On September 21, 2021, in a first-of-its-kind action, the US Treasury Department's Office of Foreign Assets Control (“OFAC”) imposed economic sanctions on SUEX OTC, SRO (“SUEX”), a virtual currency exchange, for facilitating the payment of ransoms following ransomware cyber attacks.
In its press release announcing the sanctions, OFAC indicated that more than 40% of SUEX transactions involved illicit actors. SUEX has been added to OFAC’s list of Specially Designated Nationals and Blocked Persons (“SDN List”), which means that all of SUEX’s assets and interests in assets that are subject to US jurisdiction are blocked, and Americans are generally prohibited from engaging in transactions with SUEX.
In addition to designating SUEX as an SDN, OFAC has also updated its Notice on Potential Sanctions Risks for Facilitating Ransomware Payments (“Notice”), which was originally published on October 1, 2020. (For more information on the original Notice, see our article Ransomware attacks are on the rise; Are you ready?)
The content of the updated Notice is substantially similar to the original 2020 Notice, with the significant addition of information on the SUEX designation. OFAC also added a more detailed discussion of steps victims of ransomware attacks can take to mitigate risk, including actions that OFAC would consider mitigating factors in any enforcement action. In the Notice, OFAC makes it clear that it will continue to sanction actors and others who materially assist, sponsor or provide financial, material or technological support for ransomware attacks.
OFAC calls SUEX a “virtual currency exchange,” but the exchange deals with what is commonly referred to as “cryptocurrency,” or in other words, an encrypted and decentralized digital currency. It should be noted that OFAC defines “virtual currency” and “digital currency” separately, with virtual currency being a subset of digital currency.
Under OFAC’s sanctions programs, “virtual currency” is “a digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; is neither issued nor guaranteed by any jurisdiction; and is not legal tender in any jurisdiction.” OFAC further defines “digital currency” to include “sovereign cryptocurrency, virtual (non-fiat) currency and a digital representation of fiat currency”.
Because cryptocurrency is a decentralized currency, government agencies, including OFAC, have struggled to regulate or enforce this recent innovation in the financial world. In addition to the ransomware payment context described in the Notice (for which SUEX has been specifically sanctioned), cryptocurrency can also be – and has been – used in a variety of other illicit contexts.
The SUEX designation is the first time OFAC has sanctioned a cryptocurrency exchange, but OFAC has also targeted actors involved in digital currency, including sovereign governments. On March 19, 2018, President Trump signed Executive Order 13827 (“EO 13827”), Taking additional measures to remedy the situation in Venezuela, which prohibits U.S. nationals from engaging in transactions associated with “any digital currency, digital coin, or digital token, which was issued by, for or on behalf of the government of Venezuela on or after January 9, 2018.”
As the main body enforcing these prohibitions, OFAC has published Frequently Asked Questions (“FAQs”) that interpret the prohibitions in EO 13827. Among other things, the FAQs clarified that the cryptocurrencies “Petro” and “petro-gold” are considered a “digital currency, digital coin or digital token” for the purposes of EO 13827. However, the traditional fiat currency of Venezuela, the “bolivar fuerte”, is not considered a digital currency and is therefore not subject to the same prohibitions.
In addition to EO 13827’s specific bans on Venezuelan digital currency, OFAC has also pursued enforcement actions against companies in the cryptocurrency industry, with two such actions in the past year alone. On December 30, 2020, OFAC entered into a settlement agreement of $98,830 with BitGo, Inc. (“BitGo”) for alleged violations of several OFAC sanctions programs.
BitGo implements security and scalability platforms for digital assets and offers a non-custodial secure digital portfolio management service, which are services related to digital currency transactions. People in Syria, Iran, Cuba, Sudan and the Crimea region of Ukraine could have used BitGo’s digital wallet services due to BitGo’s failure to restrict access to its services from sanctioned jurisdictions.
According to OFAC’s settlement agreement, BitGo processed 183 digital currency transactions for individuals in sanctioned jurisdictions. BitGo had reason to know that people in sanctioned jurisdictions were using its services because the company was tracking the Internet Protocol (“IP”) addresses of its users for security purposes. However, BitGo did not use this IP address information for sanctions compliance purposes.
In a similar case, on February 18, 2021, OFAC entered into a $507,375 settlement agreement with BitPay, Inc. (“BitPay”) for apparent violations of sanctions related to digital currency transactions. BitPay offers a payment processing solution that allows merchants to accept digital currency as a means of payment for goods and services.
