On September 21, 2021, in a first-of-it-kind action, the U.S. Department of the Treasury Office of Foreign Assets Control (“OFAC”) imposed economic sanctions on SUEX OTC, S.R.O. (“SUEX”), a virtual currency exchange, for facilitating ransom payments pursuant to ransomware cyber-attacks.¹

In its press release announcing the sanctions, OFAC indicated that more than 40% of SUEX’s transactions involved illicit actors.¹ SUEX has been added to OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN List”), meaning that all of SUEX’s property and interests in property that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with SUEX.

Along with designating SUEX as an SDN, OFAC also updated its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Advisory”),² which was originally published on October 1, 2020. (For more information on the original Advisory, see our article Ransomware Attacks Are on the Rise; Are You Ready?)

The updated Advisory’s contents are substantially similar to the original 2020 Advisory with the important addition of the SUEX designation information. OFAC also added a more detailed discussion of steps that victims of ransomware attacks can take to mitigate risks, including actions that OFAC would consider mitigating factors in any enforcement action. In the Advisory, OFAC makes clear that it will continue to sanction actors and others who materially assist, sponsor, or provide financial, material, or technological support for ransomware cyberattacks.

SUEX is referred to by OFAC as a “virtual currency exchange,” but the exchange deals in what is typically referred to as “cryptocurrency,” or in other words, a digital currency that is encrypted and decentralized.³ It’s worth noting that OFAC defines “virtual currency” and “digital currency” separately, with virtual currency being a subset of digital currency.⁴

Under OFAC sanctions programs, “virtual currency” is “a digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; is neither issued nor guaranteed by any jurisdiction; and does not have legal tender status in any jurisdiction.” OFAC further defines “digital currency” to include “sovereign cryptocurrency, virtual currency (non-fiat), and a digital representation of fiat currency.”

Because cryptocurrency is a decentralized currency, government agencies, including OFAC, have had a difficult time regulating or enforcing this recent innovation in the financial world. Aside from the ransomware payment context described in the Advisory (for which SUEX was specifically sanctioned), cryptocurrency can also be – and has been – used in a variety of other illicit contexts.

The SUEX designation is the first instance of OFAC sanctioning a cryptocurrency exchange, but OFAC has also targeted actors involved with digital currency, even sovereign governments. On March 19, 2018, President Trumpsigned Executive Order 13827 (“EO 13827”), Taking Additional Steps to Address the Situation in Venezuela, which prohibits U.S. persons from engaging in transactions associated with “any digital currency, digital coin, or digital token, that was issued by, for, or on behalf of the Government of Venezuela on or after January 9, 2018.”⁵

As the primary enforcement agency of the prohibition, OFAC published Frequently Asked Questions (“FAQs”) that interpret the prohibitions from EO 13827. Among other things, the FAQs clarified that the Venezuelan “petro” and “petro-gold” cryptocurrencies are considered “digital currency, digital coin, or digital token” for purposes of EO 13827 enforcement. However, Venezuela’s traditional fiat currency, the “bolivar fuerte,” is not considered a digital currency and is therefore not subject to the same prohibitions.

In addition to EO 13827’s specific prohibitions on Venezuelan digital currency, OFAC has also pursued enforcement actions against companies in the cryptocurrency industry, with two such actions in just the past year. On December 30, 2020, OFAC entered into a $98,830 settlement agreement with BitGo, Inc. (“BitGo”) for alleged violations of multiple OFAC sanctions programs.⁶

BitGo implements security and scalability platforms for digital assets and offers a non-custodial secure digital wallet management service, which are services related to digital currency transactions. Persons in Syria, Iran, Cuba, Sudan, and the Crimea region of Ukraine were allegedly able to use BitGo’s digital wallet services due to Bitgo’s failure to restrict sanctioned jurisdictions from access to its services.

Per the OFAC settlement agreement, BitGo processed 183 digital currency transactions for persons in sanctioned jurisdictions. BitGo had reason to know that persons in sanctioned jurisdictions used its services because the company tracked Internet Protocol (“IP”) addresses of its users for security purposes. However, BitGo failed to use this Iplocation information for sanctions compliance purposes.

In a similar case, on February 18, 2021, OFAC entered into a $507,375 settlement agreement with BitPay, Inc. (“BitPay”) for apparent sanctions violations related to digital currency transactions.⁷ BitPay offers a payment processing solution for merchants to accept digital currency as payment for goods and services.

