On November 28, 2018, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) identified for the first time digital currency addresses associated with sanctioned persons.  The newly sanctioned individuals, Iran-based Ali Khorashadizadeh and Mohammad Ghorbaniyan, were accused of converting digital currency payments into Iranian rial as part of a widespread ransomware scheme.  Since 2015, the ransomware scheme (known as “SamSam”) has infected the data networks of corporations, hospitals, universities, and government agencies.  According to OFAC’s announcement, the identified bitcoin addresses were used with over 40 digital currency exchangers to process more than 7,000 illicit transactions in bitcoins worth millions of U.S. dollars.

OFAC signaled in its press release increased enforcement attention to digital currencies, particularly where existing sanctions targets are implicated.  “Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims,” said Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker. “It is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes,” she further noted.

In addition to the new designations and digital-currency identifiers, OFAC also issued two new FAQs for technology companies and payment processors.  The guidance provides two acceptable methods of blocking digital currencies held by an institution on behalf of a sanctioned person.  The first is by blocking each digital currency wallet associated with the addresses identified by OFAC.  The second is for a company to use its own designated wallet to consolidate wallets containing the blocked digital currency.  In either case, companies are expected to retain an audit trail and are required to report the blocked digital currency to OFAC within 10 business days.  Companies are permitted to inform customers that they have blocked digital currency.

Digital currency addresses

Digital currency addresses are alphanumeric identifiers that represent destinations for digital currency transfers.  The addresses are held in digital currency wallets—software or hardware mechanisms that allow users to hold, store, and transfer digital currency.  Because each transfer records a user’s digital currency address on the public blockchain ledger, transactions are described as pseudonymous rather than anonymous.  OFAC’s action this week may raise questions about the privacy of bitcoin payments as opposed to other digital assets.

Similar to traditional identifiers like dates of birth, citizenship, and street addresses, the publication by OFAC of digital currency addresses associated with designated persons is intended to assist compliance officers with blocked accounts and prohibited transactions.  Thus, while designated individuals may cease to use the listed addresses, financial institutions and digital exchanges can still use the information to help identify related or subsequent digital currency addresses.

Increasing scrutiny

Wednesday’s identification of digital currency addresses was not unexpected.  On March 19, 2018, OFAC published a set of FAQs on virtual currencies noting that it may add digital currency addresses as identifiers on the SDN List, providing their unique alphanumeric identifier (up to 256 characters) and the digital currency to which the address corresponds (e.g., Bitcoin (XBT), Ethereum (ETH), Litecoin (LTC), Neo (NEO), Dash (DASH), Ripple (XRP), Iota (MIOTA), Monero (XMR), and Petro (PTR)). The FAQs also confirmed that OFAC obligations are the same regardless of whether a transaction is denominated in traditional fiat currency or digital currency and called for technology companies, users of digital currencies, and payment processors to develop “tailored, risk-based compliance program[s], which generally should include sanctions list screening.”

OFAC’s recent action is another signal of regulators’ increasing attention to digital currencies.  On November 16, 2018, the Securities and Exchange Commission issued a public statement on Digital Asset Securities Issuance and Trading, outlining the application of federal securities laws to initial coin offerings (ICOs), as described in our previous blog post.

In October, the British Cryptoassets Taskforce—composed of representatives from HM Treasury, the Financial Conduct Authority, and the Bank of England—published its Final Report acknowledging the increasing risks of digital currency-related financial crime.  The report called for strengthened requirements beyond the EU Fifth Anti-Money Laundering Directive (5MLD), and extending coverage to exchange services, peer-to-peer platforms, digital currency ATMs, and non-custodian wallet providers.