Regulators are increasingly taking enforcement action against crypto asset industry participants for violating anti-money laundering (AML) and sanctions laws. Regulators are concerned about the illicit use of crypto assets and are increasingly scrutinizing crypto asset companies. As we have previously discussed,1 companies in the crypto asset industry must be acutely aware of their AML and sanctions obligations or face the risk of an enforcement action by a federal or state regulator.
As the chart below documents, federal and state regulators, including the Department of the Treasury, the Department of Justice (DOJ), and the New York Department of Financial Services (NYDFS), have ramped up enforcement actions against crypto asset companies. Notably, of the approximately two dozen enforcement actions in the chart, the majority occurred in the last three years. The increase in enforcement actions underscores the importance for companies in the crypto asset space of maintaining effective AML and sanctions compliance programs. Violations of AML and sanctions laws could lead to civil and criminal liability, including the imposition of steep fines to imprisonment, or both.
Date |
Entity |
Charge |
Resolution |
May 1, 2023 |
Poloniex, LLC (crypto asset trading platform) |
Treasury’s Office of Foreign Assets Control (OFAC) determined Poloniex was potentially liable for tens of thousands of individual sanctions violations over nearly six years. According to its press release, OFAC found that Poloniex significantly delayed the establishment of its sanctions compliance program and, following implementation, did not sufficiently block the use of its platform by IP addresses in sanctioned jurisdictions. |
Poloniex paid over $7.5 million in its OFAC settlement. |
Apr. 14, 2023 |
BitPay Inc. (U.S.-based payment processing solution for merchants to accept digital currency) |
The NYDFS found that BitPay “failed to establish a system of internal controls designed to ensure ongoing compliance with the relevant AML laws and failed to provide for independent testing of its AML program.” Further, the NYDFS determined that BitPay did not “establish an OFAC quality assurance process”, and it failed to meet various cybersecurity requirements. |
BitPay agreed to a NYDFS settlement of $1 million. |
Mar. 27, 2023 |
Binance (digital asset trading platform) and its owner and CEO, Changpeng Zhao |
The Commodity Futures Trading Commission (CFTC) filed a civil enforcement action against the entities that operate Binance as well as the platform’s owner and CEO for allegedly “knowingly disregard[ing] applicable provisions of the [Commodity Exchange Act (CEA)] while engaging in a calculated strategy of regulatory arbitrage for commercial benefit.” Allegedly, the company failed to require customers to provide identifying information, instructed some U.S.-based customers on how to evade its compliance controls, and failed to implement compliance procedures to prevent AML and terrorist financing. |
Litigation is ongoing in the Northern District of Illinois, as of June 2023. |
Jan. 18, 2023 |
Anatoly Legkodymov, executive of Bitzlato Ltd. (Hong Kong-registered cryptocurrency exchange) |
Legkodymov was arrested for operating Bitzlato, which the DOJ alleged to have transmitted and transported illicit funds, and failed to follow AML laws and other regulatory safeguards. According to the DOJ, Bitzlato required little identifying information from users, and it used this fact as part of its marketing approach. Allegedly, Legkodymov wrote in a message on the company’s chat system that users were “known to be crooks” and registered on the platform under false identities. |
Litigation is ongoing in the Eastern District of New York as of June 2023. |
Jan. 4, 2023 |
Coinbase, Inc. (U.S.-based digital currency exchange) |
The NYDFS determined that Coinbase had “significant failures in its compliance program,” including the failure to track, monitor, and report suspicious activity as required under the New York Banking Law and NYDFS regulations (incorporating federal law). The violations were discovered during a routine examination. |
