← Back to guides

Sanctions Screening for Crypto Transactions

2026-04-18 · Web3 Compliance AI

The Sanctions Compliance Obligation

Sanctions screening is a legal requirement, not optional risk management. Violations carry severe penalties — OFAC can impose fines of over $300,000 per violation under a strict liability regime where intent is irrelevant. The EU, UK, and other jurisdictions impose similar obligations with criminal penalties for non-compliance. For crypto businesses, sanctions compliance has unique challenges: pseudonymous addresses, cross-border transactions by default, mixing and privacy tools, and rapidly evolving designations.

Since 2018, OFAC has designated specific cryptocurrency wallet addresses on the Specially Designated Nationals (SDN) List. The Tornado Cash designation in August 2022 marked the first time a smart contract protocol was sanctioned, establishing that sanctions law applies to on-chain infrastructure, not just named individuals.

What Must Be Screened

Customer Screening

Screen all customers against sanctions lists at onboarding and on an ongoing basis. Required lists by jurisdiction:

List Maintaining Authority Jurisdiction Update Frequency
SDN List (Specially Designated Nationals) OFAC United States Multiple times per week
Consolidated Sanctions List OFAC United States Includes SDN + sectoral + other programs
EU Consolidated Financial Sanctions List European Commission EU As needed (after Council decisions)
UN Security Council Sanctions List UN Global As needed (after Security Council resolutions)
HMT Consolidated List HM Treasury (OFSI) United Kingdom As needed
SECO Sanctions List SECO Switzerland As needed
MAS Sanctions List MAS Singapore As needed (implements UN lists)
DFAT Consolidated List DFAT Australia As needed

Screen these data points: Full names (all known aliases), dates of birth, nationalities, identity document numbers, addresses, and any other identifying information. Use fuzzy matching algorithms to catch transliteration variations, misspellings, and name variations across scripts (e.g., Arabic, Cyrillic).

OFAC 50% Rule: Entities owned 50% or more (individually or in aggregate) by one or more blocked persons are themselves blocked, even if not explicitly listed on the SDN List. Your screening must account for ownership chains.

Transaction Screening (Wallet Addresses)

Screen wallet addresses involved in every transaction — both deposits and withdrawals. This is unique to crypto and is where most enforcement failures occur.

Addresses to screen against:

  1. OFAC published crypto addresses — OFAC includes specific cryptocurrency addresses on the SDN List. As of 2026, hundreds of addresses have been designated across Bitcoin, Ethereum, and other chains.
  2. EU and UN designated addresses — Fewer explicit address designations, but growing.
  3. Blockchain analytics flagged addresses — Addresses identified by analytics providers as associated with:
    • Sanctioned entities or jurisdictions
    • Darknet marketplaces
    • Ransomware operators
    • Terrorist financing networks
    • Sanctioned mixers and tumblers (Tornado Cash, Blender.io, Sinbad)
    • Fraud and scam operations

Blockchain Analytics Integration

Raw address matching against published sanctions lists is necessary but not sufficient. Blockchain analytics tools provide critical additional capabilities:

Indirect exposure analysis — Funds that passed through a sanctioned mixer or interacted with a sanctioned address, even if the direct counterparty is not sanctioned. OFAC expects VASPs to analyze exposure beyond direct transactions.

Cluster analysis — Linking addresses to sanctioned entities through on-chain behavior patterns. A sanctioned entity may use new addresses not yet on the SDN List — analytics can identify them through clustering.

Risk scoring — Assigning risk scores to wallet addresses based on transaction history, counterparty exposure, and behavioral patterns. Configure thresholds appropriate to your risk appetite.

Real-time alerts — Immediate notification when a counterparty address is newly designated or when analytics identify a new connection to a sanctioned entity.

