-based crypto exchange Cryptex and its operator, Sergey Sergeevich Ivanov, for laundering funds linked to fraud shops, ransomware, and darknet markets. Cryptex processed over $5.88 billion in transactions since 2018, serving as a financial intermediary for illicit actors. Concurrently, FinCEN labeled the no-KYC exchange PM2BTC, which processed over $1 billion, as a primary money laundering concern under the Combating Russian Money Laundering Act. These sanctions were part of Operation Endgame, a broader, coordinated effort between U.S. and European authorities to dismantle financial enablers of cybercrime. Dutch and U.S. law enforcement seized related domains and infrastructure, while the U.S. State Department issued a $10 million reward for information leading to Ivanov’s arrest. Additionally, Dutch law enforcement, with support from Chainalysis and Tether, seized €7 million worth of funds.
Cryptex, PM2BTC, and UAPS — a payment processor operated by Ivanov that catered primarily to fraud shops — handled billions in transactions for cybercriminals, including ransomware groups and fraud shops. Our on-chain analysis shows that in 2024 alone, UAPS funneled over $97 million to Cryptex, demonstrating its deep financial ties.
December 4, 2024
The UK’s National Crime Agency (NCA) dismantled a multi-billion dollar Russian-speaking money laundering network in Operation Destabilise, an action that led to 84 arrests and the seizure of over €20 million in cash and cryptocurrency. The networks, Smart and TGR, laundered funds for Russian elites, cybercriminals, and organized crime syndicates.
The operation was an internationally coordinated effort, involving agencies from the UK, EU, and U.S., including OFAC, the DEA, and the FBI. As part of the crackdown, OFAC sanctioned four entities and five individuals tied to TGR, including TGR founder George Rossi and his associates, who facilitated illicit transactions through corporate structures in the UK, UAE, Thailand, and the U.S. OFAC also identified cryptocurrency wallets linked to TGR members, including one belonging to the sanctioned individual Khadzhi Murat Dalgatovich Magomedov that processed over $200 million in illicit funds.
Smart and TGR operated across 30 countries, moving illicit funds through cash-to-crypto swaps and facilitating ransomware payments, sanctions evasion, and drug trafficking. Notably, Smart directly funded Russian espionage operations and laundered funds for the Ryuk ransomware group, according to the NCA.
Russian-language no-KYC exchanges continue to operate
Despite enforcement actions disrupting major players, new no-KYC exchanges continue to emerge, often as rebrands of previously dismantled services.
While the number of active no-KYC exchanges has increased, as smaller start-up exchanges and rebrands fill in the gaps left by takedowns, overall inflows have declined, reflecting the disruptive impact of U.S. and international sanctions measures.
It’s important to note that while these platforms operate in Russian language and service sanctioned Russian banks, they often lack incorporation or registration details, making it difficult to determine their actual jurisdiction.
As enforcement agencies gain more insight into these networks, further disruptions are likely to curb the financial flows sustaining cybercrime, drug trafficking, and sanctioned state operations. Industry-wide controls and tools like Chainalysis can enable ecosystem participants to monitor their exposure in real-time, helping to prevent illicit funds from infiltrating legitimate financial systems.
Sanctioned jurisdictions set sights on alternative payment rails, including cryptocurrency
As Western restrictions tighten, sanctioned nations are turning to cryptocurrencies and alternative financial systems to sustain trade and access capital. Russia and Iran in particular have deepened financial ties with BRICS nations — Brazil, Russia, India, China, and South Africa — to develop payment mechanisms outside the U.S. dollar (USD) and traditional banking networks. BRICS members have explored the possibility of a shared digital currency, while Russia has pushed for trade settlements with China and India using stablecoins and central bank digital currencies (CBDCs) instead of the USD.
Amid mounting financial pressure from Western sanctions, Russia enacted legislation this past fall legalizing cryptocurrency mining and allowing crypto for international payments — a stark shift from its previous stance of an outright ban on cryptocurrency. The strategic policy shift aims to ease the financial pressure of Western sanctions and enable global trade using cryptocurrencies.
Despite maintaining a ban on domestic crypto payments, Russia remains one of the top-ranking countries on our Global Crypto Adoption Index. Even before the legislation, banks like Rosbank had begun experimenting with crypto-based cross-border transactions. Now the Central Bank of Russia is driving efforts to integrate cryptocurrency into the country’s financial system under regulatory oversight.
Weighing legitimate crypto activity in sanctioned jurisdictions
While cryptocurrency use in sanctioned jurisdictions may be associated with illicit state-controlled finance, it also represents an important financial lifeline for ordinary citizens facing economic hardship under restrictive regimes. Many individuals and businesses in these regions turn to cryptocurrency to preserve wealth, move funds across borders, and circumvent government-imposed financial controls — an adaptation we have identified in Iran, which we’ll explore in detail below.