Coinbase paid $50 million to New York State and agreed to invest $50 million to improve its AML and sanctions compliance program. |
Sept. 22, 2022 |
bZeroX LLC (operator of a decentralized blockchain-based protocol) and its founders, Tom Bean and Kyle Kistner |
The CFTC charged bZeroX, Bean, and Kistner with “illegally offering leveraged and margined retail commodity transactions in digital assets; engaging in activities only registered futures commission merchants (FCM) can perform; and failing to adopt a customer identification program as part of the [Bank Secrecy Act (BSA)].” In taking this action, the CFTC chairman stated that he was determined to pursue an aggressive approach towards operations that purposefully evade oversight. |
The CFTC settlement imposed a $250,000 civil monetary penalty on bZeroX, Bean, and Kistner. It also required that they cease and desist from further violations of this kind. |
Sept. 22, 2022 |
Ooki DAO (decentralized autonomous organization and successor to bZeroX—see row above) |
The CFTC filed a federal civil enforcement action against Ooki Dao, charging Ooki Dao with violating the same laws—described in the row above—that bZeroX violated, including the failure to adopt a customer identification program as part of its AML program. Allegedly, Ooki DAO ran an unregistered digital currency exchange that “operated the same software protocol as bZeroX.” |
Litigation is ongoing in the Northern District of California as of May 2023. One key ruling in the course of litigation was that, even though the exchange is a decentralized technological association (comprised of a collective of token holders jointly operating the software protocol) notice can be properly served upon it as though it were an “unincorporated association.” |
Aug. 5, 2022, |
BTC-e (digital currency exchange) and its owner, Alexander Vinnik |
According to the DOJ, BTC-e had a customer base that was heavily reliant on criminals. Allegedly, BTC-e lacked AML processes and other internal controls to prevent the use of its services for illegal purposes. The DOJ stated that BTC-e “had no AML process, no system for appropriate ‘know your customer or ‘KYC’ verification, and no AML program as required by federal law.” As a result, BTC-e allegedly facilitated money laundering and did not report suspicious activity to law enforcement. |
Aug. 2022: Vinnik was extradited to the U.S. from Greece. Litigation is ongoing in the Northern District of California as of June 2023. July 2017: The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) assessed a civil monetary penalty of nearly $110 million against BTC-e, and a $12 million penalty against Vinnik. He was arrested in Greece and later extradited to France, serving out an additional sentence in connection with money laundering charges. |
Aug. 8, 2022 |
Tornado Cash (digital currency mixer) |
OFAC determined that Tornado Cash was used to launder $7 billion in cryptocurrency, including $455 million that was stolen by a hacking group sponsored by the Democratic People’s Republic of Korea (DPRK). OFAC added Tornado Cash to the Specially Designated National (SDN) list on the grounds that its mixer enabled illicit activities and sanctions evasion. OFAC also stated that it considers mixers like Tornado to be “high-risk,” until they have adequate AML controls in place. |
OFAC added Tornado to the SDN List, where it remains listed. Oct. 2022: Coin Center (a DC-based think tank that researches and advocates for cryptocurrency) sued OFAC, seeking Tornado Cash’s removal from the SDN List. Litigation is ongoing in the Northern District of Florida as of June 2023. |
Aug. 8, 2022 |
Gregory Dwyer (high-ranking employee at BitMEX) |
Dwyer, the Head of Business Development at BitMEX, pled guilty to violating the BSA by willfully failing to establish an AML program in his role at BitMEX. According to the DOJ press release, Dwyer knew that purported BitMEX “controls” were inadequate to comply with AML and “know your customer” requirements. |