Leading providers:

Provider Key Products Strengths
Chainalysis KYT (Know Your Transaction), Reactor Largest coverage, law enforcement partnerships, broadest chain support
Elliptic Lens, Navigator, Investigator Strong EU presence, DeFi and cross-chain coverage
TRM Labs TRM Forensics, TRM Transaction Monitoring Real-time screening, strong API, regulatory relationships
Crystal Blockchain Crystal Analytics Bitfury-backed, extensive VASP data

Implementation Architecture

Real-Time vs. Batch Screening

Customer screening:

  • Real-time — Screen at onboarding, and immediately when sanctions lists are updated (re-screen entire customer base)
  • Batch — Daily re-screening of the full customer base as a safety net. Run after each list update.
  • Best practice: Both. Real-time catches immediate matches; batch catches anything missed.

Transaction screening:

  • Must be real-time — Block or flag transactions before they are processed. Post-hoc screening is insufficient and may constitute a violation.
  • For withdrawals: screen the destination address before broadcasting the transaction on-chain.
  • For deposits: screen the source address upon detection (mempool or confirmation). If sanctioned, freeze and report.

Screening Workflow

Outbound Transactions (Withdrawals)

  1. Customer initiates a withdrawal to an external address.
  2. System screens the destination address against:
    • OFAC SDN List crypto addresses
    • EU/UN/HMT designated addresses
    • Blockchain analytics risk database
  3. If no match: Transaction proceeds through normal processing.
  4. If potential match: Transaction is held (not broadcast). Alert generated for compliance review.
  5. Compliance investigation: Analyst reviews the match. Determines true positive or false positive.
  6. True positive: Block the transaction. Freeze the customer account. File a blocking report (OFAC requires within 10 business days). File SAR/STR as appropriate.
  7. False positive: Document the analysis and rationale. Release the transaction. Update screening parameters if needed.

Inbound Transactions (Deposits)

  1. Funds arrive on-chain (detected at confirmation or mempool stage).
  2. System screens the source address against all lists and analytics.
  3. If sanctioned source: Freeze the funds. Do NOT return them (returning funds to a sanctioned party is itself a violation). File a blocking report and SAR.
  4. If high-risk but not sanctioned: Flag for enhanced review. Assess whether the customer relationship should continue.
  5. Clean: Credit normally.

Alert Handling and Disposition

Never automatically clear potential matches. Every alert must receive qualified human review. Document:

  • The alert details (what was matched, confidence score, list source)
  • Investigation steps taken
  • Analysis and conclusion (true positive, false positive, inconclusive)
  • Disposition decision and rationale
  • Reviewer name and date
  • Any escalation to senior management or legal

Escalation triggers:

  • Any true positive match — escalate to Compliance Officer / MLRO immediately
  • Any match involving a PEP or government official
  • Any match involving comprehensively sanctioned jurisdictions (Cuba, Iran, North Korea, Syria)
  • Repeated near-matches or patterns suggesting sanctions evasion

Jurisdictional Requirements

OFAC (United States)

  • Regime: Strict liability — no intent required. Penalties can reach hundreds of thousands per violation, with aggravated penalties for willful or egregious violations reaching millions.
  • Scope: Applies to all US persons and US-nexus transactions. "US nexus" includes USD-denominated transactions, use of US financial infrastructure, and transactions involving US persons anywhere in the world.
  • Five pillars of an OFAC compliance program: Management commitment, risk assessment, internal controls, testing and auditing, training.
  • Blocking reports: Must be filed within 10 business days when property of a blocked person is identified. Use OFAC's online portal.
  • Voluntary self-disclosure (VSD): Significantly reduces penalties. If you discover a sanctions violation, self-report promptly. OFAC treats VSD as a significant mitigating factor.
  • Crypto-specific guidance: OFAC published "Sanctions Compliance Guidance for the Virtual Currency Industry" (October 2021) — read it.

EU (European Union)

  • Regime: EU sanctions prohibit making funds or economic resources available to designated persons. Criminal penalties in most member states.
  • Scope: Applies to EU persons, entities established in the EU, and activities within EU territory.
  • 2024 updates: EU sanctions regulations explicitly address crypto-assets. CASPs must screen all transactions, not just those above a threshold.
  • Enforcement: Each member state has a competent authority. Penalties vary by member state but must be "effective, proportionate and dissuasive."
  • Russia sanctions: Extensive crypto-specific measures including prohibition of crypto services to Russian nationals above certain thresholds.

