Sanctions compliance has become increasingly challenging in recent years, as a number of major global events impacting the crypto space have added new layers of complexity for compliance professionals.
Law enforcement agencies such as the US Treasury’s Office of Foreign Assets Control (OFAC) have used sanctions to crack down on numerous individuals, criminal enterprises and nation-state-linked entities.
Following Russia’s full-scale invasion of Ukraine in February 2022, OFAC also stepped up its crackdown on a number of Russian-linked Dark Web markets and exchanges.
Furthermore, the US Treasury Department has targeted mixing services such as Blender and Tornado Cash for facilitating money laundering linked to North Korea. Law enforcement in the UK and US have also sanctioned ransomware gangs in an attempt to crack down on this criminal ecosystem.
Enforcement for cryptocurrency-related sanctions violations is also heating up, as shown by the US Treasury’s seven-figure settlement with crypto exchange Bittrex last year for apparent sanctions violations involving countries like Iran.
In this blog, we will explore the role of “red flags and suspicious indicators” in dealing with sanctions compliance, looking at the key signs that compliance teams need to be aware of in order to identify potentially sanctioned individuals or entities.
Introduction
Because sanctioned individuals and entities go to great lengths to conceal their activities, it’s important to know what key signs to look out for. Red flags of potential sanctions-related activity can include transactional behaviors as well as a number of other qualitative indicators.
Usually, several red flags will appear in tandem that should alert your compliance teams to the risks of sanctions, prompting them to take a closer look.
Below, we list a number of red flags that are often considered indicators of sanctions-related activity.
Cryptocurrency Risks and Sanctions: Key Red Flags
- A user attempts to log into the exchange using IP addresses, email addresses, telephone numbers or other identification indicators registered in a sanctioned jurisdiction.
- The customer is identified as being associated with advertisements for cryptocurrency brokerage activities on P2P trading sites accessible to users in sanctioned jurisdictions.
- The client engages in indirect transactions (i.e. transactions separated by more than one hop) with exchanges in sanctioned jurisdictions with a frequency that cannot be logically explained.
- The client often engages in transactions through or with entities in countries known to be associated with sanctions evasion activities, without a clear purpose or rationale for the activity in question.
- A customer sends funds to a cryptocurrency address that is part of a “cluster” of addresses (or wallets) associated with an address on OFAC’s list, but not identified by OFAC.
- A user sends or receives funds to or from a miner in a sanctioned jurisdiction or a mining pool located in a country such as China but with operations in a sanctioned jurisdiction.
- The client often sends or receives funds to or from exchange services that do not require Know Your Customer (KYC) information and are located in high-risk jurisdictions. At Elliptic, we conduct ongoing research on these and other red flag indicators of sanctions-related typologies and can help your compliance teams understand how to identify them.
- A client whose transactions involve interactions with mixers or other obfuscation services has also engaged in transactions with entities located in sanctioned jurisdictions or on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list.
- The client’s transactions show frequent and significant exposure to mixers that the client is unable or unwilling to explain, especially when exposure to mixers occurs in close proximity to major incidents of cyber theft or other crimes.
- A customer who receives a large incoming transfer from a mixing service immediately tries to exchange the funds for another crypto-asset and move it from the platform in a short period of time (an indicator of the “chain-hopping” money laundering typology).
- A client who frequently transacts with mixers or other similar services presents other sanctions risks, such as logging into their account from high-risk or sanctioned jurisdictions.
Emerging challenges
In addition to knowing the key sanctions evasion red flags to look out for, it’s important to be aware of new, rapidly growing issues and typologies that are also impacting the crypto space. These include:
- Privacy Coins: Elliptic’s research shows that illicit actors, especially dark web markets, are increasingly looking to privacy coins like Monero as a way to avoid the traceability of other cryptoassets. OFAC has included Monero, Dash, Verge and Zcash addresses belonging to sanctioned cybercriminals on its SDN list, suggesting that privacy coins could prove attractive to sanctioned actors as well.
- Privacy Wallets: The use of privacy wallets like Wasabi Wallet as an alternative to centralized mixers has grown significantly among illicit actors. Privacy wallets are less susceptible to law enforcement disruptions than centralized mixing services, and are increasingly viewed by criminals as a way to disguise Bitcoin fund flows.
- Coin Exchange Services: Illicit actors are moving away from using major fiat-to-crypto exchange platforms. Since the introduction of the Financial Action Task Force’s (FATF) comprehensive guidance in June 2019, major exchanges have implemented AML and KYC measures that deter criminals. Elliptic’s research shows that threat actors are increasingly using coin exchange services to launder funds instead. Coin swap services are crypto-to-crypto exchange platforms that generally do not collect KYC information and are often located in high-risk money laundering jurisdictions. Elliptic’s separate briefing note on coin exchange services highlights that many of these services are located in Russia, and we have identified cases of sanctioned actors using these services.
- DEX: Decentralized exchanges (DEX) and other applications in decentralized finance (DeFi) are among the most exciting innovations in the crypto space. However, since they are not regulated and do not collect KYC information from users, there are growing concerns that they could become havens for cryptocurrency laundering. North Korea’s Lazarus Group has been linked to the hack of a cryptocurrency exchange in Singapore, KuCoin, from which it stole $280 million worth of cryptocurrencies. Some of the funds were laundered through popular DEXs, an indication that North Korea is capable of exploiting DeFi technology.
How Elliptic can help
Cryptoasset exchanges and financial institutions should take proactive steps to identify and manage the sanctions risks associated with mixers and other obfuscation services. They can achieve this by using blockchain analytics solutions, such as those offered by Elliptic, at various stages of the compliance journey.
First, by using a wallet verification solution like Elliptic Lens, companies can identify if their customers intend to withdraw funds to a blacklisted mixing service like Blender, or an allegedly related service like Sinbad, and can block those transactions, ensuring compliance with sanctions.
Second, compliance teams can use transaction screening software like Elliptic Navigator to identify where they have customers who have indirectly interacted with mixers. It is common for illicit actors like the Lazarus Group to send funds through a number of intermediary wallets (or “hops”) before or after the funds pass through the mixer, a technique known as “chain peeling” that is designed to further disguise the origin of the funds.
Using Elliptic’s exposure-based monitoring methodology, which uses holistic screening, compliance teams can identify exposure to sanctioned or high-risk mixers even when the related assets have gone through multiple hops, or have been exchanged for different assets or moved to different blockchains, ensuring they can identify and address indirect sanctions risk exposure.
Finally, compliance teams should be equipped with the capabilities to conduct in-depth investigations into suspected sanctions violations involving mixers and other obfuscation services. Using Elliptic Investigator, our multi-asset crypto-forensics tool, analysts can map the flow of funds to visualize complex transactions involving mixers, helping them determine if sanctions evasion may be occurring.
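To make the idea of indirect exposure across hops concrete, here is an added example (not Elliptic's code or methodology) that traces a deposit address backwards through a constructed transfer list and attributes inbound value proportionally to a flagged source. The address labels, the `FLAGGED` set and the proportional attribution rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (sender, receiver, amount). Labels are made up.
TRANSFERS = [
    ("mixer_X", "hop_1", 10.0),
    ("hop_1", "hop_2", 10.0),
    ("hop_2", "customer_A", 6.0),
    ("exchange_Y", "customer_A", 4.0),
    ("exchange_Y", "customer_B", 5.0),
]
FLAGGED = {"mixer_X"}  # hypothetical sanctioned or high-risk cluster


def build_inbound(transfers):
    """Index transfers by receiver so funds can be traced backwards."""
    inbound = defaultdict(list)
    for sender, receiver, amount in transfers:
        inbound[receiver].append((sender, amount))
    return inbound


def exposure(address, inbound, flagged, max_hops):
    """Return (share, hops): the share of inbound value traceable to a
    flagged address within max_hops, and the shortest hop distance
    (None if no flagged source is reachable)."""
    if address in flagged:
        return 1.0, 0
    if max_hops == 0 or not inbound.get(address):
        return 0.0, None  # depth limit also stops loops in the graph
    total = sum(amount for _, amount in inbound[address])
    share, nearest = 0.0, None
    for sender, amount in inbound[address]:
        s, h = exposure(sender, inbound, flagged, max_hops - 1)
        if s > 0:
            share += s * amount / total  # proportional attribution
            nearest = h + 1 if nearest is None else min(nearest, h + 1)
    return share, nearest


def screen(customers, transfers, flagged, max_hops, threshold):
    """Return {customer: (share, hops)} for customers at or above threshold."""
    inbound = build_inbound(transfers)
    results = {c: exposure(c, inbound, flagged, max_hops) for c in customers}
    return {c: r for c, r in results.items() if r[0] >= threshold}


if __name__ == "__main__":
    print(screen(["customer_A", "customer_B"], TRANSFERS, FLAGGED, 3, 0.25))
```

With a one-hop limit, which is equivalent to screening only direct counterparties, `customer_A` shows no exposure; the link to the flagged source appears only once the trace follows three hops.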
For a complete look at achieving sanctions compliance and how you can protect your organization from exposure, download our Guide to Cryptocurrency Sanctions Compliance 2023.