OFAC, Sanctions, And Crypto: An Evergreen Guide For Digital Asset Markets

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) is the agency that administers and enforces U.S. economic sanctions, and it now sits at the center of many of the highest‑stakes battles in crypto over money laundering, state actors, stablecoins, and the limits of decentralization. For anyone building, investing in, or simply using digital assets that touch the U.S. financial system, understanding OFAC has become as important as understanding private keys or gas fees.

OFAC And Why It Matters To Crypto

At its core, OFAC is a sanctions agency inside the U.S. Department of the Treasury, charged with implementing foreign policy and national security objectives by restricting economic activity with targeted countries, entities, and individuals. Sanctions can be imposed on entire jurisdictions, such as comprehensively sanctioned countries, or on specific actors, such as terrorist organizations, narcotics traffickers, or cybercriminal groups. Historically this work focused on bank accounts, trade flows, and traditional securities, but the rise of digital assets has added an entirely new layer to OFAC’s remit, because crypto provides a borderless, programmable, and often pseudonymous payment rail that adversaries can exploit.

OFAC’s institutional roots stretch back to the Second World War, when the United States created the Office of Foreign Funds Control in 1940 to prevent enemy access to financial assets as war spread across Europe. OFAC itself was formally established in December 1950, after President Harry Truman declared a national emergency at the outset of the Korean War and ordered the blocking of Chinese and North Korean assets under U.S. jurisdiction. Over the decades, its mandate has evolved into a sophisticated sanctions apparatus that uses asset freezes, trade restrictions, and secondary sanctions to influence state behavior without the direct use of military force. As crypto has matured from an experiment into a significant global asset class, OFAC has extended this toolkit into the digital domain.

The link between OFAC and crypto is not theoretical. The agency now regularly designates crypto mixers, domestic and foreign exchanges, and wallet addresses tied to nation‑state hacking, terrorism financing, and sanctions evasion. These designations can instantly transform otherwise liquid tokens into “blocked property” that U.S. persons may not touch and that compliant intermediaries must freeze. Conversely, projects that obtain OFAC licenses to operate in sanctioned jurisdictions can gain a rare regulatory permission that competitors cannot easily replicate, illustrated by cases where stablecoin‑based payment systems have been cleared to serve users in heavily restricted economies. In practice, this means OFAC risk now shapes everything from how centralized exchanges onboard users to how stablecoins are architected at the smart contract level.

For a crypto‑native audience, the central takeaway is that OFAC risk is no longer a niche legal concern; it is a core design constraint for wallets, exchanges, stablecoin issuers, DeFi frontends, infrastructure providers, and even governance token holders. The same properties that make crypto attractive for censorship resistance and borderless payments also make it attractive for sanctioned regimes and criminal groups seeking to bypass traditional controls. OFAC’s response—sanctioning protocols, exchanges, and specific wallet addresses—has, in turn, forced the industry to grapple with hard questions about compliance, censorship, privacy, and the legal status of open‑source code.

Danicjade

May 15, 2026

View article →

Lawyer behind Arbitrum asset seizure case now targets Tether in bid to recover $344M in OFAC-frozen USDT linked to Iran’s Revolutionary Guard

Coindesk • May 15, 2026

Top Comment

Benthic

May 15, 2026

$344M of Tron USDT becoming a creditor target means the freeze button is no longer just OFAC plumbing; it can turn issuers into escrow agents for private litigants. The Arbitrum/Kelp mess already showed the trap: 30,766 ETH frozen to help rsETH victims got dragged into $877M DPRK judgment enforcement before DeFi United could route recovery. If Gerstein Harrow gets traction against Tether, every blacklistable balance at USDT/USDC scale becomes legal bounty inventory, and protocols may think twice before touching exploit funds.

How OFAC Sanctions Work

To understand how OFAC interacts with crypto, it is essential to grasp how U.S. sanctions operate in general. OFAC administers sanctions programs built on statutes such as the International Emergency Economic Powers Act (IEEPA) and implemented through Presidential executive orders and Treasury regulations. These programs may target whole jurisdictions, like Iran or North Korea, or focus on specific sectors, such as Russia’s financial and technology sectors, or specific categories of actors, such as terrorist organizations designated under counterterrorism authorities. Sanctions can be comprehensive, prohibiting almost all dealings with a country, or selective, aimed at particular sectors or individuals.

The most visible tool in OFAC’s arsenal is the Specially Designated Nationals and Blocked Persons List, or SDN List. When an individual or entity is added to this list, all of their property and interests in property that are in the United States or in the possession or control of U.S. persons are “blocked,” meaning frozen, and U.S. persons are generally prohibited from dealing with them unless authorized by OFAC. This concept of “property and interests in property” is intentionally broad and can include bank accounts, securities, real estate, and, increasingly, digital assets such as cryptocurrencies and stablecoins. In addition, entities that are directly or indirectly owned 50 percent or more by one or more blocked persons are themselves considered blocked, even if not explicitly named. This “50 percent rule” is crucial when analyzing corporate structures and complex ownership chains.

Sanctions can also be enforced through so‑called “secondary sanctions,” which do not directly prohibit U.S. persons from dealing with a foreign actor, but instead threaten to restrict that foreign actor’s own access to the U.S. financial system if it engages in certain behavior. A clear example appears in recent Russia‑related actions, where OFAC warned that foreign financial institutions that conduct or facilitate significant transactions for Russia’s military‑industrial base risk being sanctioned themselves. That category explicitly includes maintaining accounts, transferring funds, or providing financial services such as payment processing and trade finance to designated Russian entities. In the crypto context, a foreign exchange or OTC broker that processes large volumes for sanctioned Russian entities could thus expose itself to secondary sanctions risk, even if it has no physical presence in the United States.

When OFAC designates a target, U.S. persons must block the target’s property under their control and file reports with OFAC detailing the blocked assets. For financial intermediaries, this often means freezing accounts, stopping pending transactions, and halting services. For blocked property, the general rule is that it may not be transferred, paid, exported, withdrawn, or otherwise dealt in without OFAC authorization. Violations can lead to substantial civil monetary penalties and, for willful breaches, criminal prosecution. OFAC has increasingly applied these principles to digital assets, treating virtual currency as another form of property that can be blocked, reported, and, when appropriate, licensed for release.

This overarching structure applies equally to crypto. When OFAC adds a Bitcoin, Ethereum, or Tron address to the SDN List, U.S. exchanges, custodians, and other intermediaries are expected to identify any exposure, block the associated funds, and submit the required reports. The same goes for stablecoin issuers that are U.S. persons or otherwise subject to OFAC jurisdiction: if an on‑chain address is determined to belong to a sanctioned party, the issuer is expected to deny access to those tokens and, depending on the smart contract’s design, may blacklist the address or “freeze” the balance. As the following sections explain, OFAC has formalized its expectations in guidance tailored to the virtual currency sector and is now moving to codify obligations for U.S. stablecoin issuers through the GENIUS Act framework.

OFAC’s Framework For Virtual Currency

Defining Digital Currency And Virtual Currency

OFAC’s formal guidance makes clear that for sanctions purposes, “digital currency” is a broad umbrella concept that includes sovereign cryptocurrencies issued by central banks, virtual currencies that are not legal tender, and digital representations of fiat currency such as tokenized dollars. Within that umbrella, OFAC defines “virtual currency” as a digital representation of value that functions as a medium of exchange, a unit of account, or a store of value, and that is not issued or guaranteed by any jurisdiction. This definition plainly encompasses decentralized cryptocurrencies like Bitcoin and Ethereum, as well as many tokens used in DeFi.

Crucially, OFAC emphasizes that its sanctions obligations apply to digital currency in the same way they apply to traditional assets. U.S. persons and others subject to U.S. jurisdiction—such as U.S. companies, U.S. citizens and permanent residents, and foreign entities operating in or through the United States—must ensure they do not engage in unauthorized transactions with persons on OFAC’s SDN List or other blocked parties, regardless of whether the value being transferred is in dollars, euros, or tokens. The fact that a payment is settled in USDT on Tron or BTC on a sidechain does not change the underlying legal prohibition on dealing with sanctioned persons.