Dwyer was fined $150,000 and sentenced to a year of probation. |
May 6, 2022 |
Blender.io (digital currency mixer) |
OFAC determined that Blender.io was used extensively by a hacking group sponsored by DPRK. The mixer was allegedly used in support of malicious hacking and for laundering stolen cryptocurrency. OFAC designated Blender.io, and stated it will continue to "investigate the use of mixers for illicit purposes and consider the range of authorities [it] has to respond to illicit financing risks in the virtual currency ecosystem." |
OFAC added Blender to SDN List. |
April 5, 2022 |
Garantex (Russia-based digital currency exchange originally registered in Estonia) |
OFAC found that over $100 million in Garantex transactions were connected to illicit actors and markets. OFAC described Garantex as willfully disregarding AML and countering the financing of terrorism obligations. |
OFAC added Garantex to the SDN List. |
Oct. 11, 2022 |
Bittrex, Inc. (U.S.-based digital currency exchange) |
OFAC and FinCEN took parallel actions, finding apparent violations of multiple sanctions programs as well as willful violations of the BSA’s AML and suspicious activity reporting (SAR) requirements. The company allegedly failed to block thousands of transactions prohibited by U.S. sanctions and identify other suspicious transactions initiated using its platform. |
Bittrex agreed to pay a total settlement of over $53 million, including $24 million to OFAC and $29 million to FinCEN. |
Feb. 25, 2022 |
Satish Kumbhani, founder of BitConnect (alleged fraudulent cryptocurrency investment platform) |
According to the DOJ, BitConnect misled its investors about its “lending program,” paying earlier investors with money from later investors. Further, the DOJ press release states that BitConnect did not register with FinCEN as a money services business (MSB), as required by the BSA, thereby evading regulatory scrutiny. |
Kumbhani charged with “conspiracy to commit wire fraud, wire fraud, conspiracy to commit commodity price manipulation, operation of an unlicensed money transmitting business, and conspiracy to commit international money laundering,” according to a DOJ press release. “If convicted of all counts, he faces a maximum total penalty of 70 years in prison.” |
Feb. 24, 2022, |
February: Arthur Hayes and Benjamain Delo, two of three co-founders of BitMEX (digital currency exchange) March: Samuel Reed, BitMEX’s third co-founder. |
Hayes, Delo, and Reed all pled guilty to violating the BSA for failing to establish, implement and maintain an AML program (including a know your customer program). Further, according to the SDNY, BitMEX purported to withdraw from the U.S. market in 2015 but in effect did not because the purported controls BitMEX implemented to prevent U.S. trading were ineffective. |
Separate plea agreements for Hayes, Delo, and Reed required each to make a payment of $10 million in criminal fines. |
Nov. 8, 2021 |
Chatex (Russia-based digital currency exchange) |
OFAC found that Chatex and its associated support network facilitated transactions for ransomware actors. According to OFAC, the support network included three companies: IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd. OFAC designated Chatex, IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd. “Unprincipled virtual currency exchanges like Chatex are critical to the profitability of ransomware activities,” OFAC wrote. “Treasury will continue to use all available authorities to disrupt malicious cyber actors.” |
OFAC added the four entities—Chatex, IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd—to the SDN List. |
Sept. 21, 2021 |
SUEX OTC, S.R.O. (Russia-based digital currency exchange) |
OFAC sanctioned SUEX for “providing material support to the threat posed by criminal ransomware actors.” It found that 40 percent of known SUEX transactions were associated with illicit actors. |
OFAC placed SUEX on the SDN List.
