On 21 July 2025, the UK Office for Financial Sanctions Implementation (OFSI) released a detailed threat assessment focused on the crypto-asset sector’s vulnerability to sanctions breaches (the Assessment). This Assessment sends a clear warning to UK crypto firms: sanctions compliance is not optional, and enforcement is tightening.
The following is a summary of the Assessment, which is discussed in greater detail in our client alert found here.
Why Focus on Crypto?
OFSI’s attention to the crypto space reflects growing concern about how digital assets are being used to evade sanctions and facilitate financial crimes. Crypto firms registered with the Financial Conduct Authority (FCA) – including exchanges, ATM operators and wallet providers – are now seen as high-risk entities, especially given the borderless and rapid nature of crypto transactions.
Key Takeaways:
The report underscores several areas where crypto firms fall short:
- Incomplete self-disclosure: Many UK firms fail to report suspected sanctions breaches – either due to lack of detection, misunderstanding of obligations, or reluctance to self-report.
- Inadvertent non-compliance: Much of the non-compliance appears unintentional and stems from direct or indirect exposure to Designated Persons (DPs) listed on the OFSI Consolidated List (see here), or retrospective discovery of suspected breaches.
- Delayed breach discovery: Firms often identify exposure to sanctioned entities only after implementing blockchain analytics tools – by which time the damage is done.
- Challenges in freezing assets: Unlike banks, crypto firms cannot reject incoming transactions, making them particularly vulnerable to receiving funds from designated persons (DPs) or sanctioned jurisdictions.
Notable Threat Actors
OFSI highlighted three specific threats:
- Russia: UK firms were found to have transacted with the Russian exchange Garantex, despite its 2023 designation. Its successor, Grinex, and links to ransomware operations and darknet markets like Hydra further heighten the threat.
- Iran: OFSI suspects that UK firms may have facilitated transactions with Nobitex, an Iranian exchange tied to the Islamic Revolutionary Guard Corps.
- North Korea: UK crypto firms are at high risk of targeting DPRK-linked hackers. The February 2025 Bybit hack, which resulted a $1.5 billion loss, underscores the scale of the threat.
Red Flags to Watch Out For
OFSI outlines several red flags crypto firms must monitor, including:
- Dealings with DPs or their proxies;
- Abrupt or unusual activity from previous dormant wallets; and
- High-volume microtransactions.
Reccomendations
To stay compliant, OFSI recommends that crypto-asset firms adopt robust compliance measures including:
- Providing staff training on sanctions risks and red flags;
- Deploying blockchain analytics tools for tracing and screening;
- Reviewing internal processes for managing frozen crypto-assets;
- Enhancing due diligence on counterparties and transaction structures;
- Regularly updating compliance frameworks as regulations evolve; and
- Reporting to OFSI as well as file Suspicious Activity Reports with the National Crime Agency (NCA) (reporting to the NCA and OFSI can be found here and here).
Conclusion
The key message from OFSI is unmistakable: passive compliance is no longer enough. As such, UK crypto-asset firms must proactively upgrade their systems to detect, prevent and report sanctions breaches.