OFAC’s public statements underscore that it intends to use sanctions in the fight against criminal and other malicious actors abusing digital currencies and emerging payment systems, complementing diplomatic outreach and traditional law enforcement tools. That means virtual currency businesses should expect the same type of sanctions exposure as banks and money services businesses if they facilitate prohibited activity, particularly where their products are being used by actors such as North Korean state‑sponsored hackers, Iranian Revolutionary Guard Corps affiliates, or Russian sanctions evaders. This expectation has now been tested and clarified through a growing series of enforcement actions targeting crypto infrastructure.

Blocking And Reporting Virtual Currency

OFAC’s virtual currency FAQs drill down into how blocking works in a digital asset context, particularly for intermediaries that hold or control wallets on behalf of customers. Once a U.S. person determines that it holds virtual currency that must be blocked under OFAC regulations, it must deny all parties access to that virtual currency and implement controls aligned with a risk‑based approach. In practice, that means custodial exchanges and wallet providers must freeze the wallet or specific balances, preventing withdrawals, transfers, or other operations, and ensure that the blocked virtual currency can only be unblocked and returned to its owner if OFAC authorizes it or if the underlying legal prohibition is lifted.

OFAC allows some flexibility in how virtual currency is held after blocking. For example, a virtual currency company that maintains multiple wallets in which a blocked person has an interest may either block each wallet individually or consolidate blocked balances into a single omnibus wallet, provided that there are controls in place to identify and track each owner’s interest and to ensure that unblocking, if ever permitted, is handled correctly. This reflects an effort to mirror longstanding practices in traditional banking, where blocked funds may be aggregated but remain segregated on the books for reporting and eventual disposition.

Notably, U.S. persons are not required to convert blocked virtual currency into traditional fiat currency such as U.S. dollars. They are also not required to hold such blocked property in an interest‑bearing account. Instead, the core obligation is to deny access to the funds and maintain accurate records. Blocked virtual currency must be reported to OFAC within 10 business days and then on an annual basis so long as it remains blocked. In line with broader OFAC practice, institutions may notify their customers that their digital assets have been blocked, and owners of blocked virtual currency may apply to OFAC for a license to have their property released. OFAC even points customers to its online application portal for such requests, signaling that blocked tokens are treated similarly to blocked bank deposits from a procedural standpoint.

For blockchain‑native businesses, these blocking and reporting rules raise operational questions that differ from traditional banking. Exchanges must be able to identify when a deposit originates from an SDN‑listed address, which often requires integrating blockchain analytics tools that can trace flows through mixers, cross‑chain bridges, and nested services. Stablecoin issuers must be able to associate blockchain addresses with real‑world owners when feasible, both to respond to law enforcement inquiries and to evaluate sanctions exposure. Wallet providers must understand whether they technically “hold” or “control” user assets in a way that triggers blocking obligations if users are added to the SDN List. OFAC’s separate sanctions compliance guidance for the virtual currency industry seeks to answer these practical challenges.

Sanctions Compliance Guidance For The Virtual Currency Industry

OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry provides a detailed blueprint for how exchanges, wallet providers, mining pools, validators, stablecoin issuers, and other crypto businesses should structure their sanctions compliance programs. Although the guidance is non‑binding, it reflects OFAC’s expectations and draws heavily on best practices from the banking sector. At a high level, the document encourages virtual currency companies to adopt a risk‑based approach, calibrating their controls to the nature of their products, customer base, and geographic exposure. A global exchange that offers leverage, spot trading, and cross‑chain swaps to users in dozens of countries plainly faces a different sanctions risk profile than a niche NFT marketplace with geofenced U.S. operations.

The guidance stresses the importance of screening customers and counterparties against OFAC lists at onboarding and on an ongoing basis, including during transactional monitoring. For crypto, screening cannot stop at names; it must extend to blockchain addresses and other identifiers associated with known sanctions targets. OFAC has increasingly published specific virtual currency addresses for designated individuals and entities, and expects U.S. persons to integrate these identifiers into their screening tools. Geolocation controls are also highlighted, particularly for restricting access from comprehensively sanctioned jurisdictions and regions such as Iran and North Korea. OFAC notes that IP address blocking, device fingerprinting, and other technical measures can play a role in preventing prohibited access.

The guidance further emphasizes internal governance and accountability. Crypto businesses are encouraged to appoint dedicated sanctions compliance officers, conduct regular risk assessments, implement internal controls such as policies and escalation procedures, and perform independent testing to ensure effectiveness. Employee training is also underscored, stressing that staff should understand how sanctions apply to virtual currency products and how to identify red flags that might indicate sanctions evasion, such as repeated use of mixers, rapid cross‑chain hops involving high‑risk jurisdictions, or sudden changes in behavioral patterns following a designation. These elements mirror the pillars of an effective compliance program in traditional finance and foreshadow what OFAC and FinCEN are now proposing to make mandatory for U.S. stablecoin issuers under the GENIUS Act.

Underlying all of this is a clear message: OFAC sees digital assets as part of the mainstream financial system and expects the sector to meet the same sanctions compliance standards as banks and broker‑dealers. The agency’s growing list of crypto‑specific enforcement actions illustrates that this is not mere rhetoric. From mixers and darknet marketplaces to cross‑border exchanges and state‑linked stablecoin infrastructure, OFAC has demonstrated a willingness to use sanctions aggressively against actors that it believes are helping sanctioned regimes or criminal organizations exploit crypto rails. A closer look at several high‑profile cases shows how these principles play out in practice.

0xpmm.eth

Apr 23, 2026

View article →

Tether freezes over $344M in USDT across two wallets after U.S. authorities flag unlawful activity, highlighting its cooperation with OFAC and law enforcement to block criminal use of its stablecoin.

tether.io • Apr 23, 2026

Top Comment

Benthic

Apr 23, 2026

Tether's blacklist() has been called hundreds of times on Ethereum and Tron — $344M is larger than average but structurally identical to every prior freeze. Post-GENIUS Act, OFAC cooperation is the price of the legal moat that keeps USDT accessible on U.S.-adjacent venues. Aave and Curve's USDT depth means a single Tether compliance decision can cascade through major Ethereum lending markets — a dependency DeFi still hasn't priced in.

Case Studies: What OFAC Action Looks Like In Crypto

Tornado Cash, Smart Contracts, And Legal Limits

OFAC’s designation of Tornado Cash, an Ethereum‑based mixer, was one of the most consequential sanctions actions in crypto to date, not only for its immediate compliance impact but also for the legal questions it raised about whether immutable smart contracts can be treated as “property” under IEEPA. In August 2022, OFAC sanctioned Tornado Cash, citing its use to launder more than 7 billion dollars’ worth of virtual currency since its creation in 2019. Treasury alleged that Tornado Cash had materially assisted cyber‑enabled activities originating outside the United States that posed significant threats to U.S. national security, foreign policy, or economic health, including large‑scale hacks attributed to the North Korean state‑sponsored Lazarus Group.

As with other sanctions actions, OFAC’s designation meant that all property and interests in property of Tornado Cash subject to U.S. jurisdiction were blocked, and U.S. persons were prohibited from conducting transactions with the protocol or any associated entities absent a license. Centralized exchanges responded by restricting deposits from and withdrawals to Tornado‑linked addresses, and developers with U.S. exposure scrambled to remove web frontends or GitHub repositories that could be interpreted as facilitating access. The action also triggered a debate about whether simply interacting with Tornado Cash—such as by using it once for privacy—could expose individuals to sanctions risk, and whether “dusting” attacks that sent trivial amounts of ETH from Tornado Cash to high‑profile addresses would create compliance headaches.

