OFAC Sanctions and Cryptocurrency

The Office of Foreign Assets Control (OFAC) is one of the most powerful financial enforcement agencies in the world, and its authority now extends deeply into cryptocurrency markets. For anyone operating in crypto — whether exchanges, DeFi protocol developers, payment processors, or individual holders — understanding how OFAC sanctions apply to digital assets is not optional. Violations carry severe civil and criminal penalties, even when unintentional.

What Is OFAC?

OFAC is a division of the US Department of the Treasury responsible for administering and enforcing economic and trade sanctions based on US foreign policy and national security objectives. The agency maintains several sanctions lists, the most significant being the Specially Designated Nationals and Blocked Persons List (SDN List).

The SDN List identifies individuals, entities, and organizations that US persons are prohibited from transacting with. When a person or entity is designated, all of their property and interests in property within US jurisdiction are blocked (frozen), and US persons are generally prohibited from dealing with them. Penalties are severe: civil fines can reach millions of dollars per violation, and criminal convictions carry up to 20 years in prison.

OFAC's jurisdiction is broad. It covers all US persons — citizens, permanent residents, and entities organized under US law — as well as any transaction that touches the US financial system. Because the US dollar underpins much of global finance, and because major stablecoins like USDT and USDC are issued by US-connected entities, OFAC's reach into cryptocurrency is substantial.

The SDN List and Cryptocurrency Addresses

In November 2018, OFAC made regulatory history by adding cryptocurrency addresses to the SDN List for the first time. Two Bitcoin addresses associated with Iranian nationals were designated, marking the beginning of direct enforcement against blockchain-based assets. Since then, OFAC has designated hundreds of cryptocurrency addresses across multiple blockchains.

When OFAC designates a cryptocurrency address, the consequences are immediate. All US persons must block (freeze) any assets associated with that address. Exchanges must freeze linked accounts, stablecoin issuers must blacklist the address, and individuals must not send or receive cryptocurrency from it.

Designations cover a wide range of illicit activities: North Korean state-sponsored hacking groups (notably the Lazarus Group), Russian ransomware operators, Iranian sanctions evaders, and criminal organizations worldwide. OFAC regularly updates the SDN List with new cryptocurrency addresses as investigations progress.

The Tornado Cash Case

The Treasury Department's August 8, 2022 designation of Tornado Cash stands as one of the most significant and controversial OFAC actions in cryptocurrency. Tornado Cash is an Ethereum-based mixing protocol that allows users to deposit assets and withdraw them to a different address, breaking the on-chain link between sender and receiver.

OFAC added Tornado Cash smart-contract addresses to the SDN List, with Treasury stating the protocol had been used to launder more than $7 billion since 2019, including funds linked to North Korea's Lazarus Group. The industry treated this as a major escalation. Circle blacklisted USDC held in Tornado Cash-related addresses, GitHub removed the project's repositories, and many DeFi front ends blocked associated addresses.

The legal picture then shifted. In November 2024, the Fifth Circuit ruled that OFAC had exceeded its statutory authority with respect to Tornado Cash's immutable smart contracts. On March 21, 2025, Treasury removed the Tornado Cash addresses from the SDN List.

The episode remains significant despite the delisting. It demonstrated how rapidly exchanges, issuers, wallet providers, and developers respond when OFAC advances a novel sanctions theory — and it permanently changed how compliance teams assess mixer exposure and smart-contract risk.

Compliance Obligations for US Persons

OFAC sanctions apply to all US persons, not just financial institutions. Individual cryptocurrency holders have the same legal obligation to comply as exchanges and businesses. Key obligations include:

Screening transactions. OFAC does not prescribe an identical workflow for every wallet user. In practice, businesses screen counterparties and monitor exposure to designated persons. Individual users reduce risk by checking destinations against current sanctions data before large or recurring transfers.

Blocking property. If you discover that you hold cryptocurrency associated with a sanctioned person or entity, you must freeze it and notify OFAC within 10 business days. For individual wallet holders, this means you cannot move the funds. For exchanges, it means freezing the account.

