OFSI Publishes Cryptoassets Threat Assessment Highlighting Key Sanctions Risks for the Sector

HM Treasury’s Office of Financial Sanctions Implementation (“OFSI”) has published its first Cryptoassets Threat Assessment Report (the “Assessment”) as part of a series of sector-specific assessments surveying trends in the UK’s financial sanctions landscape and identifying threats to compliance.  The purpose of the Assessment is to aid UK cryptoasset businesses in identifying and prioritising sanctions risks as part of their risk-based sanctions compliance efforts.  The Assessment focuses on three key areas: (1) inadvertent non-compliance involving designated persons; (2) threats posed by exposure to Iranian, North Korean, and Russian designated persons; and (3) reporting issues.  While principally targeted at UK cryptoasset firms, many of the insights in the Assessment will be of broader relevance to businesses when developing, reviewing, and enhancing their sanctions compliance controls.

The Assessment

The Assessment focusses on threats to UK financial sanctions compliance involving UK cryptoasset firms since January 2022.  The Assessment adopts the definition of “cryptoassets” set out in the Financial Services and Markets Act 2023 (i.e., cryptoassets are cryptographically secured digital representations of value or rights that are transferable electronically).  

The Assessment specifically covers UK businesses registered with the Financial Conduct Authority (“FCA”), the anti-money laundering and counter-terrorist financing supervisor for cryptoasset firms in the UK, which conduct the following business activities:

• exchanging, arranging, or making arrangements with a view to the exchange of, one cryptoasset for another, cryptoassets for fiat or vice-versa (e.g., centralised exchanges, Peer-to-Peer Providers, and firms issuing new cryptoassets);
• operating a crypto ATM; and
• custodian wallet providers.

Since August 2022, cryptoasset firms have been subject to mandatory reporting obligations under UK financial sanctions regimes, which require them to report certain information to OFSI as soon as practicable when (within the course of their business) they know or have reasonable cause to suspect that they (i) have encountered a UK designated person, and/or (ii) that a breach of UK financial sanctions has occurred.

Preventing Financial Sanctions Breaches

According to the Assessment, most breaches of UK financial sanctions since 2022 by UK cryptoasset businesses have been inadvertent and typically have involved direct or indirect dealings with UK sanctioned wallets or exchanges, or failure to timely implement asset freezes due to attribution delays.      

As civil penalties for breaches of financial sanctions can be imposed on a strict liability basis, and to assist cryptoasset firms in meeting their compliance obligations, OFSI recommends that they consider:

• strengthening due diligence to detect direct and indirect exposure to UK designated persons;
• deploying blockchain analytics tools to monitor multiple transaction hops;
• reviewing exposure to high-risk jurisdictions and exchanges; and
• promptly reporting suspected breaches (when relevant) to OFSI, the FCA, and the National Crime Agency in line with their legal obligations under the UK’s sanctions and anti-money laundering regimes.

Key Threats

According to the Assessment, UK designated persons have increasingly used cryptoassets to bypass sanctions since 2022, generally exploiting the pseudonymous and borderless nature of blockchain transactions.  In particular, OFSI has identified three key threats to the integrity of UK financial sanctions from designated Russian exchanges, North Korean-linked hackers and IT workers, and Iranian cryptoasset firms with suspected links to UK designated persons.

Exposure to Russian Designated Persons

The Assessment states that almost all transfers from UK cryptoasset firms to designated persons since 2022 involved Garantex Europe OU (“Garantex”), a Russian exchange designated by the UK in 2022 for supporting Russian state interests.  While the main services interacting with Garantex pre-designation were centralised cryptoasset exchanges, post-designation the types of services have diversified with a rise in interactions with merchant services.  During the same timeframe, indirect flows from UK entities to Garantex also increased. 

Although Garantex was disrupted in March 2025, it has since rebranded as Grinex, continuing operations via Ruble-backed stablecoins and USDT with over $1.2 billion in transactional volume by May 2025.  Garantex (and now Grinex) exploit layered transactions and chain hopping to disguise Russian oil proceeds and other illicit funds.  The Assessment recommends that cryptoasset firms should proceed with caution in transactions involving Grinex addresses.

North Korean Cyber Activity

The most significant and persistent threat to the cryptoasset sector at present is posed by North Korean-linked hackers and IT workers targeting cryptoasset firms and the wider sector via large-scale thefts and money laundering operations.  The involved groups employ sophisticated money laundering strategies, including chain hopping, mixers, privacy bridges, OTC desks, and fake exchanges.  Additionally, North Korean IT workers infiltrate firms as remote contractors to generate funds for the North Korean regime and obtain sensitive data.  Given the prevalence of these strategies, OFSI has issued standalone guidance on the threat posed by North Korean IT workers.