From a regulatory standpoint, the distinction between state-directed sanctions evasion and individual use has little impact, as broad sanctions prohibit nearly all financial interactions between U.S. persons and entities in sanctioned jurisdictions, regardless of intent. However, when considering the broader impact of cryptocurrency in these economies, it is important to recognize that individuals and businesses often turn to crypto without illicit intent, demonstrating the tension between financial enforcement and humanitarian considerations.
Additionally, decentralized platforms remain operational despite sanctions, complicating enforcement efforts. Unlike traditional financial institutions, these networks cannot be easily seized or shut down — requiring a wider ecosystem-level approach to compliance. As enforcement continues, addressing sanctions risks holistically — through cooperation between governments, compliance tools like Chainalysis, and Virtual Asset Service Providers — will be critical to managing illicit finance risk while preserving legitimate access to crypto.
Tornado Cash endures in the wake of sanctions and legal action
As we’ve called out before, crypto mixer Tornado Cash is a prime example of the challenges regulators face in enforcing sanctions against decentralized platforms. Despite OFAC sanctions, legal action, and the arrests of its developers, Tornado Cash continues to process illicit transactions.
Sanctioned by OFAC in 2022 for facilitating the laundering of over $455 million in stolen funds — primarily linked to North Korea’s Lazarus Group — the core infrastructure of the platform has proven difficult to shut down. In August 2023, U.S. prosecutors indicted Tornado Cash co-founder Roman Semenov for conspiracy to commit money laundering and sanctions violations. Meanwhile, Dutch authorities convicted fellow co-founder Alexey Pertsev in 2024, sentencing him to more than five years in prison.
Although Tornado Cash’s transaction volume initially dropped nearly 90% when its centralized web-based interface was taken offline, its decentralized smart contracts allowed it to continue operating. In 2024, inflows surged by 108% compared to the previous year, continuing the rebound trend we first identified in last year’s Crypto Crime Report.
While inflows have yet to return to pre-sanction levels, Tornado Cash still facilitates hundreds of millions of dollars in transactions each month.
Stolen funds drive Tornado Cash’s resurgence
The increase in Tornado Cash usage in 2024 was largely driven by stolen funds, which reached a three-year high, accounting for 24.4% of total inflows, as seen below.
One of the most significant incidents driving these inflows was the HECO Bridge exploit, in which hackers funneled $145 million in ETH through Tornado Cash in an effort to launder the proceeds.
Since 2019, we have linked over 25% of the funds processed through Tornado Cash to illicit activity, with the Lazarus Group among its highest value users. It is important to consider that although the platform has undeniably played a major role in laundering stolen funds, crypto mixers like Tornado Cash are not solely tools for criminal activity. For example, Ethereum co-founder Vitalik Buterin publicly stated that he used Tornado Cash to anonymize a donation to Ukraine following Russia’s full-scale invasion in 2022, showing how these services can also be used for financial privacy in legitimate contexts.
Decentralized platforms introduce unique enforcement challenges
Unlike centralized services that can be seized or shut down, Tornado Cash operates through smart contracts on a decentralized blockchain network, making enforcement far more difficult. While the transparency of blockchain enables authorities to track illicit flows, regulators have limited power to actually dismantle decentralized infrastructure. On November 26, 2024, a U.S. court ruled that OFAC had exceeded its authority in sanctioning Tornado Cash’s smart contract addresses. The decision raises broader questions about the limits of enforcement against DeFi protocols and speaks to the need for international cooperation and robust compliance at the protocol and service level. The industry has decidedly made some strides in compliance over the last few years, which we’ll explore in detail further down.
The Tornado Cash case illustrates the delicate dance between innovation, financial privacy and compliance in decentralized protocols. As DeFi expands globally, developers must navigate increasing pressure to implement safeguards that prevent illicit activity while preserving legitimate use cases for privacy. Ensuring compliance without compromising the ethos of decentralization and privacy is an overarching challenge for an industry built on decentralized technology. Proactive monitoring and risk mitigation are essential as regulatory expectations evolve. Chainalysis provides solutions to help address these challenges in real-time.
Cryptocurrency enables capital flight in Iran amidst geopolitical tensions
Since the 1979 seizure of the U.S. Embassy in Tehran, the U.S. has imposed extensive financial restrictions on Iran. Despite sanctions, access to the international financial system remains paramount for Iran due to the stability and liquidity it provides. In countries like Iran, where local currencies have been volatile and devalued, the inability to engage with global banks severely limits financial mobility — driving individuals and businesses to seek alternatives.
In 2024, Iranian services occupied a significantly larger share of sanctions-related crypto activity, fueled by rising distrust in the government and ongoing geopolitical instability.
In 2024, outflows surged to $4.18 billion — up about 70% year-over-year.