A group of Tornado Cash users, backed financially by Coinbase, challenged the designation in court, arguing that OFAC had exceeded its authority by sanctioning open‑source software rather than a person or property interest. While a district court initially sided with the government, the United States Court of Appeals for the Fifth Circuit issued a landmark decision on November 26, 2024, holding that OFAC had exceeded its statutory authority under IEEPA by treating Tornado Cash’s immutable smart contracts as property. The court reasoned that these contracts were not capable of being owned, controlled, or altered by any individual or entity and therefore did not fit within IEEPA’s definition of “property.” The ruling did not preclude OFAC from targeting associated entities or individuals, but it did limit the government’s ability to directly sanction autonomous code as if it were a person.

Following the Fifth Circuit’s decision, the Treasury Department withdrew the sanctions imposed on Tornado Cash, removing it from the SDN List in March 2025 and filing a notice of mootness in the district court. This withdrawal signaled that OFAC would comply with the appellate ruling and left Tornado Cash’s core smart contracts, as code, outside the scope of that particular sanctions action. However, the decision left important questions unresolved, including the extent to which OFAC could sanction DAOs, governance token holders, or developers who maintain some degree of control over otherwise decentralized protocols. It also did not prevent other forms of legal or regulatory pressure on privacy tools, such as criminal prosecutions or regulatory actions targeting frontends and custodial services.

The Tornado Cash episode also rippled through stablecoin issuers and infrastructure providers. Tether, for example, had historically been reluctant to freeze wallets that merely interacted with Tornado Cash, explaining that it had not received formal requests from U.S. law enforcement to freeze those addresses. Later, however, the company announced that it would freeze coins held in crypto wallets sanctioned by OFAC as a voluntary step to proactively prevent potential misuse of its tokens and enhance security measures. In that same initiative, Tether clarified that existing wallets on the SDN List would be frozen along with any new wallets added in the future, and blockchain records showed that Tornado Cash contract addresses were blacklisted as part of this effort. Even after OFAC’s withdrawal, the case remains a touchstone in debates about whether and how sanctions law can reach non‑custodial, smart‑contract‑based protocols.

Iran, Nobitex, And The $344 Million USDT Freeze

If Tornado Cash exemplifies OFAC’s experimentation at the frontier of code and sanctions, its actions against Iran’s crypto ecosystem illustrate a more traditional use of sanctions tools applied to new infrastructure layers. In recent years, OFAC has repeatedly targeted digital asset platforms and wallets linked to Iran’s government and to the Islamic Revolutionary Guard Corps (IRGC), reflecting concerns that crypto is helping Tehran access global markets despite extensive banking sanctions. These actions culminated in a series of enforcement layers that encompass sovereign reserves, exchange infrastructure, and domestic trading platforms.

In January 2026, OFAC designated Zedcex and Zedxion, which TRM Labs described as exchange‑branded stablecoin infrastructure with direct IRGC exposure and roughly one billion dollars routed through their platforms. In April, OFAC designated two wallets as property of Iran’s Central Bank, noting linkages to the IRGC‑Qods Force and Hezbollah, and U.S. authorities coordinated with Tether to freeze approximately 344 million USDT associated with those wallets. TRM Labs interpreted this freeze as targeting a structural layer of Iran’s crypto economy by locking down a significant chunk of the country’s sovereign digital reserves. On April 23, 2026, Tether publicly announced that it had supported the U.S. government in freezing more than 344 million USDT across two addresses following information from U.S. authorities about activity tied to unlawful conduct, preventing further movement of funds.

Tether’s statement emphasized that this freeze was part of its broader cooperation with law enforcement, highlighting that the company works with more than 340 law enforcement agencies in 65 countries and has supported over 2,300 cases globally, including more than 1,200 tied to U.S. authorities. The company reported that it had frozen more than 4.4 billion dollars in assets, including over 2.1 billion dollars connected to U.S. authorities. Tether framed this as evidence that public blockchains do not place funds “beyond reach,” because transactions can be traced, wallets can be flagged, and assets can be frozen before they move further. By combining blockchain transparency with real‑time monitoring and direct coordination with law enforcement, Tether argued it could stop funds before they are dispersed, positioning itself as a partner, rather than an adversary, to regulators.

In June 2026, OFAC escalated its focus on Iran’s domestic crypto markets by designating four Iranian digital asset exchanges—Nobitex, Bit Pin, Wallex, and Ramzinex—which together accounted for an estimated 78 percent of Iran’s 2025 digital asset trading volume. Nobitex, described by Treasury as Iran’s largest digital asset exchange, was accused of allowing regime insiders to access international digital asset exchanges and enabling sanctions evasion across numerous platforms. These designations, issued under counterterrorism and Iran-related authorities, built upon earlier actions and formed what TRM Labs characterized as three enforcement layers: sovereign reserves via the USDT freeze, IRGC‑linked exchange infrastructure through Zedcex and Zedxion, and the domestic exchange layer through Nobitex and its peers. The message to foreign exchanges and stablecoin issuers was clear: facilitating Iranian access to global crypto markets is now a direct sanctions risk.

The 344 million USDT freeze also gave rise to complex civil litigation in U.S. courts. Terrorism victims and their families, holding unpaid U.S. court judgments against Iran totaling billions of dollars, filed a motion in federal court in Manhattan seeking to compel Tether to transfer more than 344 million USDT tied to two OFAC‑blocked Tron wallet addresses linked to the IRGC. The plaintiffs argued that because U.S. authorities had already labeled the wallets as belonging to a sanctioned group, the assets inside those wallets were “blocked property” of Iran or its agencies and instrumentalities, subject to execution under federal terrorism‑enforcement statutes. The motion requested that the court order Tether to zero out the balances in the blocked wallets and reissue an equivalent amount of USDT to a wallet controlled by the judgment creditors, effectively treating the frozen tokens as attachable property to satisfy Iran’s debts.

In making their case, the plaintiffs highlighted Tether’s issuer‑level architecture, which allows it to freeze wallets, block transactions, and burn and reissue tokens at the smart contract level when required by law enforcement or sanctions rules. They cited prior cases in which Tether had transferred seized USDT to the U.S. government following an FBI warrant and an instance in which Tether burned tokens and reissued 4.34 million USDT to a law‑enforcement‑controlled wallet in Ohio after a seizure. The plaintiffs framed their request as targeting Iranian property interests in Tether’s custody, rather than Tether’s own corporate assets, and argued that Tether was legally obligated to turn over any property of a judgment debtor that it was capable of turning over. As of the time described in the sources, the case remained pending, underscoring how sanctions and private creditor actions can intersect in the stablecoin context and create novel legal questions about the status of frozen tokens.

North Korean IT Networks, Hacks, And Laundering

North Korea’s long‑running efforts to use cybercrime and crypto to fund its weapons programs have been a persistent focus of OFAC and blockchain analytics firms. In March 2026, OFAC sanctioned six individuals and two entities linked to North Korean government‑orchestrated IT worker fraud schemes that generated nearly 800 million dollars in 2024. According to analysis by Chainalysis, these schemes involved North Korean IT workers surreptitiously securing jobs with foreign companies, sometimes using false identities or forged documentation, and then funneling their earnings back to the Democratic People’s Republic of Korea (DPRK) to support its weapons of mass destruction and ballistic missile programs. Cryptocurrency played a central role in moving funds generated by these IT worker schemes back to North Korea while evading international financial controls, with the workers often paid in digital assets or using crypto to circumvent sanctions on banking channels.

OFAC’s designations targeted the networks that facilitated these operations, including front companies, recruiters, and payment channels used to launder and remit earnings. The action underscored OFAC’s view that crypto is not only used in headline‑grabbing hacks, but also in more routine revenue‑generating schemes that exploit the global gig economy and remote work. For exchanges and stablecoin issuers, the case highlighted the importance of identifying subtle patterns of activity—such as clusters of apparently unrelated freelancer accounts sending funds to common exit points—that might indicate state‑sponsored IT worker operations. It also served as a warning that failure to address such risks could lead to exposure if OFAC later determines that a platform was a key conduit for DPRK funds.

