What Sanctions Compliance Looks Like for Crypto Firms
Sanctions compliance was not a concept that occupied much space in the early crypto industry. The asset class was small, pseudonymous, and largely off the radar of the government agencies responsible for enforcing economic sanctions. That changed as crypto markets grew to a scale where they became relevant to national security objectives, and as regulators began applying the same enforcement expectations to crypto firms that they had long applied to banks.
The result is a compliance discipline that has developed rapidly, with significant enforcement actions establishing the boundaries and a growing ecosystem of technology tools enabling firms to meet their obligations. What sanctions compliance looks like for a crypto firm in 2026 is substantively different from what it looked like in 2018, and the gap reflects both regulatory pressure and genuine technical progress.
The Sanctions Framework That Applies to Crypto
The primary sanctions authority in the United States is the Office of Foreign Assets Control, a division of the Treasury Department. OFAC administers economic sanctions against foreign countries, individuals, and entities through a maintained list of designated parties known as the Specially Designated Nationals and Blocked Persons list, or SDN list. US persons, including US companies and foreign companies with US operations or counterparties, are prohibited from transacting with SDN-listed parties.
OFAC began designating cryptocurrency addresses on the SDN list in 2018, starting with specific addresses associated with the Iranian individuals sanctioned in that year. The practical implication was that a crypto exchange which processed a transaction from a designated address had potentially committed a sanctions violation, regardless of whether it knew the address belonged to a sanctioned entity.
The EU and UK maintain their own sanctions regimes with broadly similar structures. The EU's consolidated sanctions list and the UK's OFSI (Office of Financial Sanctions Implementation) list both include crypto addresses in their designations. For firms operating in multiple jurisdictions, the compliance obligation is additive: they must screen against all relevant sanctions lists, not just the one from their primary regulator.
The Tornado Cash Precedent
The most significant sanctions development in crypto's history was OFAC's designation of Tornado Cash in August 2022. Tornado Cash was not a company or an individual. It was a smart contract protocol, a piece of open-source code deployed on the Ethereum blockchain that provided transaction mixing services, obscuring the link between sending and receiving addresses.
OFAC's designation of Tornado Cash's smart contract addresses was unprecedented. It was the first time OFAC had designated immutable code rather than a legal entity or individual. The implications were immediate: any interaction with the designated Tornado Cash smart contracts, including by US persons, was potentially a sanctions violation.
The designation was challenged in court. The Fifth Circuit Court of Appeals ruled in November 2024 that OFAC had exceeded its authority by designating immutable smart contracts that no one controlled, distinguishing them from property owned by a foreign national or entity. The ruling was significant but narrow: it addressed the immutable contracts specifically and did not prevent OFAC from designating Tornado Cash-associated addresses, wallets, or the individuals behind the protocol.
The case established that the boundaries of sanctions enforcement in crypto are still being defined through litigation as well as regulation. For compliance officers at crypto firms, the lesson was that the regulatory environment can shift rapidly and that activities previously considered outside the sanctions perimeter may enter it.
Major Enforcement Actions and What They Established
Several significant enforcement actions against crypto firms have defined the practical expectations for sanctions compliance.
Kraken settled with OFAC in 2022 for $362,000 over transactions processed for users in sanctioned jurisdictions, primarily Iran. The settlement was notable for the relatively modest penalty amount, which OFAC attributed to Kraken's voluntary self-disclosure and subsequent remediation. The message was that self-disclosure and genuine remediation efforts reduce exposure significantly.
Binance's $4.3 billion settlement with US authorities in 2023, which covered multiple compliance failures including sanctions violations, was the largest crypto enforcement action in history. The investigation found that Binance had processed transactions for users in sanctioned countries including Iran and had served sanctioned entities. The settlement required a monitored compliance programme and demonstrated that OFAC was prepared to pursue criminal consequences for egregious sanctions failures at systemically important firms.
BitPay settled with OFAC in 2021 for $507,375 over transactions processed for users in Cuba, Iran, North Korea, Sudan, and the Crimea region of Ukraine. The BitPay case illustrated that even payment processors without traditional financial institution characteristics were subject to full sanctions obligations when processing crypto transactions.
What Compliant Firms Actually Do
The mechanics of sanctions compliance at a regulated crypto exchange or crypto financial services firm in 2026 involve several distinct components operating simultaneously.
Address screening against the SDN list and equivalent international lists is the baseline requirement. OFAC provides the SDN list in machine-readable format, and crypto firms integrate this into their transaction processing systems. Before processing a withdrawal or completing a trade, the firm's system checks whether the sending or receiving address appears on the relevant sanctions lists. Blockchain analytics providers maintain updated databases of addresses associated with sanctioned entities, extending beyond the addresses OFAC has formally designated to include addresses connected to sanctioned entities through transaction history.
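An added illustration of the screening step described above (example code written for this page, not any firm's or list provider's system): both sides of a transfer are checked against several sanctions lists at once, since obligations across jurisdictions are additive. The list entries, addresses and record layout are constructed placeholders, and the case-folding rule for EVM hex addresses is an assumption about matching, not a statement about how OFAC publishes the list.

```python
import re
from dataclasses import dataclass

# Canonical EVM address shape: 0x followed by 40 hex digits (any case).
EVM_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(address: str) -> str:
    """Canonical form for matching. EVM hex addresses are case-insensitive
    (EIP-55 checksumming only changes letter case), so they are lowercased;
    other formats such as Bitcoin base58 are case-sensitive and kept verbatim."""
    address = address.strip()
    return address.lower() if EVM_ADDR.match(address) else address

@dataclass(frozen=True)
class ListEntry:
    list_name: str   # which regime designated it, e.g. "OFAC SDN" or "UK OFSI"
    entity: str      # the designated party the address is attributed to
    address: str

# Constructed placeholder designations (assumed record layout, not real listings).
SAMPLE_LISTS = [
    ListEntry("OFAC SDN", "Entity A", "0x" + "AbCdEf" * 6 + "AbCd"),
    ListEntry("OFAC SDN", "Entity A", "1ConstructedBase58Sample"),
    ListEntry("UK OFSI", "Entity B", "0x" + "2" * 40),
]

def build_index(entries):
    """Map normalized address -> every list entry naming it, across all lists."""
    index = {}
    for entry in entries:
        index.setdefault(normalize(entry.address), []).append(entry)
    return index

def screen_transfer(sender, receiver, index):
    """Return (decision, hits). A hit on either side blocks the transfer; because
    obligations across jurisdictions are additive, every list is consulted."""
    hits = []
    for role, addr in (("sender", sender), ("receiver", receiver)):
        for entry in index.get(normalize(addr), []):
            hits.append((role, entry.list_name, entry.entity))
    return ("BLOCK" if hits else "ALLOW"), hits

if __name__ == "__main__":
    idx = build_index(SAMPLE_LISTS)
    print(screen_transfer("0x" + "abcdef" * 6 + "abcd", "0x" + "3" * 40, idx))
```

The index should be rebuilt whenever any list is refreshed; a stale index is the same failure as no screening at all for newly designated addresses.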
Geofencing, which uses IP address, account registration information, and payment method location data to block users from sanctioned jurisdictions, addresses the geographic dimension of sanctions compliance. A user accessing the platform from a US-sanctioned country represents sanctions exposure regardless of whether that individual appears on the SDN list.
Transaction monitoring goes beyond point-in-time address screening to identify patterns associated with sanctions evasion. A series of small transactions from a cluster of addresses that collectively aggregate to a larger transfer, designed to obscure the origin, is a pattern that transaction monitoring systems flag for review. Blockchain analytics tools from providers including Chainalysis, Elliptic, and TRM Labs provide the underlying transaction graph analysis that makes this monitoring possible.
Enhanced due diligence for higher-risk transactions involves human review of flagged activity rather than automated clearance. Transactions above defined thresholds, transactions involving counterparties in higher-risk jurisdictions, or transactions with unusual patterns will trigger review by a compliance team before being processed.
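An added example (written for this page, not a vendor's product or the page's own code) of the two monitoring rules described in the preceding paragraphs: a per-transfer threshold that routes a transaction to human review, and an aggregation check that catches a cluster of addresses sending small transfers which together exceed that threshold. The threshold, window, cluster attribution and transfer log are all constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 10_000        # assumed per-transfer EDD threshold (USD equivalent)
WINDOW = timedelta(hours=24)     # assumed aggregation window for the structuring rule
Transfer = namedtuple("Transfer", "ts sender receiver usd")

# Constructed address-to-cluster attribution standing in for an analytics provider's data.
CLUSTERS = {"addrA1": "cluster-A", "addrA2": "cluster-A", "addrA3": "cluster-A",
            "addrB1": "cluster-B"}

def monitor(transfers):
    """Rule 1: a single transfer at or above REVIEW_THRESHOLD is routed to human review.
    Rule 2: transfers from one cluster to one receiver that are each below the threshold
    but sum to at least the threshold within WINDOW are flagged as possible structuring."""
    alerts = []
    by_pair = defaultdict(list)
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.usd >= REVIEW_THRESHOLD:
            alerts.append(("OVER_THRESHOLD", t.sender, t.receiver, t.usd))
            continue
        cluster = CLUSTERS.get(t.sender, t.sender)  # unattributed addresses form their own cluster
        by_pair[(cluster, t.receiver)].append(t)
    for (cluster, receiver), txs in by_pair.items():
        start = 0                                   # sliding window over time-ordered transfers
        for end in range(len(txs)):
            while txs[end].ts - txs[start].ts > WINDOW:
                start += 1
            total = sum(x.usd for x in txs[start:end + 1])
            if end > start and total >= REVIEW_THRESHOLD:
                alerts.append(("STRUCTURING", cluster, receiver, total))
                break                               # one alert per pair is enough to trigger review
    return alerts

def sample_transfers():
    """Constructed transfer log: three sub-threshold deposits from cluster-A within
    five hours, one large deposit from addrB1, and an unrelated transfer days later."""
    t0 = datetime(2026, 1, 5, 9, 0)
    return [
        Transfer(t0, "addrA1", "exchange-deposit", 4_000),
        Transfer(t0 + timedelta(hours=2), "addrA2", "exchange-deposit", 3_500),
        Transfer(t0 + timedelta(hours=5), "addrA3", "exchange-deposit", 3_000),
        Transfer(t0 + timedelta(hours=1), "addrB1", "exchange-deposit", 12_000),
        Transfer(t0 + timedelta(days=3), "addrB1", "other-dest", 2_000),
    ]
```

Both rules only queue transactions for review; the clearance decision itself stays with the compliance team, as the paragraph on enhanced due diligence describes.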
The DeFi Compliance Challenge
The Tornado Cash case highlighted a broader compliance challenge that remains unresolved: how sanctions obligations apply to decentralised protocols and their users.
A centralised exchange can screen addresses before processing transactions. A DeFi protocol executes transactions automatically based on smart contract logic without a compliance team reviewing each interaction. The protocol has no mechanism to check whether a particular address is on the SDN list before executing the transaction the user has submitted.
The regulatory approach to this has been to focus on the front-end interfaces that provide user access to DeFi protocols, rather than the underlying smart contracts. The teams that operate front-end websites for DeFi protocols can implement address screening at the interface level, blocking users whose addresses match sanctions lists from accessing the interface even if the underlying protocol remains technically accessible.
Several major DeFi front-ends have implemented this approach following the Tornado Cash developments. Uniswap's web interface blocks addresses flagged by its analytics partners. Aave's interface similarly implements address screening. The underlying protocols remain accessible through direct smart contract interaction for technically sophisticated users, but the regulatory risk for the teams operating the primary interfaces has been materially reduced.
The residual exposure for protocol front-end operators who implement good-faith address screening, while the underlying protocol remains accessible, is an open legal question. Regulators have not provided definitive guidance on whether good-faith interface-level screening is sufficient to discharge the obligations of US persons connected to the protocol's operation.
Compliance Technology Infrastructure
The ecosystem of technology tools serving crypto sanctions compliance has matured substantially. Blockchain analytics has moved from a research capability to operational infrastructure.
The major providers can trace transaction flows across multiple blockchains, cluster addresses associated with the same wallet, identify addresses connected to sanctioned entities, and score transactions by risk profile based on the entities they have interacted with historically. This capability allows compliance teams to make risk-based decisions about transactions rather than relying solely on exact-match screening against official lists.
The limitation of these tools is that their accuracy depends on the quality of their attribution data, which is derived from a combination of proprietary research, law enforcement cooperation, and public information. A sophisticated actor who has taken steps to obscure the connection between their operational addresses and their identity may not appear in analytics databases even if their primary addresses are on the SDN list.
This creates an inherent tension in crypto sanctions compliance: the system is designed to catch most sanctioned activity but cannot guarantee it catches all of it, particularly where deliberate evasion techniques are employed. Regulators generally acknowledge this limitation in enforcement, focusing on whether firms have implemented reasonable and good-faith compliance programmes rather than requiring perfect detection.
What the Compliance Expectation Is
Regulatory expectations for sanctions compliance at crypto firms are calibrated to the firm's size, the nature of its activities, and the risk profile of its customer base and transaction flows.
A large exchange with global operations serving retail customers across many jurisdictions is expected to maintain comprehensive sanctions screening, robust transaction monitoring, dedicated compliance personnel, and regular third-party audits of its compliance programme. The expectations are closer to those applied to a mid-size bank than to a technology startup.
A smaller firm with a more limited product offering and customer base is expected to implement proportionate controls: address screening, basic transaction monitoring, and clear escalation procedures for flagged activity. The absolute standard is lower, but the principle is the same: a good-faith, documented programme that demonstrates genuine effort to comply.
What regulators have consistently penalised is not imperfect detection but wilful blindness: firms that knew or should have known that their systems were inadequate and chose not to address the gap. The distinction between imperfect compliance and deliberate non-compliance is where enforcement discretion tends to focus, and firms that invest genuinely in their compliance infrastructure and document that investment are materially better positioned when regulators investigate than those that treat compliance as a box-checking exercise.