Iranian Cryptoasset Activity

Since its legalisation of cryptoasset mining in 2019 and the introduction of the digital Rial in 2024, Iran has developed a complex cryptoasset ecosystem.  Since 2022, Iran has increased its usage of cryptoassets as payment in foreign trade in response to international sanctions.  According to the Assessment, cryptoasset firms with suspected links to designated persons are facilitating payments through the UK’s cryptoasset infrastructure.  The majority of such payments reported to OFSI have to date been made to unknown end users using exchanges such as Nobitex, which has suspected links to the Islamic Revolutionary Guard Corps.  Certain Iranian-linked cryptoasset platforms have also issued public guidance on using cryptoassets to evade banking restrictions and have even offered AI-generated IDs to circumvent Know-Your-Customer (“KYC”) controls.

Complying with Reporting Obligations

The Assessment states that UK cryptoasset firms are almost certain to have under-reported suspected breaches of UK financial sanctions to OFSI since they became subject to a mandatory reporting requirement in August 2022. 

The Assessment states that around 7% of all suspected financial sanctions breaches reported to OFSI have involved cryptoasset firms in some capacity.  Russia has accounted for over 90% of cryptoasset-related suspected breach reports to OFSI, with Iran comprising most of the remainder.  While reporting has risen significantly since April 2024, it has been “inconsistent” and (in some cases) severely delayed.

OFSI sets out its expectation in the Assessment that cryptoasset firms treat financial sanctions compliance and reporting obligations with the same seriousness as traditional financial institutions.  When making reports of suspected breaches, OFSI recommends that UK cryptoasset firms consider:

• grouping reports involving multiple small-value transactions involving the same actors or addresses in a single timely report with an explanation of why they were grouped;
• including KYC details for the individuals involved in a suspected offending transaction, including as a priority name, date of birth, and account number;
• including a brief summary of the crypto screening process used, and any action taken by the firm (e.g., any account closure or other restrictions imposed);
• with respect to specific transactions, listing transaction routes, intermediary addresses, transaction hashes and crypto quantities (with USD / GBP value) and, where the value of transactions exceeds £1,000, including involved addresses at a minimum;
• specifically identifying the UK designated person when a transfer is suspected to have originated from, or been made to, a UK designated person and the rationale for linking the specified addresses to that person;
• explaining any screening failures as well as any steps taken to prevent onward transmission if a transaction with a UK designated person has taken place;
• explaining the steps taken to prevent onward transmission / access where a transaction with a UK designated person has been blocked;
• explaining any delay in reporting transactions that took place considerably before reporting; and
• including details of the assets involved in a suspicious transaction (i.e., whether they have been frozen or moved elsewhere).

Sanctions Evasion Typologies

To assist UK cryptoasset firms in complying with UK financial sanctions, the Assessment also highlights multiple sanctions evasion typologies that cryptoasset firms should be aware of.  These include:

• cross-border crypto payments bypassing traditional banking restrictions;
• layering and mixing techniques such as tumblers, privacy wallets, use of VPNs, and chain hopping to obscure origins;
• minimal KYC or Non-KYC exchanges offering anonymity;
• nested exchanges using host platform infrastructure without approval;
• centralised exchanges with links to UK designated persons, which operate by sharing services with UK designated cryptoasset exchanges to hide transfers that violate sanctions;
• use of decentralised exchanges enabling pseudonymous transactions without central compliance oversight (particularly Russian-language exchange services which do not collect customer information);
• darknet markets facilitating illicit sales and laundering; and
• over-the-counter brokers exchanging cash for cryptoassets beyond regulated platforms to move cash between jurisdictions that should be prohibited.

The Assessment identified several other emerging evasion typologies, including the use of non-fungible tokens (NFTs), meme coins, and new stablecoins to bypass controls, as well as identifying a range of indicative sanctions evasion red flags that cryptoasset firms should be alert to.  While not determinative of evasion, the Assessment recommends that the presence of multiple red flags in connection with a transaction should prompt UK cryptoasset firms to undertake enhanced due diligence before proceeding.

Conclusion

The Assessment provides additional clarity to cryptoasset businesses on some of the indicators of financial sanctions breaches and strategies being used to evade UK financial sanctions, which OFSI expects businesses to be alert to in designing and implementing their sanctions compliance programmes.  While the Assessment’s guidance is primarily targeted at cryptoasset businesses, much of the Assessment has broader applicability to businesses whose activities expose them to sanctions risk.  Cryptoasset businesses that are required to comply with UK sanctions should review their existing financial sanctions compliance programme in light of the Assessment to identify any necessary enhancements to policies, procedures, and controls.  For more information on these developments, contact the authors of this post, Alexandra Melia or Elliot Letts, in Steptoe’s Economic Sanctions team in London.