At the more dramatic end of the spectrum, OFAC and private researchers have closely tracked North Korean‑linked hacks of centralized exchanges and cross‑chain bridges. On February 21, 2025, for instance, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a major cyberattack attributed to North Korea. Subsequent analysis by TRM Labs and others traced the movement of stolen funds across chains and through various mixing and layering techniques, as the attackers attempted to cash out or re‑deploy funds without detection. In this context, mixers, cross‑chain protocols, and privacy tools functioned not as abstract cryptographic research, but as practical obfuscation layers in a state‑sponsored money laundering pipeline. OFAC’s sanctions against DPRK IT networks and related infrastructure signal that the agency sees crypto as a core battleground for enforcing international sanctions against Pyongyang.

The cumulative effect of these actions is to elevate North Korea‑related compliance risk for crypto businesses. Exchanges, OTC desks, and DeFi platforms that fail to implement robust screening for known DPRK‑linked addresses, or that ignore red flags such as repeated interaction with high‑risk smart contracts, may find themselves under scrutiny if OFAC concludes that they facilitated the movement of North Korean funds. On the other hand, firms that proactively cooperate with law enforcement, provide intelligence on suspicious patterns, and take steps to freeze or block suspected DPRK‑linked assets can position themselves as part of the solution, reducing the likelihood of being targeted in enforcement actions.

Russian Sanctions Evasion And Virtual Asset Platforms

Russia’s invasion of Ukraine and the ensuing wave of sanctions have also pushed OFAC to scrutinize the role of virtual assets in sanctions evasion. In one notable action, the Treasury Department sanctioned thirteen entities and two individuals for operating in the financial services and technology sectors of the Russian Federation’s economy, including persons developing or offering services in virtual assets that enable the evasion of U.S. sanctions. Five of the entities were designated for being owned or controlled by previously sanctioned persons, illustrating the application of the 50 percent rule to corporate structures in the crypto and fintech space.

Treasury’s press release explained that many of the individuals and entities designated had facilitated transactions or offered other services that helped OFAC‑designated entities evade sanctions, thereby undermining the international financial system’s efforts to constrain Russia’s war‑fighting capabilities. As a result of these designations, all property and interests in property of the targets that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC, and U.S. persons are generally prohibited from all transactions involving such property unless authorized. The action also reiterated that foreign financial institutions that conduct or facilitate significant transactions or provide other services involving Russia’s military‑industrial base risk being sanctioned themselves, underscoring the potential reach of secondary sanctions.

Research firms have noted that some Russian virtual asset services, such as platforms like Netex24 and Bitpapa, have historically transacted with Russian banks already subject to U.S. sanctions, suggesting a convergence between crypto rails and traditional financial channels in sanctions evasion schemes. While those specific details are drawn from investigative reporting rather than the text of sanctions orders, the broader pattern is consistent with OFAC’s message: virtual asset platforms that knowingly facilitate transactions for sanctioned Russian banks or entities are viable targets for designation. That reality has spurred many global exchanges to heighten their controls on Russian users, including tightening KYC, limiting certain services, or exiting the market altogether to avoid exposure to sanctions risk.

The Russia‑related sanctions also illustrate how OFAC can scale from micro‑level targeting of specific wallet addresses to macro‑level efforts to curtail an entire country’s use of the international financial system. In the crypto sphere, that means not only designating individual addresses tied to hacks or darknet markets, but also focusing on the platforms that provide liquidity, convert crypto to fiat, or serve as gateways between sanctioned economies and the rest of the world. As with Iran and North Korea, the core concern is that crypto can provide an alternative channel for sanctioned actors to move value in and out of the global economy. OFAC’s response has been to treat virtual asset platforms as part of the financial infrastructure that must either adopt robust controls or face the risk of being cut off from the U.S. market.

These case studies illustrate a few recurring themes in OFAC’s approach to crypto. First, the agency is willing to target both on‑chain infrastructure (mixers, wallet addresses) and off‑chain intermediaries (exchanges, payment processors). Second, it increasingly views stablecoins as a key choke point for sanctions enforcement, given their central role in cross‑border settlement and their typically centralized governance. Third, the legal boundaries of sanctions authority in the context of open‑source code and decentralized protocols remain contested, as shown by the Tornado Cash litigation. All of these threads converge in the emerging regulatory framework for U.S. stablecoin issuers.

Stablecoins, OFAC, And The Emerging GENIUS Regime

The GENIUS Act: A Federal Framework For Stablecoins

The Guiding and Establishing National Innovation for U.S. Stablecoins Act, or GENIUS Act, enacted in July 2025, represents the first comprehensive federal framework in the United States specifically focused on the issuance and regulation of payment stablecoins. While the Act itself addresses a range of topics—including reserve requirements, alignment of state and federal stablecoin laws, and clear redemption procedures—it also explicitly contemplates the need for robust anti‑money laundering (AML), countering the financing of terrorism (CFT), and sanctions compliance by stablecoin issuers. This reflects policymakers’ recognition that stablecoins have become a major component of global crypto markets and, increasingly, a bridge between the traditional financial system and on‑chain activity.

Under the GENIUS Act, entities that meet certain criteria to become “permitted payment stablecoin issuers” (PPSIs) are expected to be formed in the United States and to operate under federal oversight. While the Act enables a variety of institutional forms, ranging from depository institutions to specially authorized nonbank issuers, it treats PPSIs as systemically important payment intermediaries that must meet stringent safety, soundness, and consumer protection standards. Crucially, because PPSIs will be U.S. persons, they fall squarely under OFAC jurisdiction and are directly subject to U.S. economic sanctions laws, not just through secondary or extraterritorial effects.

From a sanctions perspective, the GENIUS Act set the stage for more detailed rulemaking by Treasury agencies. This has now materialized in the form of a joint proposed rule by the Financial Crimes Enforcement Network (FinCEN) and OFAC, which aims to implement the Act’s AML/CFT and sanctions compliance requirements for PPSIs. The proposal, announced on April 8, 2026 and published in the Federal Register on April 10, would explicitly bring PPSIs within the framework of the Bank Secrecy Act (BSA) and U.S. sanctions laws, treating them similarly to other financial institutions for compliance purposes. Public comments on the proposal are invited through June 9, 2026, with industry groups, banks, and crypto firms all weighing in on its implications.

The GENIUS regime thus formalizes a convergence that had already been emerging in practice: stablecoin issuers are no longer viewed merely as software projects or fintech startups, but as financial institutions that must maintain robust AML and sanctions controls comparable to those of banks. For a market that has long relied on stablecoins issued from offshore jurisdictions with varying degrees of transparency, this marks a significant regulatory shift.

The FinCEN–OFAC Joint Proposed Rule For Stablecoin Issuers

The joint proposed rule by FinCEN and OFAC lays out, in granular terms, what AML/CFT and sanctions compliance will mean for PPSIs. On the AML/CFT side, the proposal would require PPSIs to establish and maintain a written program reasonably designed to prevent the misuse of payment stablecoins for illicit finance. This program must include internal policies, procedures, and controls; ongoing customer due diligence and transaction monitoring; the filing of Suspicious Activity Reports (SARs) with FinCEN; independent testing to evaluate program effectiveness; designation of a qualified AML/CFT compliance officer located in the United States; and ongoing employee training tailored to the issuer’s risk profile. These requirements closely mirror existing BSA program obligations for banks and other financial institutions.

FinCEN has emphasized the importance of SAR reporting for payment stablecoins, highlighting that such reports are critical to law enforcement’s visibility into illicit finance risks involving these instruments. For stablecoin issuers, this means building or procuring capabilities to monitor on‑chain and off‑chain activity, identify red flags associated with money laundering, sanctions evasion, fraud, and other crimes, and submit detailed SARs that can inform investigations. Given the scale and velocity of stablecoin transactions, particularly in DeFi and cross‑exchange arbitrage, implementing effective monitoring will require sophisticated analytics and close integration with blockchain forensics tools.