|
Aug. 10, 2021 |
BitMEX (convertible virtual currency derivatives exchange) |
FinCEN found that BitMex, which operated as an unregistered futures commission merchant and provided money transmission services, violated the BSA and FinCEN’s implementing regulations by willfully failing to comply with the BSA for over six years. |
FinCEN assessed a $100 million civil money penalty against BitMEX. |
Feb. 18, 2021 |
BitPay, Inc. (U.S.-based payment processing solution for merchants to accept digital currency) |
OFAC found potential liability for over two thousand apparent violations of multiple sanctions programs. BitPay allegedly facilitated digital currency transactions between merchants based in the U.S. (and elsewhere) and persons in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria. |
BitPay agreed to remit $507,375 to settle its potential civil liability. |
Dec. 30, 2020 |
BitGo, Inc. (U.S.-based company that offers wallet management services and implements security and scalability platforms for digital assets) |
OFAC found nearly two hundred apparent violations of multiple sanctions programs because BitGo’s wallet management service was allegedly used by IP addresses in sanctioned jurisdictions: the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria. |
BitGo agreed to remit $98,830 to settle its potential civil liability. |
Oct. 19, 2020, and Aug. 18, 2021 |
Larry Dean Harmon, founder and primary operator of Helix (convertible virtual currency mixer) |
In Oct. 2020, FinCEN found that Helix violated the BSA and its implementing regulations because it did not register as an MSB, implement an effective AML program, or report suspicious activities. In Aug. 2021, Harmon pled guilty to a money laundering conspiracy arising from his operation of Helix, which allegedly partnered with several Darknet markets to provide bitcoin money laundering services; Helix moved over $300 million in bitcoin, with a significant portion of this business coming from Darknet markets. According to the DOJ, the laundered bitcoin allegedly included profits from illegal activity, including drug trafficking. |
FinCEN assessed a $60 million civil money penalty against Harmon. |
April 18, 2019 |
Eric Powers, operator of a “peer-to-peer” digital currency exchange |
FinCEN found that Powers violated the BSA when he did not register his exchange as an MSB, report suspicious transactions, or have any written BSA/AML compliance policies. |
Powers cooperated with FinCEN efforts and was given a $35,000 fine as well as an industry bar prohibiting him from engaging in any other activity that would make him an MSB. |
May 5, 2015 |
Ripple Labs Inc. (virtual currency exchanger) |
FinCEN found that Ripple Labs willfully violated the BSA by acting as an MSB and selling virtual currency without registering with FinCEN, and failing to implement and maintain an adequate AML program. |
FinCEN assessed a $700,000 civil money penalty against Ripple Labs. |
Based on these recent enforcement actions, crypto asset industry participants companies should:
1. Get the right policies in place, and ensure they are adequately resourced. Companies should incorporate AML and sanctions compliance policies into their business functions at the outset and retroactively apply any new controls to existing customers.
2. Maintain and operate a sanctions screening program. While technically there is no proactive legal requirement to conduct sanctions screening, the OFAC’s “strict liability” standard underscores the practical importance of maintaining a sanctions screening program and implementing IP blocking. Companies should conduct sanctions screening during customer onboarding, and on a transactional basis (i.e., at the time a customer initiates a transaction).
3. Stay up to date. Companies need to periodically revisit their AML and sanctions compliance policies as they grow, when they change their service or product offerings, and when underlying laws change. This will include evaluating the effectiveness of the AML and sanctions procedures and adapting quickly when a compliance program is no longer sufficient.
4. Stay flexible. Companies should make sure their compliance programs are tailored to their size and business model. Additionally, they should consider risk factors such as geographic location, activities, size, and counterparties when implementing an AML and sanctions compliance program.
Crypto asset companies should consult with legal counsel to evaluate their business operations and money laundering and sanctions risks, and assist with creating, revising, or implementing their compliance policies to ensure they are adequately tailored to the size and scope of the company’s business operations.
If you have any questions about your company’s AML and sanctions compliance obligations or policies, please reach out to any member of Wilson Sonsini’s national security practice.
[1] OFAC Penalizes Another Crypto Asset Company for Sanctions Violations (May 2023); Coinbase Agrees to Pay $100 Million and Improve Compliance Program as Regulators Continue Scrutiny of Crypto Asset Companies (Jan. 2023); Crypto Exchange Agrees to Pay More than $362,000 to Settle Alleged Sanctions Violations (Dec. 2022); Cryptocurrency Exchange Platform Agrees to Pay over $53 Million for Anti-Money Laundering and Sanctions Violations (Oct. 2022); Money Services Businesses Penalized for Failure to Adopt Robust Anti-Money Laundering Practices (Aug. 2022); MSB or Not MSB? That Is the Question (for Determining Applicability of Anti-Money Laundering Rules (Jan. 2021); Anti-Money Laundering Obligations for Virtual Currency Companies (April 2018).