By Angel Niño Torres, Law Professor and Compliance Consultant
March 4, 2023

Cryptocurrencies emerged in the public arena as a means of payment in the virtual Wild West – the internet of 15 years ago. Bitcoin was synonymous with Silk Road and the Dark Web during its early years.

When FinCEN fined the Virtual Currency Exchange BTC-e $110 million for facilitating ransomware and drug sales – the first regulatory action in the crypto industry – it seemed that the only function of cryptocurrencies was to help carry out criminal activities. FinCEN reported: “Users openly and explicitly discussed criminal activity on BTC-e’s user chat.  BTC-e’s customer service representatives offered advice on how to process and access money obtained from illegal drug sales on dark net markets like Silk Road, Hansa Market, and AlphaBay.“

Since then, crypto has come a long way, experiencing regulatory missteps and industry advances. In terms of sanctions, there has been considerable and significant progress in the treatment of the virtual assets industry.

First Sanctions

In March 2018, we saw the first crypto-related sanctions with Executive Order 13827 prohibiting transactions with Venezuela’s petro cryptocurrency. In November 2018, OFAC designated two Iranian nationals associated with the SamSam ransomware strain and included Bitcoin addresses linked to the individuals as identifiers on their Specially Designated Nationals And Blocked Persons (SDN) List entries.

Up to this point, the mention of cryptocurrencies, as far as sanctions are concerned, was casuistic.

Lazarus Group

In September 2019, the hacker groups Lazarus Group, Bluenoroff and Andariel were sanctioned pursuant to Executive Order 13722 on the basis of their relationship with the Reconnaissance General Bureau of North Korea. This designation is important because OFAC announced that the attacks by these hacker groups specifically targeted virtual asset services providers and cryptocurrency exchanges for their potential to both obfuscate revenue streams and serve as sources of funding for their targets.

At this point, we begin to identify the dual risk presented by virtual asset service providers: the assets that can be stolen from them also serve to obscure the traceability of their sources of financing. This is a modern version of bank robbery in which the placement and layering stages of money laundering are simultaneously executed.

In March 2020, individuals involved in laundering crypto assets stolen from an exchange were sanctioned. What is interesting about this designation is OFAC’s emphasis on the particular risk of financial crimes presented by cryptocurrencies and virtual assets. OFAC also emphasized that the Financial Action Task Force amended its standards to include virtual asset service providers in its regulatory and supervisory recommendations and devoted several paragraphs to explaining the risk particularities of these types of companies and the concern of the United States that they operate without the controls of a compliance program.

In October 2021, OFAC published the Sanctions Compliance Guidance for the Virtual Currency Industry, which states the following: “All companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies or their service providers, are encouraged to develop, implement, and routinely update, a tailored, risk-based sanctions compliance program.“

This paragraph, beyond presenting a logical solution of requiring risk control measures for the virtual asset industry, illustrates the emphasis placed on any other traditional institution having control measures (which are inferred to be specific) by the mere possibility of exposure or proximity to virtual assets, or to companies that provide services related to them.

Blender.io and Tornado Cash

In a previous ACSS article, An Examination of OFAC’s Approach to Crypto-Related Sanctions, the Blender.io sanctions were discussed and it was highlighted how OFAC considered it important to prevent the use of “mixers“ to conceal illicit activities. To that effect, the Under Secretary for Terrorism and Financial Intelligence, Brian Nelson, stated: “[virtual] currency mixers that assist illicit transactions pose a threat to US national security interests. [The Treasury is] taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.“

Following this reasoning, a few months after sanctioning Blender.io, OFAC sanctioned Tornado Cash, a decentralized, non-custodial smart contract distinct from other types of crypto mixers such as Blender.io. According to the firm Dechert LLP, the difference is that: “While Blender.io had a centralized custodial service attached to it that could be shut down, Tornado Cash does not operate as a conventional business: Tornado Cash consists of randomly generated addresses on the Ethereum blockchain that were uploaded by independent developers over years and is operated as an open-source, decentralized, non-custodial, and autonomous organization.“

Here it is evident how the crypto industry sanctions are evolving and adapting more and more to the different realities and modes of operation in the ecosystem. Although the measures are perfectible, they ultimately help to purge the ecosystem of bad actors.

Regulations are Leading to Opportunities

TRM Labs’ head of legal and government affairs, Ari Redbord, said in an article in CoinDesk that, after the Tornado Cash designation, “OFAC also kept the door open for DAOs and other decentralized organizations to be viewed as ‘entities’ for sanctions designations and enforcement actions. We are likely to see this come up again if OFAC targets the [decentralized finance] space.“

This extension of the sanctioning arsenal based on the characteristics of the virtual assets industry may seem negative, given that the main value that Bitcoin and cryptocurrency enthusiasts attributed to this innovation were decentralization and anonymity.

However, the implementation of these measures will allow the industry to purge itself of the bad actors and practices that cases such as Blender.io, Tornado Cash, OneCoin, FTX, and many others have shown us. How many other bad practices are still being executed under the cover of poor regulation and behind the banner of decentralization?

Although the need to establish a compliance program and risk mitigation measures from the very beginning is seen by many entrepreneurs in the virtual asset sector as a burden and as obstacles to innovation, Andrew Fierman, head of sanctions strategy at Chainalysis, points out: “While crypto certainly has a unique set of challenges in sanctions compliance, there are also endless opportunities in automation and efficiency. Thanks to the transparency and immutability of the blockchain, along with the help of education, regulation, blockchain analytics and industry coordination, all companies in this space can work together and build towards a safer ecosystem.“

A healthier ecosystem allows the entry of players with a lower risk appetite, which ultimately broadens the range of potential partners, clients and investors available to entrepreneurs in the virtual assets sector. Beyond seeing sanctions compliance as a burden, it is possible to see it as the gateway to a more sustainable stage of development of the virtual assets ecosystem.

Question of Balance

The evolution of sanctions against virtual wallet addresses, hackers and virtual asset service providers illustrates how virtual assets have gone from being considered assets similar to the funds in a bank account to being regarded as very specific assets whose own characteristics entail inherent risks that need to be mitigated. These risks were initially considered unavoidable, but as regulators have learned more about the technology, we are seeing adequate controls put in place.

Today, virtual asset services providers can be considered by some as more strictly regulated than traditional finance companies, both because of their inherent risk of money laundering and because of the approach to their regulation following the collapse of the Exchange FTX that has caused public mistrust in the ecosystem, putting pressure on regulators for stricter legislation to be issued.

Angel Niño Torres is a member of the ACSS Editorial Task Force (EdTf) and Latin America Task Force. Certified AML FinTech Compliance Associate (CAFCA). Head of Compliance for Coinbag (Hong Kong). Sanctions Researcher for PST.AG (Germany). Professor of Business Law at Universidad Rafael Urdaneta (Venezuela). Private Attorney and Sanctions Consultant (Venezuela).