On the sanctions side, the proposed rule would, for the first time, explicitly mandate that a specific category of U.S. persons—PPSIs—adopt and maintain an effective sanctions compliance program. As noted in the preamble to the proposal, this aspect of the GENIUS Act “represents the first time that Federal law has explicitly mandated that a particular U.S. person have an effective sanctions compliance program.” While many large financial institutions already maintain such programs, this statutory requirement is novel and underscores the degree to which Treasury views stablecoin issuers as systemically important actors in the sanctions landscape.

The proposed sanctions compliance program requirements would obligate PPSIs to implement policies, procedures, and internal controls designed to ensure compliance with U.S. economic sanctions laws administered by OFAC. This includes, among other things, screening customers and transactions against OFAC’s sanctions lists, monitoring for evasive behaviors such as attempts to circumvent geofencing or use nested intermediaries, and maintaining mechanisms to respond swiftly to new designations or changes in sanctions programs. PPSIs would also be required to retain records documenting their compliance efforts and make them available to regulators upon request, similar to other regulated financial institutions.

Industry responses, including those reflected in comment letters submitted by the Institute of International Bankers and anticipated submissions from venture firms and stablecoin issuers, have focused on issues such as the scope of the definition of PPSI, the interaction between federal and state regimes, and the potential competitive impact on non‑U.S. stablecoin issuers. Some commenters have urged Treasury to consider proportional requirements based on issuer size and complexity, and to clarify how the rules would apply to hybrid arrangements where a U.S. entity issues a stablecoin that is widely used in non‑U.S. markets. Others have raised questions about how these obligations might interact with decentralized or open‑source stablecoin designs that lack traditional corporate structures.

Technical Controls: Blocking, Freezing, Burning, And Rejecting

Perhaps the most technically consequential aspect of the proposed rule is its requirement that PPSIs possess specific capabilities to control the movement of their stablecoins in order to comply with sanctions and law enforcement orders. According to the proposal, PPSIs must have technical capabilities to block, freeze, and reject transactions involving sanctioned persons or jurisdictions, and to “seize, freeze, burn, or prevent the transfer of payment stablecoins” they have issued when necessary to comply with a lawful order. In other words, an issuer cannot simply claim that its tokens are beyond its control; it must design the stablecoin system so that it can intervene when required.

The proposal acknowledges that such intervention should be grounded in a standard of “reasonable particularity.” PPSIs would be required to seize, freeze, or otherwise restrict a stablecoin or wallet only if it can be identified with reasonable particularity as being subject to sanctions or a lawful order. This standard is intended to strike a balance between enabling effective enforcement and avoiding overbroad freezes based on tenuous or speculative associations. It also recognizes that while blockchain analytics can provide powerful insights, tracing complex transaction chains with absolute certainty is not always possible.

In practice, the technical controls contemplated by the rule align with the capabilities that many centralized stablecoin issuers already possess. Smart contracts for tokens like USDT and USDC typically include administrative functions that allow the issuer to blacklist addresses, freeze balances, or even destroy and re‑mint tokens. Tether, for instance, has demonstrated these capabilities by freezing USDT associated with OFAC‑designated wallet addresses and, in some cases, burning tokens and reissuing them to law enforcement‑controlled wallets after seizures. Tether has also indicated that it can respond in real time to law enforcement requests, leveraging blockchain transparency to track and immobilize funds before they move further.

From a design perspective, the GENIUS proposal effectively enshrines these types of control functions as regulatory expectations for U.S. PPSIs. Stablecoins that lack such controls—for example, fully decentralized protocols that cannot freeze or blacklist specific addresses at the contract level—would face significant hurdles in qualifying as PPSIs, given that they would be unable to meet the requirement to “seize, freeze, burn, or prevent the transfer” of tokens in response to lawful orders. This does not mean such projects are illegal, but it does suggest they may be excluded from the regulatory category of permitted U.S. payment stablecoins, limiting their ability to be used in certain regulated contexts such as bank‑integrated payment systems or large U.S. financial institutions.

For developers and architects, this raises fundamental tradeoffs. Embedding issuer controls can facilitate compliance and integration with regulated institutions but may undermine claims of censorship resistance and decentralization. Conversely, avoiding such controls may preserve some aspects of permissionless design but restrict the project’s ability to operate in mainstream U.S. markets and make it more vulnerable to ad hoc enforcement. The Tether experience shows that even non‑U.S. issuers face pressure to implement robust controls if they want to engage with U.S. authorities and retain listings on exchanges that are themselves subject to OFAC’s jurisdiction.

Tether, OFAC, And The Politics Of Proactive Freezes

Tether’s evolving relationship with sanctions enforcement offers a real‑world illustration of how stablecoin issuers are navigating these tradeoffs. Historically, Tether had frozen funds related to unlawful activity on a case‑by‑case basis, often in response to specific law enforcement requests tied to hacks, fraud schemes, or other crimes. At the same time, the company had been reluctant to freeze wallets that merely interacted with sanctioned protocols like Tornado Cash, stating that it had not received direct requests from U.S. law enforcement to do so and expressing concerns about overstepping or unfairly penalizing users.

That posture shifted when Tether announced that it had frozen all coins held in crypto wallets sanctioned by OFAC, describing the move as a voluntary step to proactively prevent potential misuse of Tether tokens and enhance security measures. Tether framed this as aligning with its commitment to maintaining high safety standards and strengthening its working relationship with global law enforcement and regulators. In its statement, the company emphasized that it would freeze existing wallets on the SDN List as well as any new wallets added in the future, effectively implementing a rolling compliance mechanism that tracks OFAC’s updates. Following the announcement, blockchain records showed that Tether blacklisted Tornado Cash contract addresses, signaling a more aggressive approach to sanctions compliance even where legal obligations were contested or evolving.

Tether’s subsequent cooperation in freezing the 344 million USDT linked to Iran’s Central Bank and IRGC‑associated wallets further underscored this proactive stance. The company highlighted its work with more than 340 law enforcement agencies in 65 countries, its role in supporting over 2,300 cases globally, and its contributions to freezing more than 4.4 billion dollars in assets, including over 2.1 billion dollars connected to U.S. authorities. The U.S. Department of Justice has acknowledged Tether’s assistance in enforcement actions that resulted in the seizure of tens of millions of dollars tied to criminal schemes, such as so‑called “pig butchering” frauds. For regulators, this cooperation demonstrates that centralized stablecoins can be powerful tools for asset recovery and sanctions enforcement when issuers and authorities work together.

At the same time, Tether’s growing role as a sanctions and law‑enforcement partner has attracted political and legal scrutiny. The lawsuit brought by terrorism victims seeking to compel Tether to transfer frozen USDT to satisfy judgments against Iran highlights the potential for private parties to view stablecoin issuers as custodians of state‑linked assets rather than as neutral service providers. The case raises difficult questions about how blocked property should be handled when multiple claimants—including governments, victims, and other creditors—have potential legal interests, and about the extent to which stablecoin issuers can or must take sides in geopolitical disputes. As OFAC and the courts wrestle with these issues, stablecoin issuers face the challenge of balancing regulatory cooperation with a desire to maintain some degree of neutrality and predictability for users.

Licensed Use Cases And Humanitarian Carve‑Outs

While much of the public discussion around OFAC and crypto focuses on designations and freezes, an important part of OFAC’s toolkit involves granting licenses that authorize certain types of transactions that would otherwise be prohibited. These can take the form of general licenses, which allow broad categories of activity, or specific licenses, which allow a particular person or entity to transact under defined conditions. In the crypto context, licensing has emerged as a way to enable humanitarian aid, remittances, and limited financial services in sanctioned jurisdictions without materially benefiting sanctioned regimes.

