In the midst of Russia’s invasion of Ukraine, financial crime enforcement agencies like the US Financial Crimes Enforcement Network (FinCEN), UK Financial Conduct Authority (FCA), and others around the world have released guidance on red flags for cryptocurrency sanctions evasion. In light of this global effort, we’ve updated this article to include recommendations from agencies outside the United States.
In wartime or otherwise, money services businesses (MSBs) and virtual asset service providers (VASPs) based in many jurisdictions are obligated to monitor for sanctions evasion. Regulatory agencies such as FinCEN in the US, financial regulatory authorities in the UK (FCA, Bank of England and OFSI), and the Financial Action Task Force (FATF) release frequent compliance guidance to make meeting these obligations possible. Chainalysis Know Your Transaction (KYT), meanwhile, provides the tooling to make meeting these obligations easier.
Below, we examine several red flags for cryptocurrency sanctions evasion and how KYT can help your business identify and act on them.
The latest red flags for sanctions evasion
Red flag 1: Suspicious IP addresses
Per UK regulators: “The use of tools designed to obfuscate the location of the customer (e.g. an IP address associated with a virtual private network or proxy).”
Per US FinCEN: “Transactions initiated from or sent to the following types of Internet Protocol (IP) addresses: non-trusted sources; locations in Russia, Belarus, FATF-identified jurisdictions with AML/CFT/CP deficiencies, and comprehensively sanctioned jurisdictions; or IP addresses previously flagged as suspicious.”
According to OFAC guidance, cryptocurrency compliance teams should remain on high alert for transactions carried out by users whose IP addresses indicate they’re using a VPN or are located in Russia, Belarus, or any other high-risk or heavily sanctioned jurisdiction. As a blockchain analysis tool, we do not specialize in monitoring users’ IP addresses. However, compliance teams using Chainalysis KYT can make note of address information on the user’s risk profile page, as this information could provide valuable context in the event that the team needs to address other risky activity or submit a Suspicious Activity Report (SAR) in the future.
Red flag 2: Sanctioned cryptocurrency addresses
Per UK regulators: “Transactions to or from a wallet address associated with a sanctioned entity, or a wallet address otherwise deemed to be high-risk, based on its transaction history or that of associated addresses, or other factors.”
Per US FinCEN: “A customer’s transactions are connected to [cryptocurrency] addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List.”
All cryptocurrency addresses associated with individuals or entities on OFAC’s Specially Designated Nationals (SDN) List are labeled in Chainalysis products as belonging to our “Sanctions” category. We also continuously monitor for and label cryptocurrency addresses added to other sanctions lists worldwide. Chainalysis KYT automatically alerts compliance teams of any transactions their users attempt to carry out with those addresses, and applies our most severe risk score to those transactions.
Red flag 3: Direct exposure to high-risk exchanges
Per UK regulators: “Transactions involving a cryptoasset exchange or custodian wallet provider known to have poor customer due diligence procedures or which is otherwise deemed high-risk.”
Per US FinCEN: “A customer uses a [cryptocurrency] exchanger or foreign-located MSB in a high-risk jurisdiction with AML/CFT/CP deficiencies, particularly for CVC entities and activities, including inadequate ‘know-your-customer’ or customer due diligence measures.”
All Chainalysis products include a category called “High-risk exchanges” for exchanges with lax due diligence programs, high exposure to illicit activity, or other potential compliance shortcomings. Compliance teams using Chainalysis can then receive alerts when users transact with those exchanges. Importantly, Chainalysis makes these alerts customizable; compliance teams can assign unique transaction thresholds for alerts to be triggered for different counterparty categories based on their own risk strategy. This ensures customers have flexibility in assigning risk associated with this category.
Red flag 4: Direct exposure to mixers
Per UK regulators: “the use of tools designed to obfuscate the source of cryptoassets (e.g. mixers and tumblers).”
Per US FinCEN: “A customer initiates a transfer of funds involving a [cryptocurrency] mixing service.”
As with high-risk exchanges, compliance teams can set customized alerts to be notified immediately when customers transact with mixing services above a specific threshold of their choosing. While mixers are not illegal, they may suggest laundering activity. This is another reason why it’s important for blockchain analysis tools to correctly identify mixers.
Obscuring the source of funds with mixers is also an increasingly risky option for bad actors, especially when they try to move the large quantities needed to systematically evade sanctions: mixers require many users inputting comparable amounts of cryptocurrency in order to provide the desired obfuscation. In addition, Chainalysis’ recently publicized demixing capabilities may further disincentivize mixer usage for illicit activities.
FinCEN’s latest red flags for Russian ransomware activity
US FinCEN’s latest guidance also included three red flags indicating possible customer involvement in ransomware activity. This is important because Russian cybercriminals play an outsized role in overall ransomware activity, and some Russian ransomware organizations have voiced their intent to aid Russia in its war efforts.
Red flag: “A customer receives [cryptocurrency] from an external wallet, and immediately initiates multiple, rapid trades among [cryptocurrencies] with no apparent related purpose, followed by a transaction off the platform. This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.”
This red flag is different from the others in that the danger comes not from a known risky counterparty, but rather from suspicious trading activity that could indicate an attempt to launder money, such as a high volume of transactions in a short period of time with no discernible economic purpose, as described above. Luckily, Chainalysis KYT recently introduced a new behavioral alerts feature for just this purpose. With behavioral alerts, compliance teams can get notified when users carry out several transactions in rapid succession or engage in other unusual transaction patterns. Watch our webinar on-demand to learn more about the feature.
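The pattern in the FinCEN red flag above (external deposit, several rapid trades, then a transfer off the platform) can be expressed as a rule over a platform's own event log. The following is an added example, not Chainalysis KYT's implementation: the event layout, customer names, 30-minute window and three-trade threshold are all assumptions, and whether the trades have an "apparent related purpose" still needs analyst review.

```python
from datetime import datetime, timedelta

# Constructed sample events for two hypothetical customers:
# (customer, ISO timestamp, kind, detail)
EVENTS = [
    ("cust-A", "2022-03-10T09:00:00", "deposit", "BTC from external wallet"),
    ("cust-A", "2022-03-10T09:02:00", "trade", "BTC->ETH"),
    ("cust-A", "2022-03-10T09:04:00", "trade", "ETH->LTC"),
    ("cust-A", "2022-03-10T09:05:00", "trade", "LTC->USDT"),
    ("cust-A", "2022-03-10T09:09:00", "withdrawal", "USDT to external wallet"),
    ("cust-B", "2022-03-10T09:00:00", "deposit", "BTC from external wallet"),
    ("cust-B", "2022-03-12T15:00:00", "trade", "BTC->ETH"),
    ("cust-B", "2022-03-20T11:00:00", "withdrawal", "ETH to external wallet"),
]

def flag_rapid_trade_then_exit(events, window=timedelta(minutes=30), min_trades=3):
    """Return {customer: [(deposit_time, withdrawal_time, n_trades), ...]} for every
    deposit followed by >= min_trades trades and a withdrawal, all within `window`."""
    by_customer = {}
    for cust, ts, kind, _detail in events:
        by_customer.setdefault(cust, []).append((datetime.fromisoformat(ts), kind))
    hits = {}
    for cust, rows in by_customer.items():
        rows.sort()  # chronological order per customer
        for i, (t0, kind) in enumerate(rows):
            if kind != "deposit":
                continue
            trades = 0
            for t, k in rows[i + 1:]:
                # Stop at the window edge; a new deposit starts its own sequence.
                if t - t0 > window or k == "deposit":
                    break
                if k == "trade":
                    trades += 1
                elif k == "withdrawal":
                    if trades >= min_trades:
                        hits.setdefault(cust, []).append((t0, t, trades))
                    break
    return hits
```

Tightening `window` or raising `min_trades` trades recall for fewer false positives; both should follow the team's own risk strategy.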
Red flag: “A customer has either direct or indirect receiving transaction exposure identified by blockchain tracing software as related to ransomware.”
Compliance teams using Chainalysis KYT can receive automatic notifications when one of their users receives funds from an address associated with ransomware. FinCEN is right to specify that it’s not just direct transactions from ransomware addresses that compliance teams need to watch out for. They should also look for indirect exposure to ransomware addresses, meaning funds that have moved from ransomware addresses to their user’s address via intermediary addresses not hosted by services (e.g. unhosted wallet addresses). Chainalysis KYT provides alerts for indirect exposure to risky counterparties, so compliance teams get notified if a user receives ransomware funds via an intermediary.
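To make the direct/indirect distinction concrete, here is an added example (not Chainalysis KYT's algorithm) that walks backwards from a user's address through unhosted intermediaries and stops tracing at any address labelled as a service. The addresses, labels and `max_hops` limit are constructed assumptions, unlabelled addresses are treated as unhosted, and transfer amounts are ignored for simplicity.

```python
from collections import deque

# Constructed sample: transfers as (sender, receiver), plus labels for known addresses.
TRANSFERS = [
    ("ransom-1", "hop-1"), ("hop-1", "hop-2"), ("hop-2", "user-X"),  # via intermediaries
    ("ransom-1", "user-Y"),                                          # direct
    ("ransom-1", "exchange-Q"), ("exchange-Q", "user-Z"),            # via a hosted service
    ("clean-1", "user-Z"),
]
LABELS = {"ransom-1": "ransomware", "exchange-Q": "service"}

def ransomware_exposure(user_addr, transfers, labels, max_hops=5):
    """Breadth-first walk over incoming transfers, starting at user_addr.

    Returns a list of (ransomware_address, "direct" | "indirect", hops).
    Tracing continues through unlabelled (assumed unhosted) addresses and
    stops at addresses labelled "service"."""
    senders = {}
    for src, dst in transfers:
        senders.setdefault(dst, set()).add(src)
    seen, queue, found = {user_addr}, deque([(user_addr, 0)]), []
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue  # depth limit reached on this path
        for src in sorted(senders.get(addr, ())):
            if src in seen:
                continue
            seen.add(src)
            label = labels.get(src)
            if label == "ransomware":
                kind = "direct" if hops == 0 else "indirect"
                found.append((src, kind, hops + 1))
            elif label != "service":
                queue.append((src, hops + 1))  # unhosted intermediary: keep tracing
    return found
```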
Sanctions matter now more than ever
Recent events have made sanctions top of mind for cryptocurrency businesses. Chainalysis stands ready to help compliance teams navigate the challenges of sanctions compliance during the crucial weeks and months ahead, and we hope this blog serves as an example of how we can do that. Read more here about what cryptocurrency exchanges can do to comply with sanctions, or here to learn how to use our newly-released, free sanctions screening tools.