Reporting. Blocked property must be reported to OFAC annually. Rejected transactions — those stopped because they involved a sanctioned party — must be reported within 10 business days.

Strict liability. OFAC enforces civil penalties on a strict liability basis. Intent is not required. Transacting with a sanctioned address can result in penalties even if you did not know the address was designated. This makes proactive screening essential, as OFAC emphasizes in its virtual currency industry guidance.

Compliance Obligations for Crypto Businesses

Cryptocurrency businesses face heightened compliance obligations. Exchanges, custodians, payment processors, and other virtual asset service providers (VASPs) must implement comprehensive sanctions compliance programs. OFAC's 2021 virtual currency guidance outlines five elements of an effective program:

Management commitment. Senior leadership must support and resource the compliance program, including appointing a dedicated compliance officer and allocating sufficient budget for screening tools and training.

Risk assessment. Businesses must evaluate their specific sanctions risk based on their customer base, geographic exposure, and the products and services they offer. A global exchange serving customers in high-risk jurisdictions faces greater risk than a domestic-only service.

Internal controls. These are the policies, procedures, and tools that operationalize compliance: automated screening of deposits and withdrawals, transaction monitoring for patterns suggestive of sanctions evasion, and procedures for escalating and investigating alerts.

Testing and auditing. Regular testing of screening systems, independent audits, and gap assessments help identify weaknesses before they lead to violations.

Training. All relevant personnel must understand their obligations and know how to identify and report potential sanctions issues. Training should be ongoing and updated as the regulatory landscape evolves.

Beyond the SDN List: Secondary Sanctions and Emerging Risks

OFAC's reach extends beyond the SDN List. Secondary sanctions can target non-US persons who facilitate significant transactions for sanctioned entities. This means even non-US exchanges can face US sanctions exposure if they process transactions for designated persons.

Emerging risks include the use of decentralized exchanges and cross-chain bridges to evade sanctions. As regulators develop greater sophistication in understanding DeFi, enforcement actions will likely expand. The Tornado Cash case — even after the Fifth Circuit ruling and the March 2025 delisting — demonstrated both OFAC's willingness to test novel enforcement theories and the limits courts may impose.

For crypto businesses operating globally, the intersection of OFAC sanctions with EU, UK, and UN sanctions regimes adds complexity. Addresses sanctioned by one jurisdiction may not be sanctioned by another, requiring businesses to maintain compliance across multiple overlapping frameworks.

Staying ahead of OFAC enforcement requires continuous monitoring — not just of the SDN List, but of the broader blockchain ecosystem. Addresses associated with sanctioned entities change constantly as funds move to new wallets. Effective compliance demands monitoring fund flows in real time and updating risk assessments as the on-chain landscape shifts.

Frequently Asked Questions

What is OFAC in cryptocurrency?
OFAC is the Office of Foreign Assets Control, a US Treasury division that enforces economic sanctions. In the crypto context, OFAC designates blockchain addresses on the SDN List, requiring US persons to block transactions with those addresses and freeze any associated assets.

Can individuals be penalized for OFAC sanctions violations in crypto?
Yes. OFAC operates on a strict liability basis for civil penalties, meaning individuals can face fines even without knowing an address was sanctioned. Criminal penalties for willful violations can include up to 20 years in prison.

Is Tornado Cash still sanctioned by OFAC?
No. Treasury removed Tornado Cash addresses from the SDN List on March 21, 2025, following a Fifth Circuit ruling that OFAC exceeded its authority in designating immutable smart contracts. However, the case set precedent for how compliance teams now assess mixer-related risk.

What should crypto businesses do to comply with OFAC sanctions?
OFAC's 2021 guidance outlines five program elements: management commitment, risk assessment, internal controls, testing and auditing, and training. Businesses should screen all deposits and withdrawals against the SDN List, monitor for evasion patterns, and maintain audit-ready records.