Crypto assets and Sanctions Compliance: Threats and Guidance for Compliance Professionals

The UK Office of Financial Sanctions Implementation (OFSI) has identified crypto assets as a growing vector for sanctions evasion.  As with any asset class, UK sanctions laws apply equally to crypto: financial sanctions “do not differentiate between crypto assets and other forms of assets,” and using crypto to circumvent sanctions is itself a criminal offence.  

Since 2022 (notably following Russia’s invasion of Ukraine), the crypto sector has been subject to new compliance obligations: crypto asset exchange providers and custodian wallet providers must register with the UK Financial Conduct Authority (FCA) and comply with anti-money laundering regulations, and since September 2023 the UK has implemented the “Travel Rule,” requiring crypto firms to collect and share identity information about senders and receivers of crypto transfers.  

In August 2022, crypto firms were also added to the list of “relevant firms” under UK sanctions law, obliging them to report to OFSI whenever they know or suspect a designated person (DP) has been encountered or a sanctions breach has occurred.  Reporting suspected sanctions breaches, including those involving crypto assets, is essential: it provides the government with “vital information about the activities of DPs and the presence of frozen assets ‘including crypto assets’ in the UK”.

Crypto’s pseudonymous and borderless nature has attracted targeted abuse by sanctioned actors.  OFSI’s July 2025 Crypto assets Threat Assessment highlights several key findings:

  • Under‑reporting and compliance gaps - OFSI concludes it is “almost certain” that UK crypto firms have under‑reported suspected sanctions breaches since August 2022.  Only about 7% of all sanctions breach reports to OFSI since January 2022 involved crypto firms, despite crypto’s popularity.  Reporting has been uneven: the vast majority (90%) of those crypto-related reports were filed after April 2024, suggesting earlier lapses.  OFSI attributes this largely to inadvertent failures (for example, slow attribution of blockchain transactions and limited analytics) rather than deliberate evasion.  In practice, UK crypto firms often identify potentially sanctioned addresses after funds have moved (e.g. once blockchain analytics tools reveal the connection), leading to delayed OFSI reports.

  • Geographic focus: Russia and Iran - Consistent with global patterns, Russian targets dominate crypto sanctions breaches.  Over 90% of crypto-related breach reports to OFSI since 2022 have concerned the UK’s Russia regime (only 10% involved Iran).  OFSI warns that while Russia-related risks remain highest, crypto firms must not ignore any sanctions regime, given crypto’s transnational use.  Notably, OFSI reports that UK crypto firms have likely been directly or indirectly exposed to Garantex, a designated Russian crypto exchange, since its designation in 2023, causing actual breaches of UK sanctions.  (Garantex was a conduit for illicit funds, including darknet and ransomware proceeds, and a global law enforcement takedown in March 2025 froze $26 million of its assets.)  OFSI also flags the threat of sanctions evasion via non‑KYC Russian-language services (e.g. instant fiat-crypto exchanges operating with minimal due diligence).

  • North Korea (DPRK) cyber threats - DPRK-linked hackers represent “the most significant and persistent threat to the crypto assets sector”.  State-affiliated cyber groups (e.g. Lazarus, BlueNoroff) have stolen vast sums (most recently $1.5 billion from Bybit in Feb 2025) by breaching crypto exchanges and DeFi protocols.  These attacks target private keys and customer wallets via phishing and malware.  OFSI assesses it is “highly likely” that UK-based crypto firms are at risk of such theft or extortion attempts by DPRK actors.  Even absent direct theft, DPRK operatives will seek to launder stolen crypto through global exchanges, mixers, stablecoins (e.g. USDT, DAI) and OTC platforms.  OFSI notes DPRK actors use complex, multi-stage chain-hopping (mixers, bridges, no‑KYC exchanges) to “clear exposure” of stolen funds.

  • Iranian sanctions circumvention - Iran has built a crypto ecosystem (licensing mining, issuing a “digital Rial”) to evade sanctions.  OFSI warns that UK crypto services may currently be unwittingly transmitting funds for Iranian entities.  Many suspicious payments through UK crypto infrastructure have flowed to Nobitex, an Iranian exchange linked to Iran’s Islamic Revolutionary Guard Corps (IRGC, a designated entity); these flows could breach UK sanctions if no licence applies.  Iranian crypto firms have also publicly shared tactics to evade sanctions, such as using crypto and privacy tools to move money around banking restrictions.  OFSI advises UK firms to report any activity involving Iranian designated persons or crypto platforms suspected of sanctions evasion immediately.

  • Other sector vulnerabilities - Beyond these cases, OFSI notes general trends: use of privacy coins and wallets, dark-net markets for crypto trading, and rapid cross-border crypto payments can all facilitate evasion.  Nested exchange structures (one verified account controlling multiple withdrawal wallets) and chain-hopping through DeFi or mixers increase detection difficulty.  Frequent small transactions, multiple wallet changes, and reliance on unregulated services (DEXs, OTC desks) are often observed in crypto-borne sanctions evasion schemes.  OFSI highlights that even sanctioned customers’ indirect flows – e.g. an innocent customer receiving coins earlier held by a DP – can breach sanctions.

    Compliance Vulnerabilities and Red Flags

    OFSI’s analysis uncovers common compliance gaps in the crypto sector.  Firms must assume that any exposure to a designated person (DP), even indirectly, can constitute a breach.  Direct exposure means transacting with a wallet or entity known to be owned or controlled by a DP (e.g. a designated exchange, or an address on the UK Sanctions Lists).  Indirect exposure includes any path through which DP-controlled crypto might reach the firm: funds passing through intermediaries or mixers after leaving a DP’s wallet, customers whose funds originated from a DP, or services (cloud, exchanges) used by sanctioned entities.  Both direct and indirect exposures are now recognised as leading to sanctions breaches.  OFSI emphasizes that mixing/tumbling (“chain-hopping”) never eliminates the sanctions risk; it only spreads it out.  Firms should therefore trace at least 3–5 hops of transaction history (or until reaching an identifiable service provider) and report any suspicions.

    Common red flags in crypto transactions (either alone or in combination) should trigger enhanced due diligence. These include:

  • Transactions just after sanctions changes: Large or unusual crypto flows immediately following new sanctions announcements.

  • Link to known DPs: Transfers involving counterparties or addresses known (or suspected) to be affiliated with designated persons.

  • Evasive transaction patterns: Rapid re-routing of funds through many wallets, sudden shifts to DEXs or privacy coins, or frequent address clustering/shuffling.

  • Multiple small transfers: Repeated micropayments from or to the same addresses or building a large position through many small trades (below £10,000).

  • Non-compliant services: Use of non-KYC/anonymous exchanges or mixers; VPN use hiding true locations; AI-generated IDs or false KYC (as seen in some Iranian platforms).

  • High-risk regions: Transactions through countries not aligned with UK sanctions regimes (often indicated by local peer-to-peer trading or offshore exchanges).

    Firms should update their transaction monitoring datasets to train their systems’ algorithms to catch these indicators/typologies.  OFSI notes many crypto breaches were only detected retrospectively (e.g. after a cluster analysis tool flagged an address).  Hence, continuous blockchain analytics, including alerts when a known DP’s address appears in a transaction history, are critical.  Because blockchain records are immutable, firms must also monitor new wallet addresses that may be created by sanctioned actors after designation.  Any connection (direct or via chain) to a DP that appears (even if the transaction was “legitimate” at the time) should be reported to OFSI once it is discovered.
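
The hop-limited tracing described above (follow funds back 3–5 hops, or until an identifiable service provider is reached, and alert when a DP address appears in the history) can be sketched as follows. This is an added example, not code from OFSI or the author; the addresses, tags and the `trace_exposure` helper are constructed for illustration, and the graph is address-level only (it ignores amounts and timing).

```python
from collections import deque

# Constructed sample data: (sender, receiver) transfers. All names are hypothetical.
TRANSFERS = [
    ("dp_wallet", "mixer_1"), ("mixer_1", "addr_y"), ("addr_y", "cust_a"),
    ("dp_wallet", "exchange_k"), ("exchange_k", "cust_b"),
    ("dp_wallet", "cust_c"),
    ("dp_wallet", "h1"), ("h1", "h2"), ("h2", "h3"), ("h3", "h4"),
    ("h4", "h5"), ("h5", "cust_d"),
    ("cust_a", "addr_y"),  # cycle: must not loop forever
]
DESIGNATED = {"dp_wallet"}        # addresses attributed to a DP
KNOWN_SERVICES = {"exchange_k"}   # identifiable, regulated providers

def trace_exposure(address, transfers, designated, services, max_hops=5):
    """Walk inbound transfers backwards from `address`, breadth first.

    Returns one finding per designated address reached within `max_hops`,
    with the shortest route written in the direction the funds flowed.
    Mixers are traversed like any other address: mixing does not clear exposure.
    """
    inbound = {}
    for sender, receiver in transfers:
        inbound.setdefault(receiver, set()).add(sender)

    findings, seen = [], {address}
    queue = deque([(address, [address])])
    while queue:
        node, path = queue.popleft()
        hops = len(path) - 1
        if node in designated:
            findings.append({
                "dp": node,
                "hops": hops,
                "kind": "direct" if hops <= 1 else "indirect",
                "route": " -> ".join(reversed(path)),
            })
            continue
        # Stop at the hop limit, or at an identifiable service provider.
        if hops == max_hops or (hops > 0 and node in services):
            continue
        for src in sorted(inbound.get(node, ())):
            if src not in seen:       # visited set guards against cycles
                seen.add(src)
                queue.append((src, path + [src]))
    return findings

if __name__ == "__main__":
    for cust in ("cust_a", "cust_b", "cust_c", "cust_d"):
        print(cust, trace_exposure(cust, TRANSFERS, DESIGNATED, KNOWN_SERVICES))
```

The `route` string gives the path description a report would need, and `cust_d` shows the limit of a fixed depth: its exposure sits six hops back and is only found when `max_hops` is raised.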

    Reporting Obligations and Best Practices

    All UK crypto asset firms (and any entity dealing with crypto for UK clients) must ensure full compliance with sanctions reporting obligations.  Specifically:

  • Immediate blocking and reporting - If a crypto transaction is linked to a DP (even indirectly), the firm must freeze the assets and block transfers.  Even though crypto transfers cannot be reversed, firms should restrict the user’s account and prevent further withdrawals.  Any incoming crypto suspected of sanctions evasion should also be frozen and reported.  Without an applicable license or exemption, such funds remain “frozen funds” under UK sanctions law; the firm must file a frozen asset report to OFSI as soon as possible.  Similarly, if a firm suspects a sanctions-linked transaction chain, it should make a suspicious activity report (SAR) to the National Crime Agency (NCA) and, if within regulation, to the FCA.  In all OFSI reports and SARs, firms are asked to include the reference “OFSI Crypto assets Threat Assessment – 0725” to aid analysis.

  • Detailed reporting - When a suspicious crypto transaction is reported to OFSI, it should include as much information as possible: all involved wallet addresses (including any intermediary and DP-associated addresses), transaction hashes, crypto amounts, currency equivalents, and any linking evidence (e.g. chain analytics justifying a DP connection).  If a transaction involves multiple small hops or related addresses, bundle them into a single report with an explanation of their grouping (so long as this does not unduly delay filing).  Clearly identify the DP(s) involved, even if the transaction was indirect, and describe the route (e.g. “Address X → mixer → Address Y → exchange”).  If a sanctioned transaction was erroneously allowed through (e.g. KYC failed to flag it), explain the screening breakdown.  Also report any mitigating actions taken (account freezes, reversals via wallet recovery, etc).  Providing complete context, including KYC details of clients and a summary of the screening controls used, will make OFSI’s analysis more effective.

  • Risk-based monitoring - Firms should adopt a thorough risk assessment process.  This means mapping all crypto products and customer profiles against sanctions risk and designing controls accordingly.  Industry best practice (as emphasised by the U.S. Treasury’s Office of Foreign Assets Control) is to conduct ongoing sanctions risk assessments tailored to your business model.  For crypto firms, this involves knowing which countries and tokens are high-risk; tracking activity on less-regulated exchanges and OTC markets; and continuously reviewing counterparty risk.  Screening must be applied both at onboarding and to transactions.  Use industry tools (blockchain analytics, IP geolocation, clustering algorithms) to detect indirect exposure.  Since new DPs can emerge at any time, implement automated updates to sanction lists and addresses.  Train staff to recognize the red flags above, and to escalate suspicious patterns (e.g. a new wallet suddenly receiving large transfers) without delay.

  • Coordination with international measures - Compliance should align with global standards.  Beyond UK law, firms are expected to meet FATF requirements (e.g. Travel Rule, KYC/AML by exchanges, reporting thresholds) and any relevant EU/US regimes.  For example, OFAC guidance similarly urges crypto firms to embed “effective compliance policies, procedures, and controls” into their operations, including transaction monitoring and internal audits.  Crypto businesses should also be aware of non‑UK sanctions lists (e.g. US SDN list includes crypto addresses, OFAC issues public advisories on crypto threats) and coordinate with international enforcement. Engaging in global information-sharing (between compliance, law enforcement, and blockchain analysis communities) can help identify cross-border schemes early.

    Practical Recommendations

    Firms may wish to consider the following steps to mitigate crypto asset sanctions risk:

  • Strengthen screening and analytics: Deploy or enhance blockchain monitoring software to flag sanctioned addresses up to 3–5 hops out.  Incorporate address clustering, DeFi bridge tracking, and privacy-coin detection. Integrate IP geolocation and device fingerprinting to catch VPN usage or accounts created from sanctioned jurisdictions.

  • Enforce strict KYC/AML for crypto services: Ensure all exchanges, OTC desks, and wallet providers have rigorous customer identification, transaction limits, and ongoing monitoring.  Vet business customers for ownership by foreign nationals or entities that could mask DP control. Beware of complex corporate/crypto ownership structures that obscure real owners.

  • Monitor counterparties’ practices: Check whether any foreign crypto partners (exchanges, custodians, tech vendors) have weak AML controls or links to sanctioned jurisdictions.  Confirm they enforce travel-rule information sharing and sanctions screening consistent with UK policy.  If dealing with crypto firms in other countries, ensure they adhere to equivalent sanctions (e.g. aligned with EU/US regimes) to avoid loopholes.

  • Report comprehensively and promptly: Develop clear internal procedures for sanction-hit scenarios.  Require immediate internal escalation when a potential DP hit is identified.  File OFSI reports and SARs as soon as possible, as delays can hamper enforcement.  ‘When in doubt, report it’: if an address is later designated as a DP, your retrospective detection may already qualify as a reportable breach.

  • Document and test controls: Maintain up-to-date policies showing how crypto transactions are screened.  Regularly test your sanctions controls (e.g. by simulating transfers through tagged addresses) and update the risk assessment.  Audit any incidents or near-misses to identify control gaps.  Keep records of all reports, including the “OFSI – CTA – 0725” reference, to demonstrate compliance efforts.

    By following a risk-based approach and leveraging technology, crypto firms and their partners can close the gaps highlighted by OFSI’s assessment.  The threat assessment underscores that many past breaches were due to inadvertent failures, but these can be fixed.  Enhancing due diligence, addressing red flags, and meeting reporting obligations will not only satisfy UK law, but also help safeguard the global financial system against illicit crypto flows.

    Author - Manmeet Lotay, Global Sanctions Advisor, Ferrer Consultancy Services

    Ferrer Consultancy Services empowers clients to stay ahead of sanctions risk through proactive, data-driven controls that build resilience and agility in an evolving global landscape. By enhancing sanctions frameworks and implementing proactive risk mitigation strategies, Ferrer Consultancy Services enables organisations to anticipate and manage sanctions exposure, not just react to it, ensuring confidence in a constantly shifting regulatory ecosystem.

  • If you're ready to turn compliance into a competitive advantage, contact us today to learn how we can help your organisation proactively manage and mitigate sanctions risks.

    Office: (+44) 0208 797 0396

    Mobile: (+44) 07595292295 

    Email: info@ferrer-consultancy.com
