OFAC and Crypto Crime: Every OFAC Specially Designated National with Identified Cryptocurrency Addresses

As far back as the early 1800s, the U.S. Department of the Treasury has issued economic sanctions to achieve foreign policy and national security objectives. Today, the Treasury’s Office of Foreign Assets Control (OFAC) sanctions countries, individuals, companies, and groups — like international drug traffickers or terrorists — that pose specific threats to U.S. interests.

Over the years, bad actors have tried a variety of tactics to evade OFAC’s sanctions. More recently, some have pivoted towards crypto, presuming that crypto transactions are anonymous or untraceable. Adapting to this tactic, OFAC began including cryptocurrency addresses as identifiers in sanctions designations. The first such instance occurred on November 28, 2018, when OFAC designated two Iran-based individuals tied to the SamSam ransomware scheme, which demanded ransom payments in Bitcoin. Since that first designation, OFAC has included many wallet addresses and even entire crypto services in its designations. In this article, we’ll discuss:

OFAC’s guidance on crypto-related sanctions compliance

In March of 2018, OFAC began answering questions about virtual currency on its website. The OFAC Frequently Asked Questions (FAQs) also define what the terms “digital currency,” “digital currency wallet,” “digital currency address,” and “virtual currency” mean as they apply to OFAC’s sanctions programs. In October of 2021, OFAC went a step further, publishing Sanctions Compliance Guidance for the Virtual Currency Industry, a guide outlining how both companies and crypto users can mitigate the risk of facilitating crypto crime.


OFAC’s crypto-related sanctions to date

2024

  • May 29 | “911 S5” botnet administrators: OFAC sanctioned multiple individuals and entities for their involvement with the residential proxy service known as “911 S5,” a botnet that distributed deceptive free VPN services to victims and hijacked their IP addresses through a backdoor. Cybercriminals frequently paid in cryptocurrencies like Bitcoin to use these IP addresses in order to carry out various forms of cybercrime. The DOJ also announced the arrest of Chinese national, Yunhe Wang, who allegedly controlled the botnet. Crypto addresses associated with Wang hold over $130 million in cryptocurrency, and OFAC included 49 crypto addresses as identifiers in its designation.
  • May 7 | Leader of cybercrime group LockBit: In collaboration with the United Kingdom’s National Crime Agency (NCA), the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Australian Federal Police, OFAC sanctioned Russian national Dmitry Yuryevich Khoroshev for developing and distributing ransomware through his Ransomware-as-a-Service (RaaS), LockBit, and included a single address associated with Khoroshev in the designation.
  • May 1 | Individuals and entities involved in Russia’s war machine: OFAC sanctioned roughly 300 individuals and entities for facilitating Russian weapons production and for sanctions evasion. The list included OKO Design Bureau, an organization that developed unmanned aerial vehicles (UAVs) and operated a Telegram channel where it solicited donations in crypto. The designation included three crypto addresses tied to OKO Design Bureau.
  • March 27 | Gaza Now and individuals and entities fundraising for Hamas: OFAC, in cooperation with the UK’s Office of Foreign Sanctions Implementation (OFSI), sanctioned two individuals and three entities for their role in fundraising for Hamas after the October 7 attacks on Israel. Among the sanctioned entities was Gaza Now, a Gaza-based social media news outlet that has posted pro-Hamas content, solicited donations for Hamas, and accepted funds in cryptocurrency. OFAC and OFSI included in their designations several cryptocurrency addresses controlled by the media outlet, which have been used in crypto donation campaigns. In total, those addresses have received nearly $4.5 million in crypto.
  • March 26 | Syria-based hawala operator: OFAC sanctioned Syria-based hawala operator Tawfiq Muhammad Said Al-Law, who Israel’s National Bureau for Counter Terror Financing (NBCTF) previously identified as having worked with Hezbollah operatives on crypto funding infrastructure. OFAC included a crypto address controlled by Al-Law as an identifier in the designation.
  • March 25 | Russia-based blockchain companies facilitating sanctions evasion: OFAC sanctioned twelve entities — including Netex24 and Bitpapa — and two individuals for helping to build or operate blockchain-based services to facilitate sanctions evasion on behalf of Russian nationals. While OFAC didn’t include any crypto addresses in the designation, Chainalysis identified two addresses associated with Netex24 and Bitpapa.
  • March 20 | Russian nationals facilitating disinformation for Russian government: OFAC sanctioned Russian nationals Ilya Andreevich Gambashidze and Nikolai Aleksandrovich Tupikin and their companies for assisting the Russian government in foreign malign campaigns, which involved deceiving voters worldwide to undermine trust in their governments. OFAC included two USDT addresses in the designation, and Tether has since frozen Gambashidze’s wallets.
  • Feb. 20 | LockBit ransomware group affiliates: OFAC sanctioned two Russian nationals — Artur Sungatov and Ivan Kondratyev — who were affiliated with the Ransomware-as-a-Service (RaaS) group LockBit, and included ten crypto addresses as SDN List identifiers in the designation. On the same day, the U.K. National Crime Agency (NCA) and U.S. Department of Justice (DOJ) announced they had disrupted LockBit, and the DOJ charged Sungatov and Kondratyev with using the ransomware strain in attacks.

