Complying with financial and economic sanctions remains one of the most significant challenges facing compliance teams at cryptoasset exchanges and financial institutions.
At Elliptic, we recently published our report Cryptocurrency Sanctions Compliance: Using Blockchain Analytics to Mitigate Risk, in which we outline a series of steps compliance teams can take to effectively identify and meet sanctions requirements. Among the key steps in the report is ensuring robust transaction screening practices to enable the detection of sanctions risks.
In this article, we’ll take a deep dive into a key issue that compliance teams face when it comes to vetting crypto transactions for sanctions risks: the importance of detecting exposure to sanctioned parties through numerous “hops” or intermediary addresses.
The importance of tracing through hops in crypto transactions
As illustrated in the diagram below, a cryptoasset exchange or other service provider may encounter situations where there is a direct interaction between their wallet and the wallet of a sanctioned party that appears on the sanctions list maintained by the US Treasury’s Office of Foreign Assets Control (OFAC).
The above image from Elliptic Investigator illustrates a direct transaction between the OFAC SDN Wu Huihui, an individual sanctioned by OFAC for laundering funds on behalf of the Lazarus Group, and a cryptoasset exchange service.
In other cases, however, transactions may occur where the interactions between the exchange and the sanctioned party are indirect and go through one or more “hops” or transfers via intermediary crypto addresses. This is shown in the following image.
The above image from Elliptic Investigator illustrates a transaction between the OFAC SDN Yinyin Tian, whom OFAC sanctioned for supporting the Lazarus Group, and a cryptoasset exchange service. The white circles represent the 11 intermediate hops through which Yinyin Tian sent the funds before depositing them on the exchange.
In considering such a case, it may be tempting for the cryptoasset exchange’s compliance team to assume that there is a reduced risk of facilitating a sanctions violation because the transaction did not occur directly with the wallet of an OFAC-sanctioned person. This, however, would be a wrong and potentially costly assumption.
First, it is important to note that the obligation to comply with OFAC’s sanctions includes the responsibility to avoid providing an indirect benefit to sanctioned persons. Second, it is also important to be aware that sanctioned individuals and entities often deliberately transfer funds through numerous hops to try to avoid detection.
As illustrated in the example above, a sanctioned party could transfer funds through a number of hops in the hope that the exchange’s compliance team might not notice the connection to them, because the compliance team has decided to discount any exposure to sanctioned persons beyond a predefined number of hops.
This dynamic can play out in more complex ways. For example, North Korea’s sanctioned Lazarus Group – a cybercriminal organization – has often used the technique of sending funds via multiple hops to launder cryptoassets it stole from crypto exchanges and decentralized finance (DeFi) protocols. This laundering technique is known as a “peel chain” and is designed to conceal the source of the funds, as shown in the image below.
The above image from Elliptic Investigator illustrates the flow of funds in a “peel chain” of transactions after the Lazarus Group stole a cryptoasset from a South Korean crypto exchange – Bithumb – in June 2018. The funds eventually passed through dozens of wallets before being deposited into a Russian crypto exchange known as YoBit.
Accordingly, if a cryptoasset exchange receives funds from a sanctioned actor that have gone through a large number of hops, the exchange risks violating sanctions if it fails to disclose the original source of the funds and block the funds as required by OFAC.
This risk is increased if the exchange’s compliance team relies on blockchain analytics solutions that stop looking for exposure to sanctioned parties after a predetermined number of hops, such as three or five hops. In this case, the compliance team could fail to identify funds belonging to the sanctioned actor.
To address this risk, Elliptic’s blockchain analytics solutions track all hops until exposure to a sanctioned actor is detected, ensuring comprehensive compliance with sanctions requirements can be achieved and risks appropriately addressed.
Using Elliptic Navigator – our transaction screening solution – a crypto exchange will be alerted to exposure to sanctioned entities even when those entities have tried to hide their activity behind dozens of hops, as North Korean cybercriminals and other sanctioned actors often try to do. These insights will allow the exchange to block relevant transactions and prove to regulators that they were able to detect sanctions risks affecting their business.
Go even deeper with holistic screening
In addition, compliance teams face the challenge of sanctioned actors moving cryptoassets not only through multiple hops, but across multiple assets and blockchains.
For example, the Lazarus Group has used DeFi services such as decentralized exchanges (DEXs) to launder the cryptoassets it steals. In these cases, the Lazarus Group sends the stolen stablecoins and tokens through the DEX, where it converts them into Ether, which it can then move through the peel chain process.
To identify the original source of funds in such cases, compliance teams must be able to identify exposure to sanctioned parties even when the funds have passed through services such as DEXs.
Consider a potential scenario. Suppose a crypto exchange has a customer named Bob, who deposits Tether on the exchange. Using legacy blockchain analytics, the exchange will only detect sanctions risks if the Tether address used for payment is linked to other Tether addresses on the SDN list. This is illustrated in the image below.
However, with Elliptic’s Holistic Screening capabilities, the exchange immediately identifies that the Tether Bob received is traceable to the DEX, where it was exchanged for Ether originating from a wallet belonging to the Lazarus Group. The impact of this improved ability to detect risk through cross-asset flows is illustrated below.
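The difference between hop-limited, single-asset screening and screening that follows every hop across assets can be shown on a small transaction graph. The following is an added example, not Elliptic's code or method: the addresses and transfers are constructed, and the trace works at address level only, ignoring amounts.

```python
from collections import deque

# Constructed sample data; every address name here is hypothetical.
SANCTIONED = {"sanctioned_wallet"}

def sample_edges():
    """Transfers as (sender, receiver, asset)."""
    # Same-asset route: 11 intermediary addresses before the exchange deposit.
    chain = ["sanctioned_wallet"] + [f"hop{i}" for i in range(1, 12)] + ["deposit_a"]
    edges = [(a, b, "ETH") for a, b in zip(chain, chain[1:])]
    # Cross-asset route: ETH swapped at a DEX for USDT, which Bob then deposits.
    edges += [("sanctioned_wallet", "dex", "ETH"),
              ("dex", "bob", "USDT"),
              ("bob", "deposit_b", "USDT")]
    return edges

def trace_exposure(edges, deposit, sanctioned, max_hops=None, asset=None):
    """Walk backwards from a deposit address towards the source of funds.

    max_hops: most intermediary addresses to look through (None = no cut-off).
    asset:    follow only transfers in this asset (None = follow all assets).
    Returns the address path from the sanctioned source to the deposit, or None.
    """
    incoming = {}
    for sender, receiver, edge_asset in edges:
        if asset is None or edge_asset == asset:
            incoming.setdefault(receiver, []).append(sender)
    queue, seen = deque([[deposit]]), {deposit}
    while queue:
        path = queue.popleft()          # path[0] is the earliest address so far
        for sender in incoming.get(path[0], []):
            if sender in seen:
                continue
            seen.add(sender)
            if sender in sanctioned:
                return [sender] + path
            # len(path) = intermediaries on the path once `sender` is added
            if max_hops is None or len(path) <= max_hops:
                queue.append([sender] + path)
    return None

def hops(path):
    """Intermediary addresses between the source and the deposit."""
    return len(path) - 2

if __name__ == "__main__":
    e = sample_edges()
    for limit in (3, 5, None):
        print("max_hops", limit, "->", trace_exposure(e, "deposit_a", SANCTIONED, limit))
    print("USDT only ->", trace_exposure(e, "deposit_b", SANCTIONED, asset="USDT"))
    print("all assets ->", trace_exposure(e, "deposit_b", SANCTIONED))
```

With a cut-off of three or five hops the first deposit looks clean, and with USDT-only tracing so does Bob's; removing both restrictions surfaces the sanctioned source in each case.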
Compliance success with the next generation of blockchain analytics
Ensuring compliance with sanctions requires access to wallet and transaction verification solutions that allow you to know exactly when your business will be exposed to sanctioned entities.
Contact us to learn more about how Elliptic’s next-generation blockchain analytics solutions can empower your business to achieve effective and efficient sanctions risk management.
In the meantime, click below to read our report “Cryptocurrency Sanctions Compliance: Using Blockchain Analytics to Mitigate Risk”.