OFAC Sanctions
OFAC sanctions are U.S. Treasury restrictions that prohibit financial transactions with designated individuals, entities, and countries.
Key Takeaways
- OFAC (Office of Foreign Assets Control) administers U.S. economic sanctions and maintains the SDN list, which includes over 1,200 cryptocurrency wallet addresses across 17 different blockchains. Any U.S. person or business transacting with a listed address faces strict liability penalties.
- Stablecoin issuers like Circle and Tether enforce sanctions through smart contract blacklisting, freezing tokens at designated addresses. Tether alone has frozen over $4.4 billion in USDT across 2,300+ cases globally.
- The Tornado Cash case redefined the limits of sanctions on code: the Fifth Circuit ruled in 2024 that immutable smart contracts cannot be classified as "property" under IEEPA, and Treasury subsequently delisted the protocol in March 2025.
What Are OFAC Sanctions?
OFAC sanctions are economic restrictions administered by the Office of Foreign Assets Control, a division of the U.S. Department of the Treasury. OFAC enforces trade and financial sanctions against targeted foreign countries, regimes, terrorists, narcotics traffickers, and other threats to U.S. national security. For the cryptocurrency industry, OFAC sanctions define which addresses, individuals, and entities are off-limits for any transaction touching U.S. jurisdiction.
OFAC traces its origins to 1940, when the Office of Foreign Funds Control was created to block Norwegian and Danish assets after the German invasion. The modern office was established in December 1950 during the Korean War, when President Truman froze all Chinese and North Korean assets under the Trading with the Enemy Act of 1917. Today, OFAC operates under the Treasury's Office of Terrorism and Financial Intelligence (TFI) alongside FinCEN and other enforcement bodies.
OFAC's primary legal authorities include the International Emergency Economic Powers Act (IEEPA) of 1977, which grants the President broad power to block property and prohibit transactions during declared national emergencies, and the Trading with the Enemy Act for legacy programs like the Cuba embargo. These statutes give OFAC the ability to designate individuals, entities, vessels, and since 2018, cryptocurrency wallet addresses.
How It Works
OFAC's enforcement centers on the Specially Designated Nationals and Blocked Persons List (SDN list), a database of over 12,000 entries covering individuals, companies, organizations, government entities, and cryptocurrency addresses. The list is updated three to four times per week with no fixed schedule, and all U.S. persons and businesses must screen transactions against it.
The SDN List and Crypto Addresses
On November 28, 2018, OFAC added cryptocurrency addresses to the SDN list for the first time. Two Bitcoin addresses belonging to Ali Khorashadizadeh and Mohammad Ghorbaniyan were designated in connection with the SamSam ransomware scheme, which had infected hospital, university, and government networks since 2015. The pair processed over 7,000 illicit transactions worth millions of dollars through those addresses.
As of 2025, the SDN list includes over 1,200 cryptocurrency addresses spanning 17 different blockchains, including Bitcoin, Ethereum, Tron, Monero, USDT, and USDC. When an address appears on the SDN list, any U.S. person who interacts with it violates sanctions law, regardless of intent.
The 50 Percent Rule
Any entity owned 50% or more, directly or indirectly, by one or more blocked persons is itself considered blocked, even if it does not appear on the SDN list. Ownership stakes from multiple blocked persons aggregate toward the threshold: if two sanctioned individuals each own 25% of an entity, that entity is blocked. OFAC does not publish a list of majority SDN-owned entities, placing the due diligence burden entirely on businesses.
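The aggregation described above can be computed as a fixed point over an ownership graph. The Python below is an added example, not OFAC's code or this glossary's; every name and stake in it is constructed, and it assumes that "indirectly" means ownership through entities that are themselves blocked by operation of the rule.

```python
from collections import defaultdict
from fractions import Fraction

THRESHOLD = Fraction(50)  # "50% or more"

# Constructed sample data: no real persons, entities or stakes.
LISTED = {"Person A", "Person B"}  # stand-ins for SDN-listed persons
STAKES = [  # (owner, entity, percent held directly)
    ("Person A", "TradeCo", 30),
    ("OpCo", "TradeCo", 20),
    ("HoldCo", "OpCo", 60),
    ("Person A", "HoldCo", 25),
    ("Person B", "HoldCo", 25),
    ("Unlisted Investor", "HoldCo", 50),
    ("Person B", "ShellCo", 49.9),
    ("ShellCo", "SubCo", 100),
]


def blocked_by_ownership(listed, stakes):
    """Map each unlisted entity blocked by the rule to the aggregate
    percentage held by blocked owners (listed or blocked by the rule)."""
    owners_of = defaultdict(lambda: defaultdict(Fraction))
    for owner, entity, pct in stakes:
        owners_of[entity][owner] += Fraction(str(pct))

    def blocked_share(entity, blocked):
        return sum((share for owner, share in owners_of[entity].items()
                    if owner in blocked), Fraction(0))

    blocked = set(listed)
    changed = True
    while changed:  # repeat until a full pass blocks nothing new
        changed = False
        for entity in list(owners_of):
            if entity not in blocked and blocked_share(entity, blocked) >= THRESHOLD:
                blocked.add(entity)  # now counts as a blocked owner itself
                changed = True
    return {e: blocked_share(e, blocked) for e in blocked - set(listed)}


if __name__ == "__main__":
    for entity, share in sorted(blocked_by_ownership(LISTED, STAKES).items()):
        print(f"{entity}: blocked, {float(share):g}% held by blocked owners")
```

TradeCo is caught only on the third pass, after HoldCo and then OpCo have been blocked, which is why a single pass over direct stakes misses it. ShellCo at 49.9% and its wholly owned SubCo stay unblocked.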
Strict Liability Standard
OFAC violations carry a strict liability standard for civil penalties. This means that intent is irrelevant: a company that inadvertently processes a transaction with a sanctioned address is still in violation. Software failures, screening gaps, and lack of knowledge do not excuse violations. Civil penalties under IEEPA can reach $377,700 per violation (2026 inflation-adjusted) or twice the transaction value, whichever is greater. Criminal penalties for willful violations can reach $1 million per violation and up to 20 years imprisonment.
Stablecoin Compliance and Blacklisting
Major fiat-backed stablecoins implement OFAC compliance through smart contract blacklist functions. When an address is blacklisted, the tokens at that address are frozen: the holder cannot send, receive, or redeem them.
Circle (USDC)
Circle has blacklisted approximately 372 USDC addresses since launch, freezing roughly $110 million in aggregate. Circle's stated policy is to freeze assets only when presented with a court order, sanctions designation, or law enforcement request. In August 2022, Circle blocked Tornado Cash-associated addresses immediately following OFAC's designation. In May 2025, Circle froze approximately $57 million in connection with the LIBRA memecoin case.
Tether (USDT)
Tether has frozen over $4.4 billion in USDT across 2,300+ cases, with over $2.1 billion frozen in cooperation with U.S. authorities specifically. Between 2023 and 2025, over 7,268 addresses were blacklisted. Tether works with 340+ law enforcement agencies across 65 countries. In April 2026, Tether froze $344.2 million tied to two Tron addresses linked to the Central Bank of Iran, coordinating with OFAC and U.S. law enforcement: the first time OFAC directly targeted central bank wallets on a blockchain.
Technical Implementation
The blacklist mechanism is embedded in the stablecoin's smart contract. A simplified example of how blacklisting works at the contract level:
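```solidity
// Simplified stablecoin transfer with blacklist check
pragma solidity ^0.8.0;

contract SimplifiedStablecoin {
    address public owner = msg.sender; // the issuer that deployed the contract
    mapping(address => uint256) public balances;
    mapping(address => bool) public isBlacklisted;

    modifier onlyOwner() { require(msg.sender == owner, "Caller is not the owner"); _; }

    function transfer(address to, uint256 amount) public returns (bool) {
        require(!isBlacklisted[msg.sender], "Sender is blacklisted");
        require(!isBlacklisted[to], "Recipient is blacklisted");
        balances[msg.sender] -= amount; // reverts on insufficient balance (checked arithmetic in 0.8+)
        balances[to] += amount;
        return true;
    }

    // Only the contract owner (issuer) can blacklist
    function addToBlacklist(address account) public onlyOwner {
        isBlacklisted[account] = true;
    }
}
```

This creates a compliance layer at the asset level: even if the underlying blockchain is permissionless, the stablecoin itself can enforce restrictions. This stands in contrast to native assets like Bitcoin or Ether, which have no built-in freeze mechanism.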
The Tornado Cash Precedent
On August 8, 2022, OFAC designated Tornado Cash, a decentralized Ethereum mixer, citing its use to launder more than $7 billion in cryptocurrency. This included over $455 million stolen by North Korea's Lazarus Group. Approximately 40 wallet addresses were sanctioned. The designation was unprecedented: OFAC had sanctioned a mixer before (Blender.io in May 2022), but Tornado Cash was a set of immutable smart contracts with no centralized operator.
The Fifth Circuit Ruling
In Van Loon v. Treasury, users challenged the Tornado Cash designation. On November 26, 2024, the U.S. Court of Appeals for the Fifth Circuit reversed the district court, holding that OFAC exceeded its statutory authority. The court reasoned that immutable smart contracts cannot be classified as "property" under IEEPA because they lack the hallmarks of ownership, control, and exclusivity. Once deployed, the contracts cannot be changed, deleted, or restricted by anyone. The court relied on the Supreme Court's decision in Loper Bright Enterprises v. Raimondo, holding that OFAC was not entitled to heightened deference in its statutory interpretation.
Delisting and Aftermath
On March 21, 2025, the Trump administration removed Tornado Cash from the SDN list rather than appealing the ruling. Treasury stated it exercised discretion based on "the Administration's review of the novel legal and policy issues raised by use of financial sanctions against financial and commercial activity occurring within evolving technology and legal environments."
The criminal proceedings continued separately. Developer Roman Storm was found guilty on August 6, 2025 of conspiracy to operate an unlicensed money transmitting business, but the jury deadlocked on the more serious charges of conspiracy to commit money laundering and conspiracy to violate sanctions. In March 2026, the DOJ requested a retrial on the deadlocked charges.
Compliance for Crypto Businesses
In October 2021, OFAC issued tailored sanctions compliance guidance for the virtual currency industry, establishing five essential components for any compliance program:
- Management commitment to sanctions compliance
- Risk assessment covering products, services, customers, and geographies
- Internal controls including SDN list screening and geolocation blocking
- Testing and auditing of compliance procedures
- Training for all relevant personnel
Exchange Obligations
U.S. crypto exchanges must screen all customers and counterparties against the SDN list, implement IP-based geolocation blocking for comprehensively sanctioned jurisdictions (Iran, North Korea, Syria, Crimea), and report blocked virtual currency to OFAC within 10 business days. Exchanges must also account for VPN usage and other obfuscation techniques in their geolocation controls.
DeFi and Non-Custodial Services
Compliance in decentralized systems operates across multiple layers. Block producers can refuse to include transactions involving sanctioned addresses. DeFi application front-ends can block sanctioned addresses from the user interface. Stablecoin providers can freeze assets via smart contract blacklists. Blockchain analytics firms like Chainalysis and TRM Labs provide screening tools that integrate with these layers.
Even non-custodial wallet providers face exposure. In December 2025, Exodus Movement settled with OFAC for $3.1 million over 254 violations related to Iranian users, including cases where staff recommended VPNs to circumvent IP-based controls.
Enforcement Track Record
Key enforcement actions against crypto businesses illustrate the scale of penalties:
| Company | Date | Settlement | Violations |
|---|---|---|---|
| Bittrex | October 2022 | $29.3 million | 116,000+ transactions from sanctioned jurisdictions |
| ShapeShift | September 2025 | $750,000 | 17,183 violations, no compliance program |
| Exodus | December 2025 | $3.1 million | 254 violations, staff aided circumvention |
The GENIUS Act and Stablecoin Regulation
The GENIUS Act, enacted in July 2025, introduced the first binding federal requirements for stablecoin sanctions compliance. On April 8, 2026, FinCEN and OFAC jointly proposed rules requiring permitted payment stablecoin issuers (PPSIs) to maintain formal sanctions compliance programs with all five core components. Issuers must have technical capabilities to block, freeze, and reject impermissible transactions, including those on the secondary market via smart contracts. Full enforcement begins no later than January 2027.
For a broader view of how these requirements fit into the global landscape, see the stablecoin regulation global tracker and the GENIUS Act deep dive.
Sanctions vs. Permissionless Principles
OFAC sanctions create a fundamental tension with the core design principles of permissionless blockchains: censorship resistance, open access, and immutability. Bitcoin and Ethereum were designed so that no single party can block transactions, yet sanctions law requires exactly that capability.
This tension plays out at every layer of the stack. Base-layer protocols remain largely uncensorable: anyone can broadcast a valid Bitcoin or Ethereum transaction. But the application layer, where users interact with wallets, exchanges, and stablecoins, increasingly implements compliance controls. The result is a spectrum from fully permissionless (native cryptocurrency transfers) to fully compliant (regulated stablecoin transfers with blacklist enforcement).
Research shows that even after OFAC sanctioned Tornado Cash, reducing overall deposit volume by approximately 71%, attackers still used the protocol in over 78% of Ethereum-related security incidents. This highlights the practical limits of sanctions enforcement on immutable code: while compliant actors stop using sanctioned tools, malicious actors often do not.
Secondary Sanctions and Global Reach
OFAC's enforcement extends beyond U.S. borders through secondary sanctions. Non-U.S. entities that engage with sanctioned parties risk losing access to U.S. markets, dollar clearing, and correspondent banking. Since many global transactions are dollar-denominated and clear through U.S. banks, this gives OFAC significant extraterritorial reach.
For crypto businesses, this means non-U.S. exchanges face sanctions exposure if they process transactions involving SDN-listed addresses. Many non-U.S. platforms voluntarily implement OFAC compliance programs because the cost of losing access to the U.S. financial system far outweighs the compliance burden. In March 2024, the U.S. expanded its secondary sanctions regime to cover additional non-U.S. financial institutions, broadening this extraterritorial scope.
Risks and Considerations
- Strict liability means accidental violations carry real penalties: crypto businesses must implement robust transaction monitoring and SDN screening, not just at onboarding but on every transaction
- The 50% rule creates hidden compliance exposure: entities indirectly owned by sanctioned persons may not appear on any list, requiring proactive due diligence beyond simple list screening
- Stablecoin blacklisting introduces counterparty risk: users holding blacklisted stablecoins lose access to their funds, and freezes can occur without prior notice based on sealed court orders
- The Tornado Cash ruling narrowed OFAC's authority over immutable code, but the boundaries remain untested: future cases may redefine what types of crypto infrastructure can be sanctioned
- Compliance requirements may push activity toward less transparent channels: users in sanctioned jurisdictions who cannot access compliant platforms may turn to peer-to-peer trading or privacy-focused protocols, making taint analysis more difficult