2023

  • Nov. 30 | North Korea hacking group Kimsuky: OFAC and Japan’s Ministry of Foreign Affairs joined South Korea’s Ministry of Foreign Affairs in sanctioning Kimsuky for its cyber espionage activity and support of North Korea’s nuclear weapons program. While South Korea’s June sanctions designation included crypto addresses, OFAC’s SDN list entry for Kimsuky did not, but did include identifying websites and email addresses.
  • Nov. 29 | Crypto mixer Sinbad.io used in North Korean laundering activities: OFAC sanctioned cryptocurrency mixer Sinbad for its use by Lazarus Group to launder millions of dollars in stolen crypto. In a multi-agency effort that included the FBI and the Netherlands’ Fiscal Information and Investigation Service (FIOD), authorities also seized Sinbad.io and took it offline. The designation included two bitcoin addresses linked to Sinbad.
  • Nov. 3 | Russian national who used crypto to launder money on behalf of Russian elites: OFAC sanctioned Russian national Ekaterina Zhdanova for cryptocurrency-based money laundering on behalf of Russian elites and ransomware groups. The designation included three bitcoin addresses Zhdanova used to facilitate these illicit activities.
  • Oct. 18 | Gaza-based MSB Buy Cash: Following the terrorist attack on Israel, OFAC sanctioned Hamas operatives and financial facilitators including Buy Cash Money and Money Transfer Company, a Gaza-based money services business that’s been used to transfer funds to Hamas affiliates and other terrorist groups.
  • Oct. 3 | China-based network of illicit drug producers: OFAC sanctioned several individuals and companies in a China-based network for their role in manufacturing and distributing fentanyl and other drugs, and included 17 cryptocurrency addresses as identifiers in the SDN List entries for five individuals and one entity.
  • Sept. 26 | Individuals drug trafficking for the Sinaloa cartel: In coordination with the U.S. Drug Enforcement Administration (DEA), Mexico’s Financial Intelligence Unit, and the Colombia Counternarcotics Working Group, OFAC sanctioned 10 individuals affiliated with Mexico’s Sinaloa cartel for trafficking illegal fentanyl, cocaine, and methamphetamine into the United States. The designation included an Ethereum address as an identifier on one individual’s SDN List entry.
  • Sept. 7 | Individuals affiliated with Russian-based ransomware group Trickbot: In a joint action, the U.K. HM Treasury Office of Financial Sanctions Implementation (OFSI) and OFAC sanctioned eleven individuals associated with Trickbot, including well-known actors Maksim Galochkin and Mikhail Tsarev. Earlier this year, the U.K. and U.S. jointly sanctioned seven other members of the Trickbot group.
  • Aug. 23 | Co-founder of previously sanctioned Ethereum mixer Tornado Cash: Two days after a federal judge upheld OFAC’s Tornado Cash designation from last year, OFAC sanctioned Roman Semenov for his role in supporting Lazarus Group and included eight cryptocurrency addresses as identifiers on his SDN list entry. The U.S. Department of Justice (DOJ) also charged him and fellow co-founder Roman Storm for conspiracy to commit money laundering, operate an unlicensed money transmitting business, and commit sanctions violations.
  • July 31 | ISIS and Al-Qaeda Operatives in Maldives: OFAC sanctioned several individuals and entities involved in the Maldives operations of terrorist groups Al-Qaeda, ISIS, and ISIS-Khorasan (ISIS-K). The notice included a crypto address as an SDN identifier for Ali Shafiu, one of the sanctioned individuals.