OFAC’s virtual currency FAQs note that owners of blocked virtual currency can apply for licenses to have their assets unblocked and released, and that institutions can notify customers of blocking actions to facilitate such applications. That same mechanism can be used by projects seeking to operate in or serve users in sanctioned countries for legitimate purposes, such as humanitarian projects, diaspora remittances, or technology services exempt from comprehensive sanctions. For example, stablecoin‑based payment protocols have sought and, in some cases, obtained OFAC authorization to operate in heavily sanctioned economies like Venezuela, enabling dollar‑denominated transactions that bypass dysfunctional local banking systems while staying within the confines of U.S. sanctions policy.

These licensed operations are not without risk or controversy. Critics worry that even well‑intentioned projects can inadvertently provide sanctioned regimes with new channels for evasion or surveillance. Proponents argue that carefully structured, OFAC‑licensed crypto systems can provide life‑saving access to stable value and cross‑border payments in places where traditional banks have collapsed or disengaged. From OFAC’s perspective, licensing allows it to calibrate sanctions, minimizing harm to civilians while maintaining pressure on regimes, and to gather data on the practical impact of sanctions in digital contexts. For crypto builders, pursuing a license is a complex path but can offer a way to operate in high‑risk jurisdictions without running afoul of sanctions law.

The emerging GENIUS regime will likely interact with licensing in intricate ways. PPSIs seeking to serve users in sanctioned jurisdictions for humanitarian purposes may need to structure their operations carefully, combine strong KYC and analytics with narrow use‑case definitions, and work closely with OFAC to ensure that licensed activity does not spill over into broader sanctions evasion. These dynamics again highlight that for stablecoin issuers, sanctions risk is not just a matter of defensive compliance, but also a potential competitive and strategic factor in designing products, choosing markets, and structuring governance.

0xpmm.eth

Aug 27, 2025

View article →

OFAC hit Russian national Vitaliy Sergeyevich Andreyev, a North Korean individual, and two entities, for enabling DPRK-linked fraud. Elliptic data show Andreyev’s sanctioned Bitcoin address received over $600K tied to the 2023 Atomic Wallet hack, with cross-chain layering used for obfuscation.

elliptic.co • Aug 27, 2025

Compliance In Practice For Crypto And DeFi

Who Is In OFAC’s Crosshairs?

The enforcement actions described above illustrate the categories of crypto actors that attract OFAC’s attention. Centralized exchanges are obvious targets, as they serve as gateways between fiat currencies and digital assets and often hold customer funds in custodial wallets. Domestic exchanges in sanctioned countries, such as Iran’s Nobitex, Bit Pin, Wallex, and Ramzinex, have been designated where OFAC concluded they were enabling regime insiders or sanctioned entities to access international digital asset markets and evade economic restrictions. Offshore exchanges that actively solicit business from sanctioned jurisdictions or that process large volumes for sanctioned banks or entities may also face designation or secondary sanctions risk.

Stablecoin issuers occupy a central position in this landscape. As the GENIUS Act and the proposed FinCEN–OFAC rule make clear, PPSIs are expected to operate with bank‑like compliance programs and technical controls that allow them to block and freeze tokens when necessary. Even before GENIUS, issuers like Tether voluntarily adopted sanctions screening and freeze capabilities aligned with OFAC guidance, recognizing that failure to do so could threaten their relationships with exchanges and banks that must themselves comply with U.S. sanctions. As stablecoins become integral to DeFi liquidity, cross‑exchange arbitrage, and cross‑border remittances, issuers’ compliance choices can influence the entire ecosystem’s exposure to sanctions risk.

Other crypto intermediaries, such as custodial wallet providers, payment processors, and OTC desks, also fall within OFAC’s focus. These entities may not issue tokens, but they hold or transmit value on behalf of clients and therefore have obligations to block and report property associated with sanctioned parties. Darknet markets and mixing services that facilitate the laundering of ransomware proceeds, hack revenues, or other criminal funds have already faced sanctions, as in the case of mixers like Blender.io and Tornado Cash. Cross‑chain bridges and protocols that provide liquidity for funds moving out of sanctioned jurisdictions or from hacks tied to sanctioned entities are increasingly scrutinized by analytics firms and, by extension, by regulators.

Even actors closer to the infrastructure layer, such as mining pools and validators, are not entirely insulated. While OFAC has not, to date, imposed broad sanctions on miners or validators merely for processing blocks that include sanctioned transactions, discussions within the community reflect concern that if a chain’s activity becomes dominated by sanctions‑related laundering, validators could face pressure to take preventive action to avoid the risk of chain‑level sanctions. Researchers have raised scenarios in which more than 80 percent of a chain’s volume appears linked to state‑sponsored money laundering, suggesting that in such extreme cases, neutral processing might no longer be a viable defense. Although these concerns remain largely hypothetical, they underscore the extent to which sanctions considerations are penetrating even the lowest levels of blockchain ecosystems.

Core Obligations For Crypto Businesses

For crypto businesses subject to U.S. jurisdiction, the core sanctions obligations are conceptually simple but operationally complex. U.S. persons—including U.S. entities, their foreign branches, and individuals who are U.S. citizens or permanent residents—must ensure that they do not engage in unauthorized transactions with persons on OFAC’s SDN List or with other blocked parties, including entities owned 50 percent or more by one or more SDNs. They must also block any property and interests in property of such persons that come within their possession or control and report those blocked assets to OFAC within prescribed time frames. These obligations apply regardless of whether the property involved is a bank deposit, a security, or a balance of virtual currency in a custodial wallet.

Implementing these obligations in a crypto context requires robust sanctions screening and monitoring. Exchanges and custodians must screen customer information against OFAC lists at onboarding and on an ongoing basis, as well as monitor deposits and withdrawals for interaction with OFAC‑listed wallet addresses. Stablecoin issuers must similarly screen redemption requests, blacklisted addresses, and on‑chain activity relevant to their tokens. When a U.S. virtual currency company determines that it holds virtual currency in which a blocked person has an interest, it must deny all parties access to that virtual currency and implement controls to ensure that the tokens remain blocked absent OFAC authorization or a change in the underlying sanctions program. This may involve freezing individual wallets or consolidating blocked balances into omnibus wallets, provided that the issuer or custodian can still associate each portion of the blocked assets with the correct owner.

Reporting obligations are equally important. Blocked virtual currency must be reported to OFAC within 10 business days of the blocking action and annually thereafter for as long as it remains blocked. If a business believes that a transaction may involve a sanctioned person but is not certain, it may need to seek guidance from OFAC or, in some cases, file a voluntary self‑disclosure if it discovers that a prohibited transaction has already occurred. Parallel obligations under the BSA may require filing SARs with FinCEN when transactions appear to involve sanctions evasion, money laundering, or other criminal activity. The GENIUS proposal would formalize these SAR obligations for PPSIs, reinforcing the expectation that stablecoin issuers will play an active role in detecting and reporting suspicious activity.

For non‑U.S. crypto businesses, the picture is more nuanced. While they may not be directly subject to U.S. jurisdiction in all cases, they can still be affected by secondary sanctions, correspondent banking relationships, and their interactions with U.S. persons or U.S. dollar clearing systems. Many non‑U.S. exchanges and service providers therefore adopt OFAC‑aligned screening and blocking policies as a matter of risk management, even where local law does not explicitly require it. Failure to do so can result in loss of banking relationships, de‑listing of tokens from U.S. exchanges, or, in extreme cases, designation by OFAC, as seen with Iranian exchanges and Russian virtual asset platforms.

DeFi, Non‑Custodial Services, And The Question Of Control

One of the most challenging areas for sanctions compliance lies in decentralized finance (DeFi) and other non‑custodial services. In these systems, users typically retain direct control over their funds via private keys, and smart contracts execute transactions automatically without ongoing intervention by identifiable intermediaries. This raises the question of who, if anyone, can be held responsible for blocking or reporting property associated with sanctioned persons.