UK (United Kingdom)

  • Regime: OFSI (Office of Financial Sanctions Implementation) under HM Treasury administers sanctions.
  • Scope: Applies to all UK persons and entities.
  • Strict liability: Since the Economic Crime (Transparency and Enforcement) Act 2022, sanctions violations carry strict civil liability in the UK.
  • Penalties: Civil monetary penalties up to GBP 1,000,000 or 50% of the estimated value of the breach, whichever is greater.
  • Crypto-specific: FCA-registered crypto businesses must screen against HMT Consolidated List and consider broader sanctions obligations.

Secondary Sanctions

US secondary sanctions can apply to non-US persons who facilitate significant transactions with sanctioned entities. Crypto businesses outside the US must consider OFAC exposure if they:

  • Process USD-denominated stablecoins (USDT, USDC)
  • Serve US customers in any capacity
  • Use US-based infrastructure or correspondent banking relationships
  • Interact with US-based counterparty VASPs

Non-US VASPs have been designated on the SDN List for facilitating sanctions evasion — this is a real, not theoretical, risk.

Sanctions Evasion Typologies in Crypto

Train your team to recognize these patterns:

  1. Chain-hopping — Moving assets across multiple blockchains to obscure origin. Use cross-chain analytics.
  2. Mixing and tumbling — Using mixers (Tornado Cash, etc.) to break the transaction trail. Monitor for mixer exposure.
  3. Peer-to-peer OTC trading — Off-exchange trading to avoid VASP screening. Watch for large deposits followed by immediate P2P activity.
  4. Nested services — Operating through other VASPs to avoid direct screening. Know your counterparty VASP.
  5. Privacy coins — Monero, Zcash (shielded transactions). Consider whether to support privacy coins given the screening limitations.
  6. Rapidly created wallets — New wallets with no history used for single transactions. Flag as higher risk.
  7. NFT-based laundering — Using NFT purchases to transfer value. Screen NFT marketplace transactions.

Ongoing Maintenance

Sanctions lists are updated frequently — sometimes multiple times per week. Your program must keep pace:

  • OFAC updates: Available via RSS feed, email alerts, and the OFAC API. Subscribe to all channels.
  • EU updates: Published in the Official Journal. Monitor via EUR-Lex alerts.
  • UN updates: Published by the UN Security Council Sanctions Committees.
  • Blockchain analytics updates: Providers push continuous updates. Ensure your integration receives them in real-time.

Audit trail requirements: Maintain a complete record of every screening event, including:

  • The transaction or customer screened
  • The list version(s) used
  • The timestamp of the screening
  • Match results (including false positives)
  • Investigation notes and disposition
  • Reviewer identity and date

Retain screening records for at least five years (longer in some jurisdictions).

Program Testing

Test your sanctions screening program at least annually:

  • List coverage testing — Verify that all required lists are loaded and current.
  • Matching accuracy testing — Test with known sanctioned names and addresses, including variations and aliases.
  • False positive rate analysis — Track and optimize. High false positive rates delay transactions and overwhelm analysts.
  • Timeliness testing — Verify that list updates are ingested within your target timeframe (ideally within hours of publication).
  • Blocking report testing — Confirm that blocking reports can be filed within the 10-business-day OFAC deadline.
  • Gap testing — Identify any transaction types or channels not covered by screening.

Common Failures

Enforcement actions in crypto have consistently targeted these failures:

  1. Failure to screen wallet addresses — Screening only customer names without screening on-chain addresses. OFAC expects both.
  2. Failure to update sanctions lists promptly — Stale lists mean missed matches. Automate list ingestion.
  3. Over-reliance on automated clearing — Auto-clearing false positives without qualified human review. Every alert needs a human disposition decision.
  4. Failure to file blocking reports — OFAC requires blocking reports within 10 business days. Late filing is a separate violation.
  5. Ignoring indirect exposure — Only screening for direct matches without analyzing transaction chain exposure. Use blockchain analytics.
  6. No program documentation — OFAC expects a documented sanctions compliance program. Verbal policies do not count.

Resources