While cryptocurrency adoption in these regions is often viewed primarily through the lens of sanctions evasion, it is also a broader reflection of the fundamental need for reliable financial tools in economies cut off from the global banking system.
Government control and capital flight
Iran’s government maintains extensive control over the country’s financial system, including cryptocurrency infrastructure. This reality became especially apparent in December 2024, when authorities abruptly halted withdrawals from Iranian exchanges in response to the record decline in value for the Iranian rial (IRR). This move demonstrated the government’s ability to restrict financial outflows at will to prevent capital flight — a growing concern as inflation hovers around 40-50% and the rial continues on a downward trajectory. Since the U.S. withdrew from JCPOA in 2018 and imposed sanctions on Iranian oil, the currency has shed approximately 90% of its value, with depreciation accelerating amid escalating tension in 2023 and 2024.
For many Iranians, cryptocurrency represents an alternative financial system, and the increasing use of Iranian crypto exchanges suggests that more individuals and institutions are resorting to crypto to safeguard wealth and circumvent financial restrictions. A closer examination of these outflows suggests they are not necessarily driven by illicit finance or state-sponsored activity, but rather by Iranian citizens’ deepening distrust in the government and a pressing need to move funds out of the country.
Geopolitical flashpoints drive crypto outflows in Iran
During periods of heightened geopolitical instability involving Iran, we found that cryptocurrency outflows from Iranian exchanges spiked — particularly on the day of, or immediately following events of conflict.
Google Trends data reinforces this connection, showing global spikes in search interest for “Iran Israel” on April 14th and October 1st — dates closely aligned with conflict escalation. This pattern aligns with broader financial developments in Iran, where the rial’s parallel market rate fluctuates sharply in response to political and military developments.
Interestingly, while increased outflows were observed across all assets, including stablecoins, we noted a significantly higher volume in bitcoin. The timeline below contextualizes bitcoin outflows in relation to key geopolitical events.
Spikes in bitcoin outflows occurred around the time it became known that Iran was likely to launch missiles, as well as within a few days after the events, as we see above on April 9th and 14th, 2024 — and similarly in late September and into early October of 2024.
This suggests that heightened public concern over geopolitical strife was mirrored in financial behavior, with individuals turning to crypto as a hedge against geopolitical or economic uncertainty. The demand for crypto will likely remain high as sanctions pressure intensifies and Iran’s economic uncertainty persists.
Bitcoin’s role in uncertain times
While these trends are pronounced in Iran, we have also observed similar patterns globally during times of war, economic turmoil, or government crackdowns. Bitcoin’s censorship-resistant, self-custodial nature makes it an appealing option during crises. Unlike traditional assets, bitcoin can be transferred across borders, held on-chain as a hedge against instability, and require only the storage of a seed phrase — offering financial flexibility in situations where individuals may need to flee. This makes it uniquely suited for those in jurisdictions facing geopolitical volatility and financial restrictions.
Looking ahead: Holistic compliance at the ecosystem level
Although many Iranians have relied on cryptocurrency for capital flight, compliance programs across the global crypto ecosystem are closing off these avenues. As compliance takes center stage, exchange exposure to Iranian services continues to decline each year, dropping by about 23% between 2022 and 2024.
A closer look at transfer sizes between Iranian platforms and other exchanges reveals that the number of exchanges interacting with Iranian exchanges has declined across almost all transaction brackets between 2023 and 2024.
The largest drop occurred in the <$1000 bracket, which saw a 33.33% decline from 2023. The >=$1 million bracket also saw a sizable reduction by 22.73%.
The measurable decline in exchange interactions with Iranian services speaks to the tangible impact of compliance measures in limiting exposure to sanctioned jurisdictions. Exchanges have a growing responsibility to mitigate financial activity associated with sanctioned regions.
Global policy pressure on Iran raises financial risks
Iran’s actions have heightened the stakes of doing business with its financial ecosystem, both on- and off-chain. Over the past 12-18 months, Iran has deepened its economic and military ties with Russia — which presently has the most targeted sanctions in the world — raising additional red flags for global regulators. As one of just three countries on the FATF blacklist (alongside North Korea and Myanmar), Iran continues to face scrutiny for its weak anti-money laundering (AML) and countering the financing of terrorism (CFT) controls. Additionally, Iran continues to provide material support to groups such as Hezbollah and Hamas, further amplifying regulatory and national security concerns.
In February 2025, the new U.S. administration introduced the National Security Presidential Memorandum (NSPM-2), reinstating the “maximum pressure” campaign on Iran. The directive mandates a more aggressive enforcement posture, outlining specific measures for the U.S. Department of Justice (DOJ), including:
- Investigating and prosecuting Iranian-linked financial and logistical networks, as well as operatives or front groups within the United States that are sponsored by Iran or Iranian proxies.
- Impounding illicit Iranian oil cargoes.