The Tornado Cash litigation sheds some light on this issue but leaves many questions open. The Fifth Circuit’s ruling held that Tornado Cash’s immutable smart contracts were not “property” capable of being owned or controlled and therefore could not themselves be designated under IEEPA as property of a foreign person. However, the court did not decide whether entities such as the Tornado Cash DAO, developers, or governance token holders might themselves be considered “persons” subject to sanctions if they were found to be materially assisting sanctioned activities. Nor did the decision restrict OFAC’s ability to target web frontends, user interfaces, or other ancillary services that make interacting with smart contracts easier but that are operated by identifiable legal entities or individuals.

For DeFi projects, this means the extent of sanctions exposure may depend on governance and design choices. Protocols that are truly immutable and lack administrative keys or centralized control points may be harder for OFAC to directly regulate as property, but public interfaces and surrounding infrastructure may still be vulnerable. Projects that retain “pause” functions, upgradeable contracts, or other forms of admin control may find that regulators expect them to use those powers to block or restrict access by sanctioned parties. In stablecoin‑centric DeFi, protocols that integrate tokens issued by regulated PPSIs may inherit some sanctions risk indirectly, as issuers may pressure protocols to assist with blocking or reporting where feasible.

Validators and miners occupy a somewhat different position. At present, OFAC has not imposed broad obligations on miners or validators to screen transactions before including them in blocks, and consensus norms generally treat block producers as neutral record keepers. However, as concerns grow about chains becoming dominated by sanctions‑related flows—such as those associated with North Korean hacking or other state‑sponsored money laundering—some voices in the community have suggested that validators may eventually need to consider excluding certain transactions to avoid the possibility of chain‑wide sanctions. While this remains speculative, the mere fact that such discussions are occurring illustrates how deeply sanctions considerations are starting to percolate through the crypto ecosystem.

Global Spillovers And Secondary Sanctions

OFAC’s influence extends far beyond U.S. borders, and the crypto sector offers a clear example of how secondary sanctions and reputational risk can shape global behavior. Foreign exchanges that maintain accounts or process transactions for sanctioned entities, such as Iranian state‑linked institutions or Russian banks, may find themselves at risk of designation or loss of access to U.S. dollar clearing. As Treasury’s Russia‑related actions make clear, foreign financial institutions that provide significant services to Russia’s military‑industrial base face the possibility of being sanctioned themselves, potentially cutting them off from much of the international financial system.

In crypto, this dynamic has led many non‑U.S. platforms to adopt OFAC‑compliant policies even when operating in jurisdictions that have not formally implemented the same sanctions. Exchanges that initially saw an opportunity in serving users from sanctioned countries have, in many cases, reconsidered after facing scrutiny from regulators, loss of correspondent banking relationships, or de‑risking by key partners. Stablecoin issuers, too, must consider the global reach of U.S. sanctions when deciding where to list, which markets to serve, and how to configure their technical controls. A non‑U.S. issuer that becomes a key liquidity provider for sanctioned regimes may attract OFAC’s attention even if it is nominally outside U.S. jurisdiction.

At the same time, other jurisdictions are developing their own sanctions and AML frameworks for crypto, sometimes aligning with OFAC and sometimes diverging. The result is an increasingly complex global patchwork in which crypto businesses must navigate overlapping and sometimes conflicting obligations. In many cases, aligning with the strictest applicable standard—often OFAC’s—becomes the default risk‑minimization strategy, particularly for firms that desire access to U.S. markets or U.S. dollar liquidity. For a sector that has long prized jurisdictional arbitrage and regulatory competition, this convergence on sanctions compliance standards is a notable development.

Debate And Design Choices: Censorship, Privacy, And Innovation

Code As Speech Versus Sanctions Power

OFAC’s actions have fueled intense debates about the boundaries between code, speech, and economic regulation. Advocates of permissionless innovation argue that writing and publishing open‑source smart contracts should be treated as protected expression, and that punishing developers for how others use their code risks chilling beneficial innovation. In the Tornado Cash case, for instance, some users argued that they relied on the mixer for legitimate privacy needs, such as protecting salary payments or political donations from public scrutiny, and that sanctioning the protocol indiscriminately punished law‑abiding users alongside criminals.

OFAC, for its part, has emphasized the real harms associated with mixers used to launder billions of dollars in stolen funds, including proceeds from high‑profile hacks and state‑sponsored cyber operations. Treasury has argued that when a service is repeatedly used to facilitate significant threats to U.S. national security and economic stability, and when its operators fail to implement adequate controls, sanctions are an appropriate tool to disrupt that service. The challenge lies in drawing lines in a space where protocols can be forked, interfaces can be replicated, and users can interact with contracts directly without centralized intermediaries.

The Fifth Circuit’s decision in the Tornado Cash litigation provides an important but narrow precedent. By holding that immutable smart contracts are not “property” that can be owned or controlled, the court limited OFAC’s ability to treat such code as the target of sanctions under IEEPA. However, the ruling did not categorically bar sanctions related to decentralized protocols; it simply required OFAC to identify a proper target, such as a person or entity with a property interest, and to ensure that designations comport with statutory limits. Future cases will likely further refine the interplay between sanctions law and open‑source software, particularly as protocols experiment with new forms of governance and control that blur the lines between centralized and decentralized models.

Privacy Tools, Mixers, And Layered Solutions

Beyond Tornado Cash, the broader category of privacy‑enhancing technologies in crypto—including mixers, coinjoin services, privacy‑focused blockchains, and layer‑2 solutions—faces uncertain regulatory terrain. On one hand, privacy is a legitimate and often vital objective, particularly for users in repressive regimes, journalists, activists, and businesses seeking to protect trade secrets. On the other hand, the same tools are attractive to criminals and sanctioned entities seeking to obscure their activity, as evidenced by North Korean hackers’ repeated use of mixers and cross‑chain protocols to launder stolen funds.

OFAC has so far taken a targeted approach, focusing on services that it believes are heavily used for illicit purposes and whose operators have not implemented adequate controls. At the same time, its public statements suggest that it views sanctions as one tool among many, and that law enforcement actions, diplomatic pressure, and international cooperation remain crucial in combating illicit finance. This leaves room for the development of privacy‑preserving tools that incorporate compliance‑enabling features, such as selective disclosure mechanisms or zero‑knowledge proofs that allow institutions to verify compliance without gaining full visibility into user activity.

For builders, the design challenge is to reconcile user privacy with regulatory expectations. One direction involves creating “regulated privacy” solutions, in which use is restricted to KYC‑verified participants and compliance checks can be performed under defined circumstances. Another involves building non‑custodial tools that minimize reliance on centralized intermediaries while still providing points of interaction where regulated entities can perform screening and monitoring. The tensions are unlikely to disappear, but as more projects engage with OFAC and other regulators early in their design process, it may be possible to develop frameworks that preserve meaningful privacy while mitigating the most serious risks of sanctions evasion and large‑scale money laundering.

Stablecoin Design: Centralized Versus Decentralized

Stablecoins sit at the heart of many OFAC‑related debates because they combine high utility for legitimate users with high potential for misuse by sanctioned actors. Centralized fiat‑backed stablecoins, such as USDT and others, are typically issued and redeemed by identifiable entities that control off‑chain reserves and on‑chain token contracts. This centralized structure makes them attractive to regulators, because issuers can be required—or persuaded—to implement sanctions controls, freeze or burn tokens, and cooperate with law enforcement, as seen in Tether’s work with U.S. authorities. The GENIUS Act and the proposed FinCEN–OFAC rule effectively embrace this model for PPSIs, embedding issuer control as a prerequisite for regulatory approval.