  • May 23 | North Korean hackers and IT worker crypto payment schemes: OFAC and South Korea’s Ministry of Foreign Affairs (MOFA) sanctioned entities and individuals associated with illicit North Korean revenue generation schemes. One individual — Kim Sang Man — helped North Korean IT professionals find contract work overseas, and some of their proceeds were sent to North Korea in support of its weapons development programs. OFAC included six crypto addresses associated with Kim Sang Man in the designation. 
  • May 19 | Dubai-based financial services firm and CEO involved in Russian sanctions evasion: OFAC sanctioned 22 individuals and 104 entities operating in 20 countries for their role in facilitating Russian sanctions evasion. This designation included a crypto address as an SDN identifier for John Desmond Hanafin, CEO of Dubai-based Huriya Private.
  • May 16 | Russia-based ransomware developer: OFAC sanctioned Mikhail Matveev for launching cyberattacks on U.S. law enforcement, businesses, and critical infrastructure. While no crypto addresses were included in the designation of Matveev, Chainalysis has identified multiple addresses belonging to this actor.
  • April 24 | Individuals facilitating money laundering, supporting DPRK weapons programs: OFAC sanctioned three China-based individuals for facilitating the Democratic People’s Republic of Korea (DPRK) cryptocurrency money laundering activities used to fund weapons of mass destruction and missile programs. OFAC included crypto addresses for two of the three individuals in the designation — 17 for Wu Huihui and three for Sim Hyon Sop.
  • April 14 | Chinese chemical businesses and Latin American drug cartel associates involved in fentanyl manufacture and trafficking: Chinese companies produced fentanyl precursor chemicals, which Latin America-based brokers purchased using Bitcoin and sold to drug cartels. This OFAC designation included several entities and individuals, and a Bitcoin address controlled by Wang Hongfei, who used it to accept payment for fentanyl precursors.
  • April 5 | Fraud shop Genesis Market: OFAC sanctioned Genesis Market following Operation Cookie Monster, a coordinated international law enforcement effort in which authorities shut down the popular fraud shop and arrested hundreds of its users worldwide the previous day. Genesis Market’s online marketplace allowed the sale of stolen PII and received tens of millions of dollars worth of crypto during its lifetime. While no crypto addresses were included in the designation of Genesis Market, Chainalysis has identified multiple addresses belonging to this entity.
  • Feb. 9 | Russia-based Trickbot cybercrime gang members: OFAC and the UK’s Office of Financial Sanctions Implementation (OFSI) jointly sanctioned seven members of the cybercrime gang Trickbot, who deploy a type of malware with the same name that is used in cyber attacks on businesses and individuals worldwide. While no crypto addresses were included in the designation, Chainalysis has identified multiple addresses belonging to these actors.
  • Feb. 1 | Supporters of Russia’s military-industrial complex: OFAC designated a network for Russian sanctions evasion led by Igor Vladimirovich Zimenkov, a Russia- and Cyprus-based arms dealer. The Zimenkov network enabled Russian defense sales to third-country governments. The notice included an entry for Jonatan Zimenkov, Igor’s son, and two cryptocurrency addresses Jonatan used to facilitate sales.