OFAC alleged that BitPay was potentially liable for 2,102 transactions using digital currency between U.S. merchants and persons in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria. Similar to BitGo, BitPay collected location and Ipaddress information for its customers but failed to use this information to prevent violations of sanctions programs. OFAC used the BitGo and BitPay enforcement actions to remind companies involved in digital currency services, like all financial service providers, to take steps to understand and mitigate sanctions compliance risks.

Whereas BitGo and BitPay are U.S. companies that received penalties from OFAC, the SUEX matter is different because SUEX is a foreign company that has become subject to sanctions prohibitions. SUEX is a concierge cryptocurrency exchanger with locations in Russia and the Czech Republic. SUEX was a “nested” exchange, which means it did not have direct custody of its clients’ cryptocurrency but instead used the infrastructure of a larger multinational exchange. Using this mechanism, SUEX obscured its connection to the larger cryptocurrency exchange and was able to very successfully convert illicit funds of its customers into physical cash. Although SUEX was specifically referenced in the Ransomware Advisory, OFAC’s concern with cryptocurrency exchanges also extends to facilitation of sanctions evasion, ransomware schemes, and other cybercrimes.

In announcing the SDN designation of SUEX, OFAC specifically stated that SUEX facilitated unlawful transactions for its own illicit aims, in contrast with certain other digital currency exchanges that are merely “exploited by malicious actors” including, for example, two Chinese nationals that OFAC designated as SDNs on March 2, 2020 for laundering stolen cryptocurrency from a 2018 cyber intrusion against a cryptocurrency exchange.⁸ This cyber intrusion is linked to Lazarus Group, a North Korean state-sponsored malicious cyber group, which is itself designated as an SDN.

***

The enforcement activity directed toward the cryptocurrency market should serve to put U.S. persons on notice as to the potential for sanctions liability with respect to 1) activity related to particular cryptocurrencies, as is the case with the Venezuelan state cryptocurrency, or cryptocurrency exchanges, such as SUEX; and 2) the provision of cryptocurrency services, which could lead to violations of sanctions regulations vis-à-vis SDN-listed persons or persons located in sanctioned jurisdictions.

As such, companies and individuals operating in this ever-expanding sector should create a risk-based sanctions compliance program to mitigate and prevent sanctions violations. Cryptocurrency services companies should also train employees on sanctions compliance, including screening, identification of red flags, and blocking and reporting prohibited transactions.

If you participate in the cryptocurrency industry or otherwise have questions related to potential sanctions or other regulatory liability for engaging in digital currency activity, please do not hesitate to contact us.

1 Notice of OFAC Sanctions Action, 86 Fed. Reg. 53,147 (Sep. 24, 2021), available at https://www.govinfo.gov/content/pkg/FR-2021-09-24/pdf/2021-20745.pdf.

2 Treasury Takes Robust Actions to Counter Ransomware, U.S. Department of the Treasury Office of Foreign Assets Control (Sep. 21, 2021), available at https://home.treasury.gov/news/press-releases/jy0364.

3 Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, U.S. Department of the Treasury Office of Foreign Assets Control (Sep. 21, 2021), available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf.

4 Cryptocurrency Definition, Merriam-Webster, https://www.merriam-webster.com/dictionary/cryptocurrency (last visited Sep. 29, 2021).

5 Frequently Asked Questions: Questions on Virtual Currency, U.S. Department of the Treasury Office of Foreign Assets Control, https://home.treasury.gov/policy-issues/financial-sanctions/faqs/559 (last visited Sep. 29, 2021).

6 Executive Order 13827 of March 19, 2018, Taking Additional Steps to Address the Situation in Venezuela (Mar. 19, 2018), available at https://home.treasury.gov/system/files/126/13827.pdf.

7 OFAC Enters $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions, U.S. Department of the Treasury Office of Foreign Assets Control (Dec. 30, 2020), available at https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.

8 OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions, U.S. Department of the Treasury Office of Foreign Assets Control (Feb. 18, 2021), available at https://home.treasury.gov/system/files/126/20210218_bp.pdf.

9 Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group, U.S. Department of the Treasury Office of Foreign Assets Control (Mar. 2, 2020), available at https://home.treasury.gov/news/press-releases/sm924.