Sanctions activity impacting the crypto space has gone into overdrive. The US, EU, UK and other countries imposed major financial and trade sanctions on Russia following its attack on Ukraine. While there has not been evidence of widespread sanctions evasion by Russia using crypto, there are indications that it is exploring avenues such as crypto mining to generate revenue.

According to the Elliptic report Sanctions Compliance in Cryptocurrencies, this led the US Treasury’s Office of Foreign Assets Control (OFAC) to sanction the Russian mining service BitRiver. Russian paramilitary groups fighting in Ukraine have also fundraised using crypto.

Sanctions have been directed increasingly at mixing services such as Blender and Tornado Cash, which the US Treasury sanctioned last year for facilitating North Korean money laundering.

Sanctions authorities in the US and UK have also been training their sights on the ransomware ecosystem in an effort to hit back at ransomware gangs (see How Much Are Crypto Criminals Laundering Using Blockchain Technology?).


Enforcement for crypto-related breaches of sanctions rules is also heating up, as was demonstrated by the seven-figure US Treasury settlement last year with the Bittrex crypto exchange for apparent violations of sanctions involving countries such as Iran.

Amid this rapidly evolving sanctions landscape, it is critical that cryptoasset businesses and financial institutions consider the impact on their compliance operations.

They should also proactively take steps and immediately implement available compliance solutions to mitigate the significant risks involved.

Cryptoasset businesses and financial institutions must prepare for an ever-tightening sanctions compliance environment. Those that fail to take appropriate steps now could find themselves in regulators’ crosshairs, risking large fines or penalties.

Avoiding dealings with crypto addresses controlled by sanctioned entities and countries should be a top priority for any crypto business or financial institution.

5 Key Steps to Solve Crypto Sanctions Compliance


Elliptic takes a look at five key steps your team can take to navigate the emerging challenge of cryptocurrency sanctions compliance with success.

  1. Deploying Effective Blockchain Monitoring Solutions and Leveraging Holistic Screening

Have you deployed blockchain monitoring solutions that rely on best-in-class data? Do you conduct pre-transaction wallet screening to prevent interactions with prohibited addresses? Can you identify sanctions risks involving cross-chain and cross-asset services?

  2. Managing Your Country Risk Exposure

Are you able to identify more subtle signs of sanctions risks, such as potential exposure to entities located in or near sanctioned jurisdictions?

  3. Knowing the Red Flags

In addition to geographical risk indicators, are your staff aware of red flags and suspicious indicators of high-risk activity that may carry sanctions risks?

  4. Defining Your Investigative Strategy

Where risks have been identified, are you equipped to investigate potential sanctions breaches and report them to the appropriate authorities?

  5. Embedding a Comprehensive Risk Management Framework

Have you conducted a sanctions risk assessment to measure your overall level of risk exposure, and have you designed the processes and procedures necessary to mitigate that risk? Has your compliance team undergone the appropriate training needed to identify sanctions risks and ensure compliance?

Deploying Effective Blockchain Monitoring Solutions and Leveraging Holistic Screening


Avoiding exposure to sanctioned entities and individuals that use cryptocurrencies requires having the right technical solutions in place (see Blockchain Technologies for Cryptocurrencies).

Correctly utilizing the solutions can enable you to engage in efficient risk-based monitoring and to detect potential connections to sanctioned parties with confidence.

There are two essential components of blockchain analytics that any compliance team should have in place if it wants to be compliant with sanctions requirements:

  • Pre-transaction wallet screening.
  • Post-transaction screening to determine the ultimate source and destination of funds.

Screening destination crypto addresses prior to allowing customers to withdraw funds is critical to ensuring that you don’t make funds available to a sanctioned person or jurisdiction. Monitoring fund flows on an ongoing basis is critical for identifying attempted sanctions evasion among your customers’ transactions (see Why not require crypto projects to get special insurance after FTX crush?).

Elliptic’s data set contains crypto addresses belonging to individuals and entities on global sanctions lists, as well as information about exchanges and other entities using crypto in jurisdictions such as Iran, North Korea and Russia.

Screening customer wallets and transactions against these addresses can prevent a crypto business or financial institution from facilitating a prohibited transaction.

It is also critical that any blockchain analytics capabilities that a compliance team uses enable them to detect risks involving cross-chain and cross-asset services.

Cross-chain crime has been made possible by recent developments in the decentralized finance (DeFi) space. Robust liquidity on decentralized exchanges (DEXs) is enabling more and more users to participate in the DeFi space (see Decentralized Exchanges Risks Review).

However, most DEXs do not apply anti-money laundering (AML) controls, and this allows criminals to swap assets rapidly through them as part of the money laundering process.

For example, using DEXs, criminals can readily exchange Ether for other assets – such as Tether, USDC and many more – that operate using Ethereum’s ERC-20 protocol in an attempt to break the trail of traceability. In June 2022, North Korean cybercriminals did just that to launder the funds they stole after hacking a major DeFi service.

Another game changer has been the emergence of cross-chain bridges – services that allow a user to transfer assets seamlessly from one blockchain, such as Bitcoin, to another, such as Ethereum.

Before the advent of bridges, crypto users could not move readily across blockchains to access DeFi services. But with bridges, DeFi services are able to thrive as part of an increasingly interwoven cross-chain ecosystem.

However, criminals have also identified that bridges offer an ideal method for laundering their ill-gotten crypto across blockchains.

To date, one cross-chain bridge, the RenBridge – which allows users to move funds across Bitcoin, Ethereum and other blockchains – has processed more than $540 million in illicit transactions. This includes more than $153 million laundered by ransomware attackers, as well as $33.8 million which originated from the hack of the Liquid crypto exchange platform, and which has since been attributed to North Korean cybercriminals, who used RenBridge to try and hide their stolen Bitcoin.

US Treasury’s Office of Foreign Assets Control

As part of its efforts to disrupt the activity of threat actors, the US Treasury’s Office of Foreign Assets Control has, since 2018, listed crypto addresses on its Specially Designated Nationals and Blocked Persons List (SDN List).

To date, OFAC has listed more than 400 crypto addresses belonging to cybercriminals, money launderers, narcotics traffickers and their support networks.

Importantly, OFAC has clarified that the SDN List is non-exhaustive: that is, it expects US persons – such as crypto exchanges operating in the US, or operators of DeFi platform web interfaces who are US citizens – to avoid transactions not only with those crypto addresses that appear on the SDN List, but also with any other addresses that sanctioned entities control.

Suppose a crypto exchange business has a customer named Alice. She has a USDC stablecoin account with the exchange, and periodically sends transactions to her external USDC wallet.

Using legacy blockchain analytics capabilities, the crypto exchange can screen Alice’s external USDC address against the OFAC sanctions list to identify whether it is associated with any prohibited actors. If the legacy blockchain analytics solution does not identify any connection between the USDC address and other USDC addresses on the SDN List, it will assume that there are no sanctions risks present.

In the same scenario, Alice’s exchange could screen her external USDC address against the OFAC SDN List.

However, where legacy blockchain analytics solutions only search for potential connections to other USDC addresses, Elliptic Lens enables Alice’s exchange to check whether her USDC address may feature connections to addresses involving other assets that appear on the SDN List.

The implications of this enhanced screening are illustrated in the next diagram. By deploying Elliptic Lens, the exchange identifies that Alice’s external USDC wallet is shared within an Ethereum account that includes an Ethereum address which OFAC listed on the SDN List for belonging to the Lazarus Group – a major North Korean cybercrime outfit.

With legacy blockchain analytics, the exchange would have failed to detect these sanctions risks at the time of screening, and could only have identified its exposure to the OFAC-listed Ethereum address through painstaking investigative work.

Managing Your Country Risk Exposure


Avoiding sanctions risk exposure is about more than just monitoring for connections to specific SDNs or other known illicit actors. A successful risk-mitigation strategy also involves detecting more subtle signs of risk, such as exposure to high-risk countries, or to regions that pose high risks of sanctions evasion activity.

While large-scale sanctions evasion using [cryptocurrencies] by a government such as the Russian Federation is not necessarily practicable, sanctioned parties, illicit actors, and their related networks or facilitators may attempt to use [crypto] and anonymizing services to evade US sanctions and protect their assets around the globe.

US Treasury’s Financial Crimes Enforcement Network (FinCEN)

For example, compliance teams need to be alert not only to interactions with individuals and entities on sanctions lists. They also need to be able to identify interactions with cryptocurrency exchanges, miners, and other services in countries such as North Korea, Iran, Cuba, Russia, Venezuela and other jurisdictions that are subject to broad financial and economic sanctions.

Since early 2022, sanctions concerns involving Russia’s potential nexus with crypto have become particularly pronounced.

For example, as Elliptic has previously shown, Russia-linked separatist groups – including those operating in the Donetsk, Luhansk, Kherson and Zaporizhzhia regions – have solicited Bitcoin donations worth nearly $5 million in support of their militant activities.

After the announcement by the US, EU, and other jurisdictions of sanctions targeting those regions, Elliptic took steps to ensure our customers could screen cryptoasset wallets and transactions involving these groups using our blockchain analytics solutions.

Using Elliptic’s Configurable Risk Rules, compliance teams can set their monitoring arrangements to ensure they can detect entities located in these regions, in neighboring countries such as Belarus – or in Russia more broadly – as required by their sanctions compliance obligations.

What’s more, compliance teams can leverage transaction and wallet screening to ensure the full implementation of pre-existing sanctions targeting Russian actors who use cryptoassets. OFAC has previously sanctioned Russian cybercriminal gangs, as well as Russia-linked individuals involved in hacking US elections.

Another essential component of sanctions compliance at this time is having the ability to identify digital asset exchange services in Russia that could potentially enable sanctions evasion.

Cryptoasset businesses and financial institutions should take special care to apply enhanced due diligence to these transactions for signs of potential dealings with sanctioned individuals and entities in Russia.

Fortunately, solutions exist to empower compliance teams in these efforts. Elliptic Discovery is our database of comprehensive due diligence profiles on more than 1,000 virtual asset service providers (VASPs) located globally.

Using Discovery – which already includes profiles of hundreds of exchanges located in Russia – compliance teams can proactively take steps to apply enhanced monitoring to any transactions involving them. They can even determine whether to continue business with them as restrictions increase.

Knowing the Red Flags


Because sanctioned individuals and entities go to great lengths to conceal their activity, it is essential that you know what red flags to look out for. Red flags of potential sanctions-related activity can involve both transactional behaviors and a range of other qualitative indicators.

Normally, several red flags will appear in tandem that should alert your compliance teams to sanctions risks, prompting them to take a closer look.

In March 2022, following the Russian invasion of Ukraine, the US Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an alert warning of potential crypto-related red flags related to sanctions evasion, including:

  • A customer of an exchange or financial institution engages in transactions with addresses on the OFAC SDN List.
  • A customer engages in transactions with a crypto exchange located in a high-risk jurisdiction.
  • A customer’s transactions involve the use of mixing or obfuscating services.

Below, we outline a number of additional red flags that can indicate sanctions-related activity.

Cryptocurrency and Sanctions Risks: Key Red Flags

  • A customer attempts to log on to an exchange using IP addresses, email addresses, phone numbers, or other identifying indicators registered in a sanctioned jurisdiction.
  • A customer is identified as being associated with advertisements for cryptocurrency brokerage activity on P2P trading sites available to users in sanctioned jurisdictions.
  • A customer engages in indirect transactions – i.e. transactions separated by more than one hop – with exchanges in sanctioned jurisdictions with a frequency that can’t be logically explained.
  • A customer frequently engages in transactions through or with entities in countries known to be associated with sanctions evasion activity, with no clear purpose or rationale for the activity in question.
  • A customer sends funds to a cryptocurrency address that forms part of a “cluster” of addresses (or wallet) associated with an OFAC-listed address, but that has not itself been identified by OFAC.
  • A customer sends or receives funds to or from a miner in a sanctioned jurisdiction, or a mining pool located in a country such as China, but with operations in a sanctioned jurisdiction.
  • A customer frequently sends/receives funds to/from exchange services that do not require KYC information and are located in high-risk jurisdictions.

At Elliptic, we conduct ongoing research into these and other red flag indicators of sanctions-related typologies and can assist your compliance teams in understanding how to identify them.
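The Alice scenario from the screening section, together with the “cluster” and indirect-hop red flags listed above, can be expressed as a pre-withdrawal check. This is an added example, not Elliptic's code or API: the addresses, wallet clustering, transfer graph, function names and the block/review/allow policy are all constructed assumptions.

```python
from collections import deque

# All data below is constructed for illustration; the addresses are
# placeholders, not real sanctions listings.
SDN = {("ETH", "0xaaa1"), ("XBT", "bc1qexample")}           # (asset, address)
CLUSTER = {"0xaaa1": "acct-7", "0xa11ce": "acct-7",          # address -> wallet
           "0xb0b": "acct-9"}
TRANSFERS = {"0xca401": ["0xda7e"], "0xda7e": ["0xa11ce"]}   # sender -> receivers


def legacy_screen(asset, address):
    """Same-asset lookup only: is this exact (asset, address) pair listed?"""
    return (asset, address.lower()) in SDN


def cross_asset_hits(address):
    """Listed entries for the address or any address in its wallet, any asset."""
    addr = address.lower()
    wallet = CLUSTER.get(addr)
    members = {a for a, w in CLUSTER.items() if wallet and w == wallet} | {addr}
    return sorted(entry for entry in SDN if entry[1] in members)


def hops_to_exposure(address, max_hops):
    """Breadth-first search along outgoing transfers.

    Returns the number of hops to the nearest address with a listing in its
    wallet, or None if nothing is found within max_hops.
    """
    start = address.lower()
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if cross_asset_hits(node):
            return dist
        if dist < max_hops:
            for nxt in TRANSFERS.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, dist + 1))
    return None


def pre_withdrawal_decision(asset, dest, max_hops=2):
    """Assumed policy: block on a direct or wallet-level hit, review on indirect."""
    if legacy_screen(asset, dest) or cross_asset_hits(dest):
        return "block"
    if hops_to_exposure(dest, max_hops) is not None:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Alice's USDC destination shares a wallet with an ETH-listed address.
    print(legacy_screen("USDC", "0xA11CE"), cross_asset_hits("0xA11CE"))
    for dest in ("0xA11CE", "0xca401", "0xb0b"):
        print(dest, pre_withdrawal_decision("USDC", dest))
```

The same-asset lookup passes Alice's address because the listing is recorded under ETH, while the wallet-level check surfaces it at screening time.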

In addition to knowing what key red flags of sanctions evasion to spot, it’s important to be aware of emerging issues and typologies impacting the crypto space.


Some emerging issues that impact sanctions risk include:

  • Privacy Coins: Elliptic’s research indicates that illicit actors – especially dark web markets – are increasingly looking to privacy coins like Monero as a way to evade the traceability of other cryptoassets. OFAC has included Monero, Dash, Verge and Zcash addresses belonging to sanctioned cybercriminals on its SDN List – suggesting that privacy coins could prove attractive to sanctioned actors as well.
  • Privacy Wallets: the use of privacy wallets such as Wasabi Wallet as an alternative to centralized mixers has grown significantly among illicit actors. Privacy wallets are less vulnerable to law enforcement disruption than centralized mixing services, and criminals look to them increasingly as a way to obfuscate funds flows in Bitcoin.
  • Coinswap Services: illicit actors are moving away from using large fiat-to-crypto exchange platforms. Since the introduction of comprehensive guidance from the Financial Action Task Force (FATF) in June 2019, large exchanges have implemented AML and KYC measures that are deterring criminals. Elliptic’s research indicates that threat actors are increasingly using coinswap services to launder funds. Coinswap services are crypto-to-crypto exchange platforms that generally do not collect KYC information and that are often located in high-risk money laundering jurisdictions.
  • DEXs: decentralized exchanges (DEXs) and other apps in decentralized finance (DeFi) are among the most exciting innovations in the crypto space. However, because they are unregulated and do not gather KYC information from users, there are concerns that they could become a haven for crypto laundering. North Korea’s Lazarus Group has been linked to the hack of a crypto exchange in Singapore, KuCoin, from which it stole cryptoassets worth $280 million. Some of the funds were laundered through DEXs – an indication that North Korea is capable of exploiting DeFi technology.

Defining Your Investigative Strategy


If your compliance team identifies red flags that may suggest you have sanctions exposure, it will be necessary to dig deeper. You need to have in place an investigations strategy that allows you to look in depth at customer activity and exhaustively scrutinize it.

This is especially important in sanctions-related cases, where even indirect and seemingly remote connections between customers and sanctioned parties can carry severe regulatory consequences.

A well-designed investigative strategy includes:

  • ensuring that all relevant staff are skilled in conducting cryptocurrency investigations;
  • having documented investigative procedures and recordkeeping policies in place;
  • leveraging crypto forensic analysis software – like Elliptic Investigator – to map the flow of funds related to suspected sanctions cases;
  • having in place internal escalation processes for raising alerts where positive hits have been identified; and
  • clearly documenting investigation findings in final reports that can be shared with relevant regulatory bodies, law enforcement or other relevant stakeholders.

Embedding a Comprehensive Risk Management Framework


The steps outlined above are essential, but they can only excel where they are supported by a comprehensive compliance framework for managing sanctions risks holistically (see How to Increase Resilience of Cyber Market through Insurance & Risk Management?).

A comprehensive sanctions compliance risk management framework includes:

  • Risk Assessment: conducting an enterprise-wide risk assessment to determine the extent of potential sanctions-risk exposure across customer, product and market segments.
  • Systems Configuration: utilizing effective sanctions list screening solutions and ensuring those are calibrated for effective monitoring for hits against OFAC and other sanctions lists.
  • Sanctions Training: having training programs in place to ensure that key members of staff understand sanctions obligations, risks and appropriate responses.
  • Policies and Procedures: developing policies and procedures that clearly define staff responsibilities and set out well-defined prohibited activities.

Below, we outline some specific steps you can take to address two of the components above: systems configuration and sanctions training.


Sanctions compliance is by no means a simple task. A rapidly evolving threat landscape and increasing scrutiny from regulators make it all but certain that the sanctions-related challenges facing the crypto industry will only grow in complexity over time.

But if the industry is to continue its impressive growth, compliance officers must face these challenges head-on and navigate them successfully.

Failure to do so can result in significant penalties and regulatory censure that businesses can’t afford to face.

By focusing on achieving the objectives outlined in this report, cryptocurrency compliance officers can ensure their sanctions compliance process is as smooth as possible.


AUTHORS: Aruna Costa – VP Government Solutions Elliptic, Arda Akartuna – Senior Crypto Threat Analyst Elliptic, Thibaud Madelin – Research & Investigations Lead Elliptic