2022

  • Nov. 9 | Internet-based suppliers of illicit fentanyl and other synthetic drugs: OFAC sanctioned three individuals and nine entities associated with darknet marketplaces and research chemicals sites for supplying illicit synthetic substances to U.S. markets through internet sales and a host of shell companies. OFAC included 66 crypto addresses as identifiers for Matthew Simon Grimm and Alex Adrianus Martinus Peijnenburg in the designation.
  • Nov. 8 | Tornado Cash redesignated with ties to DPRK: OFAC delisted and relisted crypto mixer Tornado Cash, replacing the previous action on August 8, 2022. The redesignation included an additional Executive Order, stating Tornado Cash not only facilitated money laundering for the Lazarus Group, but also had a role in enabling malicious cyber activities that supported DPRK’s weapons of mass destruction program. OFAC added 90 crypto addresses as identifiers for Tornado Cash in the redesignation.
  • Sept. 15 | Individuals and entities facilitating Russia’s war in Ukraine: OFAC designated individuals and entities, including Task Force Rusich, for furthering the Government of the Russian Federation’s (GoR) objectives in Ukraine, before and during Russia’s 2022 invasion of Ukraine. Task Force Rusich is a neo-Nazi paramilitary group that participated in the war in Ukraine alongside Russia’s military. OFAC included five cryptocurrency addresses controlled by Task Force Rusich in the designation.
  • Sept. 14 | Iranian nationals involved in cyber attacks including ransomware: On September 14, OFAC sanctioned ten Iranian nationals and two businesses associated with designated terrorist organization Iran’s Islamic Revolutionary Guard Corps (IRGC). Two of the individuals — Ahmad Khatibi Aghada and Amir Hossein Nikaeen Ravari — had six cryptocurrency addresses included as identifiers in their designation. 
  • Aug. 8 | Ethereum mixer Tornado Cash: OFAC sanctioned the popular mixer Tornado Cash, adding it to the SDN List with 38 unique cryptocurrency addresses included as identifiers. Tornado Cash facilitated laundering over $455 million worth of cryptocurrency stolen from Axie Infinity’s Ronin Bridge protocol by the North Korea-affiliated hacking organization, Lazarus Group.
  • May 6 | Crypto mixer Blender.io: OFAC sanctioned the first-ever cryptocurrency mixer — Blender.io — which DPRK used to support its malicious cyber activities and money-laundering of stolen cryptocurrency. Blender was used to process over $20.5 million in illicit proceeds from the March 23, 2022 Axie Infinity hack by Lazarus Group. OFAC added 46 cryptocurrency addresses controlled by Blender and four crypto addresses associated with Lazarus Group to its SDN List.
  • April 22 | More Lazarus Group addresses from Ronin Bridge hack: OFAC updated its SDN entry for Lazarus Group to add five new crypto addresses as identifiers.
  • April 20 | Entities and individuals facilitating Russian sanctions evasion: OFAC designated more than 40 individuals and entities for attempting to evade sanctions the United States and international partners imposed on Russia. Among the entities, Bitriver, a cryptocurrency mining company, was designated for helping Russia monetize its natural resources. While no crypto addresses were included in this designation, Chainalysis has identified multiple addresses belonging to this entity.
  • April 14 | Lazarus Group tied to Ronin Bridge hack: OFAC added a new ETH address to Lazarus Group’s SDN entry, an address that was involved in the Ronin hack and received 173,600 ETH and 25.5 million during the attack.
  • April 5 | Darknet market Hydra and Russian exchange Garantex: OFAC sanctioned Russia-based Hydra Market — the world’s largest darknet market by revenue at that time — along with Russian cryptocurrency exchange Garantex. The designation added 117 of Hydra’s cryptocurrency addresses and three Garantex crypto addresses to the SDN List, and followed a joint operation in which several U.S. law enforcement agencies and Germany’s federal police shut down Hydra.

2021

2020

2019

  • Sept. 13 | Lazarus Group and other hacking entities: OFAC sanctioned Lazarus Group, along with two other state-sponsored North Korean entities, for malicious cyber activity on critical infrastructure. Cyber attacks by the three hacking groups supported illicit weapon and missile programs. While no crypto addresses were included in the designation of Lazarus Group, Chainalysis identified addresses belonging to this entity.
  • Aug. 21 | Chinese nationals fueling the opioid crisis: Pursuant to the Foreign Narcotics Kingpin Designation Act (Kingpin Act), OFAC designated Fujing Zheng, Guanghua Zheng, and Xiaobing Yan, along with several entities, for their role in an international narcotics trafficking operation that manufactured and sold lethal drugs. OFAC included 12 cryptocurrency addresses for the individuals on the notice.

2018

Sanctions screening challenges for crypto businesses

A Thomson Reuters survey found sanctions screening to be a top challenge for financial services organizations. Here’s why: sanctions lists are updated frequently, customers’ KYC information can change over time, list designees resort to sophisticated tactics to fly under the radar, and some sanctions are complex in scope, making them difficult to follow. The burden of mining historical transactions to find connections to previously sanctioned addresses is also considerable. Yet, failure to maintain sanctions compliance could result in significant fines and criminal penalties.

That’s why organizations need risk management solutions. Where centralized crypto exchanges can prevent bad actors from signing up for their services, decentralized protocols need different ways to help them manage risk without hindering growth. Chainalysis offers a free on-chain oracle and API to help DeFi protocols automatically detect crypto wallets associated with sanctioned individuals or entities. These free offerings leverage addresses listed on the OFAC SDN list only and do not include additional Chainalysis data, or any future intelligence we may collect on these entities. For those seeking more support, our wallet screening capabilities combine industry-leading blockchain intelligence and customizable risk rules to help them identify and prevent illicit services from interacting with their platforms, with specific solutions to help DeFi groups build risk programs and shield themselves from bad actors so they can safely grow their projects. Learn more about the challenges and opportunities related to crypto sanctions and how Chainalysis can help.