Decentralized stablecoins, by contrast, often rely on algorithmic mechanisms, overcollateralized debt positions, or other on‑chain structures without centralized custodians or admin keys. In their purest form, such systems lack a single entity capable of freezing tokens or blocking transfers. This presents a challenge for sanctions enforcement: while addresses controlled by sanctioned persons can still be added to the SDN List, there may be no issuer or custodian capable of blocking the tokens themselves. As a result, decentralized stablecoins may face greater barriers to integration with regulated financial institutions and may be viewed with suspicion by policymakers focused on sanctions and systemic risk.

The GENIUS regime does not outlaw decentralized stablecoins, but it delineates a category of “permitted payment stablecoins” that are expected to meet specific control and compliance standards. For developers, this raises strategic questions. Some may choose to build fully decentralized stablecoins that prioritize censorship resistance and accept a more limited role in regulated markets. Others may adopt hybrid models with governance structures that allow for certain compliance interventions while preserving decentralized aspects in other dimensions. The choices made in the next several years will shape not only individual projects, but also the broader distribution of power between centralized and decentralized monetary infrastructures in crypto.

Industry Engagement And The Rulemaking Process

As OFAC and FinCEN move from ad hoc enforcement toward more structured regulation of stablecoins and other crypto services, industry engagement has intensified. Traditional financial sector groups, such as the Institute of International Bankers, have submitted comment letters on the proposed GENIUS rule, reflecting concerns about how stablecoin issuers will be supervised, how obligations will align with existing bank compliance frameworks, and how cross‑border operations will be handled. Crypto‑native firms, venture investors, and advocacy organizations are similarly weighing in, emphasizing the need for clarity, proportionality, and flexibility to accommodate innovation.

One key theme in these discussions is the importance of recognizing technological realities. Commenters have urged regulators to account for differences between custodial and non‑custodial models, to avoid imposing obligations that are technically impossible for decentralized protocols to meet, and to clarify the circumstances under which indirect exposure to sanctioned addresses—for example, through protocol‑level liquidity pools—creates obligations for intermediaries. Another theme is the need to avoid driving activity into less regulated jurisdictions or into opaque channels by imposing overly burdensome requirements on compliant actors. Regulators, for their part, have signaled a willingness to engage with industry but have also emphasized their commitment to preventing the misuse of stablecoins and other digital assets for illicit finance.

For the crypto sector, engaging constructively with OFAC and FinCEN has shifted from a defensive posture to a strategic necessity. Firms that can help shape practical, technologically informed regulations may gain a competitive advantage, both by reducing regulatory uncertainty and by influencing how compliance expectations are operationalized. Conversely, projects that ignore the rulemaking process or treat sanctions as someone else’s problem may find themselves struggling to adapt when final rules are issued or when enforcement actions cascade through the ecosystem.

Conclusion

OFAC’s role in the crypto ecosystem has evolved from a peripheral concern to a central force shaping how digital assets are designed, traded, and used across borders. As the U.S. government’s primary sanctions authority, OFAC brings to bear decades of experience in using economic tools to pursue foreign policy and national security objectives. Its extension of these tools into the realm of cryptocurrencies and stablecoins reflects both the growing importance of digital assets in global finance and the real risks posed by their misuse by sanctioned regimes, terrorist organizations, and criminal enterprises.

The agency’s actions—from sanctioning mixers like Tornado Cash and Blender.io, to targeting Iranian and Russian exchanges, to pursuing North Korean IT worker networks that rely on crypto—illustrate a pragmatic, if sometimes controversial, approach that focuses on points of leverage in the digital asset ecosystem. These include centralized exchanges, domestic platforms in sanctioned jurisdictions, stablecoin issuers, and, in some cases, smart‑contract‑based services that play central roles in laundering operations. At the same time, litigation such as the Tornado Cash case has demonstrated that there are legal limits to how far sanctions law can be stretched to encompass autonomous code, at least under existing statutory frameworks.

The emergence of the GENIUS Act and the joint FinCEN–OFAC rulemaking for permitted payment stablecoin issuers marks a new phase in this evolution. Stablecoin issuers are now poised to be treated explicitly as financial institutions under the BSA and U.S. sanctions laws, with bank‑like obligations to implement AML/CFT programs, file SARs, and maintain effective sanctions compliance programs. Technical requirements to block, freeze, burn, and otherwise control tokens in response to lawful orders are being codified, turning design choices that many issuers already made for operational reasons into legal mandates. This will likely accelerate the divergence between highly regulated, centralized stablecoins integrated into mainstream finance and more decentralized alternatives operating at the edges of regulatory tolerance.

For crypto businesses and users, the practical implications are clear. Sanctions compliance is no longer optional for any actor that touches U.S. persons, the U.S. financial system, or major centralized stablecoins. Exchanges, wallets, DeFi frontends, and infrastructure providers must build sanctions screening and blocking into their core operations, leveraging blockchain analytics and legal expertise to manage risk. Stablecoin issuers must prepare for a world in which detailed AML and sanctions compliance programs are a condition of market access, not a differentiator. Developers of privacy tools and decentralized protocols must grapple with how to preserve user rights and censorship resistance while respecting legal constraints and avoiding association with large‑scale criminal or state‑sponsored abuses.

At the same time, OFAC’s expanding engagement with crypto offers opportunities. Public blockchains, as Tether and analytics firms have emphasized, provide a level of transparency and traceability that cash does not, enabling law enforcement to follow flows, freeze assets, and disrupt illicit networks in new ways. Licensing mechanisms allow carefully designed crypto projects to deliver valuable services in sanctioned jurisdictions under controlled conditions, potentially mitigating humanitarian harm and supporting policy objectives. Industry participation in rulemaking can help ensure that regulations are technologically informed and proportional, reducing the risk of unintended consequences or mass de‑risking.

In this landscape, staying informed about OFAC developments is essential for anyone seriously engaged with crypto. The specifics of sanctions programs will continue to evolve, new targets will be designated, and court decisions will refine the boundaries of regulatory authority. But the underlying trajectory is clear: sanctions risk is now a permanent feature of the digital asset environment, and navigating it effectively will be a decisive factor in which projects thrive, which falter, and how the broader relationship between crypto and the global financial system unfolds.

Outlook

Looking ahead, three dynamics are likely to define OFAC’s relationship with crypto. First, the implementation of the GENIUS Act’s AML and sanctions provisions for stablecoin issuers will reshape the stablecoin landscape, clarifying which issuers can operate as fully regulated PPSIs and which will remain outside that perimeter. As final rules emerge and supervisory expectations crystallize, we can expect further consolidation around issuers with the resources and willingness to build bank‑grade compliance, even as alternative stablecoins experiment with more decentralized or jurisdictionally diverse models.

Second, OFAC will continue to refine its enforcement strategy in response to evolving threats. State actors such as Iran, North Korea, and Russia are unlikely to abandon their use of crypto for sanctions evasion and cyber operations, and criminal groups will keep exploiting new protocols, bridges, and privacy tools. This will drive ongoing designations of wallet addresses, exchanges, and infrastructure providers, as well as increased cooperation with analytics firms and foreign regulators. Successive enforcement waves—like the layered approach to Iran’s crypto ecosystem—may become a template for tackling other state‑linked crypto networks.

Third, the legal and philosophical debates that surfaced in the Tornado Cash case will continue, as courts, regulators, and developers grapple with how sanctions law applies to decentralized systems and open‑source code. Future litigation and rulemaking may provide more clarity on the liability of DAOs, governance participants, and protocol developers, and on the expectations placed on validators and other infrastructure operators. The balance struck between preserving the core values of decentralization and accommodating legitimate national security concerns will be a defining issue for crypto’s next decade.

For now, the message for the crypto industry is straightforward. OFAC is not going away, and neither are stablecoins, DeFi, or cross‑border digital asset flows. Building with sanctions compliance in mind—rather than treating it as an afterthought—will be essential not only for avoiding penalties, but also for gaining the trust of users, partners, and regulators in an increasingly interconnected financial system.