- Identifying Iranian governmental assets for seizure in the U.S. and abroad.
- Indicting and prosecuting leaders of Iranian funded terrorist groups.
- Leveraging criminal, regulatory, cyber tools and authorities to disrupt Iran’s espionage, sanctions evasion, and malign financial activities.
With the sustained intensity of targeted and sectoral sanctions, along with the crackdown on Iranian oil and shipping, the situation remains acute and is likely to further drive demand for cryptocurrency and other financial workarounds. As sanctioned actors adapt to a crypto-activated world, enforcement will increasingly rely on blockchain intelligence to track illicit financial flows, identify sanctioned entities, and mitigate exposure to restricted jurisdictions like Iran.
Blockchain analysis ensures a compliance-forward future
Decentralized technologies introduce complex enforcement challenges, making compliance at both the protocol and service level essential. Chainalysis supports exchanges, DeFi platforms, regulators, and enforcement agencies by providing real-time transaction monitoring, wallet screening, and risk-based controls to help detect and prevent exposure to sanctioned entities. As regulatory expectations increase, proactive compliance measures will be critical to maintain financial integrity while also preserving legitimate access.
By leveraging on-chain analytics, crypto service providers can assess counterparty risk and intercept illicit transactions before they access the broader financial system. Improved compliance programs supported by blockchain analysis have contributed to a measurable decline in exchange interactions with sanctioned entities, demonstrating the effectiveness of data-driven de-risking strategies.
As sanctioned nations explore alternative financial channels, close collaboration between ecosystem participants as well as private and public sector partners is essential. A risk-based approach that differentiates between state-directed sanctions evasion and individual financial lifelines will be critical in shaping fair and effective regulatory frameworks. A combination of regulatory oversight, industry-wide cooperation, and advanced blockchain analytics tools can ensure that cryptocurrency remains a viable and legitimate financial system while eliminating channels for illicit actors and states.
Crypto-linked entities sanctioned in 2024
The table below includes various sanctions events and coordinated law enforcement takedowns with a cryptocurrency nexus that occurred throughout 2024.
| Name | Reason for Sanction | Date Sanctioned | Designation Type |
| Artur Sungatov and Ivan Kondratyev | Two Russian nationals accused of acting affiliates for LockBit RaaS | February 20, 2024 | Ransomware |
| Ilya Andreevich Gambashidze and Nikolai Aleksandrovich Tupikin | Facilitating disinformation campaigns on behalf of the Russian government, using cryptocurrency for funding | March 20, 2024 | Disinformation and financial facilitation |
| Netex24 and Bitpapa | Assisting in building or operating blockchain-based services to facilitate potential sanctions evasion for Russian nationals | March 25, 2024 | Sanctions evasion through cryptocurrency |
| Tawfiq Muhammad Said Al-Law | Syria-based hawala operator who was previously identified by NBCTF as having worked with Hezbollah operatives on cryptocurrency funding infrastructure | March 26, 2024 | Terrorism financing |
| Gaza Now and several associated individuals | Social media news outlet and associates for their role in raising money for Hamas following the October 7 attacks against Israel | March 27, 2024 | Terrorism financing |
| OKO Design Bureau and approximately 300 individuals and entities involved in Russia’s war machine | Facilitating Russian weapons production and sanctions evasion, with one entity known to have accepted cryptocurrency | May 1, 2024 | Weapons procurement and sanctions evasion |
| Dmitry Yuryevich Khoroshev | Leader of the LockBit RaaS group, for developing and distributing ransomware | May 7, 2024 | Ransomware |
| Yunhe Wang and multiple individuals connected to 911 S5 botnet | For alleged control of a botnet of infected computers associated with the residential proxy service | May 29, 2024 | Cybercrime and botnet operations |
| Individuals linked to Nordic Resistance Movement | Involvement in violent extremism and terrorism, funded through cryptocurrency donations | June 14, 2024 | Terorrism financing and extremism |
| KB Vostok OOO | A Russian unmanned aerial vehicle (UAV) developer known for designing UAVs used by Russian forces in Ukraine | August 21, 2024 | Arms development |
| Sergey Sergeevich Ivanov and Cryptex | Laundering hundreds of millions in cryptocurrency for cybercriminals and darknet vendors | September 26, 2024 | Money laundering and cybercrime |
| Members of Evil Corp | Developing and distributing Dridex malware, leading to significant financial losses globally | October 1, 2024 | Cybercrime and fraud |
| Smart and TGR Networks | Operating extensive Russian money laundering networks with links to drugs, ransomware, and espionage, resulting in 84 arrests | December 4, 2024 | Money laundering and organized crime |
| Sa’id al-Jamal | Iran-based Houthi financier involved in arms trafficking, money laundering, and illicit shipping of Iranian oil, using cryptocurrency | December 19, 2024 | Terrorism financing and arms trafficking |
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with the use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.