OFAC alleged that BitPay was potentially responsible for 2,102 transactions using digital currency between US merchants and people in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan and Syria. Similar to BitGo, BitPay collected location and IP address information for its customers, but did not use this information to prevent violations of sanctions programs. OFAC used the enforcement actions against BitGo and BitPay to remind companies involved in digital currency services, like all financial service providers, to take action to understand and mitigate the risks of sanctions compliance.
While BitGo and BitPay are US companies that were the subject of OFAC enforcement actions, the SUEX matter is different because SUEX is a foreign company that has become subject to sanctions prohibitions. SUEX is a concierge cryptocurrency exchange with locations in Russia and the Czech Republic. SUEX was a “nested” exchange, meaning it did not have direct custody of its clients’ cryptocurrency, but instead used the infrastructure of a larger multinational exchange. Using this mechanism, SUEX masked its connection to the larger cryptocurrency exchange and was able to very successfully convert its clients’ illicit funds into physical cash. Although SUEX has been specifically referenced in the Notice, OFAC’s concern with cryptocurrency exchanges also extends to the facilitation of sanctions evasion, ransomware schemes, and other cybercrimes.
In announcing SUEX’s SDN designation, OFAC specifically stated that SUEX facilitates illegal transactions for its own illicit purposes, unlike certain other digital currency exchanges that are simply “operated by malicious actors”, including, for example, two Chinese nationals designated by OFAC as SDNs on March 2, 2020 for laundering cryptocurrency stolen during a 2018 cyber intrusion against a cryptocurrency exchange. This cyber intrusion is linked to Lazarus Group, a malicious cyber group sponsored by the North Korean state, itself designated as an SDN.
Enforcement activity directed at the cryptocurrency market should serve as a warning to US persons of the potential for sanctions liability regarding 1) activity related to particular cryptocurrencies, as is the case with the Venezuelan state cryptocurrency, or cryptocurrency exchanges, such as SUEX; and 2) the provision of cryptocurrency services, which could result in violations of sanctions regulations vis-à-vis SDN-listed individuals or individuals located in sanctioned jurisdictions.
As such, companies and individuals operating in this ever-expanding industry should create a risk-based sanctions compliance program to mitigate and prevent sanctions violations. Cryptocurrency service companies should also train their employees on sanctions compliance, including screening, identifying red flags, and blocking and reporting prohibited transactions.
1 OFAC Sanctions Action Notice, 86 Fed. Reg. 53147 (Sept. 24, 2021), available at https://www.govinfo.gov/content/pkg/FR-2021-09-24/pdf/2021-20745.pdf.
2 Treasury takes robust action to counter ransomware, US Department of the Treasury Office of Foreign Assets Control (September 21, 2021), available at https://home.treasury.gov/news/press-releases/jy0364.
3 Update to the advisory on potential sanctions risks to facilitate ransomware payments, US Department of the Treasury Office of Foreign Assets Control (September 21, 2021), available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf.
4 Definition of cryptocurrency, Merriam-Webster, https://www.merriam-webster.com/dictionary/cryptocurrency (last visited on September 29, 2021).
5 Frequently Asked Questions: Virtual Currency Questions, US Department of the Treasury Office of Foreign Assets Control, https://home.treasury.gov/policy-issues/financial-sanctions/faqs/559 (last visited on September 29, 2021).
6 Executive Order 13827 of March 19, 2018, Taking additional measures to remedy the situation in Venezuela (March 19, 2018), available at https://home.treasury.gov/system/files/126/13827.pdf.
7 OFAC Reaches $98,830 Settlement with BitGo, Inc. for Apparent Violations of Several Sanctions Programs Related to Digital Currency Transactions, US Department of the Treasury, Office of Foreign Assets Control (December 30, 2020), available at https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.
8 OFAC Reaches $507,375 Settlement with BitPay, Inc. for Apparent Violations of Several Sanctions Programs Related to Digital Currency Transactions, US Department of the Treasury, Office of Foreign Assets Control (February 18, 2021), available at https://home.treasury.gov/system/files/126/20210218_bp.pdf.
9 Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group, US Department of the Treasury Office of Foreign Assets Control (March 2, 2020), available at https://home.treasury.gov/news/press-releases/sm924.