On July 21, 2025, the implementation of the UK financial sanctions office (OFSI) published an assessment of threats to cryptocurrency specific to the sector (“the report”), by highlighting the risks and evolving vulnerabilities of the cryptographic sector linked to financial sanctions. While the landscape of cryptography continues to develop, this report serves as a critical resource for British cryptocurrency companies and stakeholders aimed at strengthening compliance and reducing exposure to illegal activity.
The report is part of a series of similar evaluations that OFSI published in 2025 with other reports covering financial, legal and real estate services, as well as players in the art market and high value dealers.1
Cryptoassets: the regulatory landscape
Under British law, cryptocurrencutors are treated like any other asset class in the context of financial sanctions. The money laundering regulations (MLR) and the law on sanctions and the fight against money laundering 2018 (SAMLA) also apply to digital assets. Since January 2020, cryptocurrency companies have to register with the Financial Conduct Authority (FCA) for the supervision of the LMA.
The report, covering data from January 2022 to May 2025, reflects the growing dynamic behind the sector’s regulations:
- September 2023: The FCA introduces the “travel rule”, demanding that crypto-caster companies collect, check and share information on Cryptoset transfers.2
- October 2023: The FCA presents the cryptocurrency financial promotions regime for all companies promoting cryptocurrency in the United Kingdom.3
- November 2023: The FCA issues a discussion document on the regulation of stablecoins.4
- December 2024: The FCA publishes a discussion document on the future market abuse regime for cryptocurrency and the admission and disclosure regime of cryptocurrency.5
- April 2025: The British government publishes a bill aimed at providing the exploitation of a cryptocurrency trading platform, intermediation, loans and cryptocurrency, ignition and decentralized financing (DEFI) in the delivery of the FCA.6
- May 2025: The FCA publishes a discussion document on the regulation of crypto-evaluing activities.7
The FCA roadmap published in November 2024, anticipates the publication of all policy declarations and final rules in 2026, after which companies will have time to prepare before the diet was put online.8 The regulation of cryptocurrency is essential, but the rhythm to which the FCA moves suggests that it will find it difficult to follow the threats in constant evolution described in the report.
The OFSI report: key judgments
The report describes five basic judgments concerning the sanctions of relevant threats to service companies linked to the British cryptocurrency:
- Underestimation of violations: During the period covered by the report, more than 7% of all reports to the OFSI of alleged sanctions, violations involved crypto companies, with almost all these reports since April 2024. Despite this, the OFSI affirms that it is almost certain that British cryptocurrency companies have underestimated the alleged violations since August 2022.
- Inadvertently non-compliance: Most violations probably arise from indirect exposure to designated persons (DPS) and suspected violations identified after a delay in allocation, the delays in allocation also contributing to failures to implement the assets.
- Exhibition for Russian entities: It is very likely that British cryptocurrency companies have been directly or indirectly exposed to the designated Russian exchange since its designation in 2023, resulting in violations of British financial sanctions. More than 90% of the suspect violation reports linked to the crypto subject to the OFSI since 2022 imply Russia.
- North Korean cyber-men: It is very likely that British Crypto-Tassettes companies may be targeted by PIRES linked to RPDC and IT workers who seek to fly or obtain funds by illegal means.
- Iranian connections: It is likely that British Crypto-Tassettes companies are currently facilitating transfers with Iranian cryptocurrency companies with alleged links with DPS.
These results reflect the geopolitical use of cryptocurrency to bypass traditional financial systems and highlight the urgent need for reasonable diligence, relationships and technological vigilance.
Overview of threats: common vulnerabilities
The report deepens several areas of risk and current typologies used to escape sanctions:
Cross -border payments: Cryptocurrencies allow the DPS to bypass the financial channels and compliance mechanisms, including through VPNs, to obscure the real location of the individuals involved in a transaction, complicating KYC’s efforts.
Centralized exchanges with links to the DPS: Certain crypto trading platforms can share infrastructure with designated exchanges, despite the sanctions against them. These links can be disguised by the use of intermediate portfolios to separate incoming deposits from withdrawals and bypass the conformity software which signals the links to a DP.
High -risk services and not kyc: Instant exchanges, which do not collect customer information, are used to convert standard currencies to cryptocurrency to facilitate the transfer of funds from the DPS (including sanctioned banks) to the specified cryptographic portfolio, elude sanctions screening.
Superposition, mixture and anonymity improvement techniques: The decentralized nature of cryptocurrency facilitates the obscure of the transaction tracks and payment structures, including the use of anonymous private portfolios. Cryptoassets can also be superimposed by moving them between different blockchain networks, increasing the complexity of the tracing of illicit cryptocurrency.
Exchanges operating via Darknet markets: Individuals can use platforms on the Dark web to discuss, sell and promote illicit activity, including escape sanctions, anonymously.
On -the -counter (OTC): Peer trading and the use of direct brokers can take place outside the supervision of an exchange, which makes regulations more difficult. The over -the -counter trades work internationally and can be used by Evaders sanctions to exchange species in a jurisdiction and access it in another.
Decentralized exchanges (DEX): DEX are trading platforms that often work without a single control entity and do not require identity checks, which makes them attractive for the escapes of sanctions.
Nested exchanges: Also known as parasitic exchanges, they use the more established exchange infrastructure without the conscience or approval of the latter. The nested exchanges manage illegal cryptocurrency at much higher rates than legitimate platforms.
These methods highlight the complexity of tracing illicit cryptographic activity and the need for robust surveillance tools.
Identification of red flags
The report identifies several common red flags in the cryptography sector and urges businesses in the United Kingdom to make a robust reasonable diligence to identify these problems. Ofsi states that the presence of two or more red flags should trigger an increased reasonable diligence. Current red flags include:
- Important or unusual transactions following the announcements of the sanctions;
- Exposure to DPs or known associated entities;
- Sudden changes in transaction models;
- Repeated payments of individual addresses for very low amounts;
- Rapid movement of active ingredients through several addresses;
- Several portfolios controlled by the same entity (grouping of addresses);
- Use of confidentiality, mixers or VPN parts; And
- Transactions involving sanctioned jurisdictions.
Reinforcement of conformity
The report describes several considerations for cryptographic companies and stakeholders aimed at improving the conformity of sanctions, using a risk -based approach to assess exposure according to transaction models, jurisdiction and type of service. The recommendations include:
- Check the FCA register to identify whether the crypto-assembly companies they do business are recorded,9 Or check the equivalent register of the jurisdiction in which the Crypto-Support Society is based.
- Improve the detection through the use of transaction screening and blockchain analysis to monitor cryptography flows and identify all new addresses related to DPS. Companies should consider the use of specialized software for this purpose.
- Consider the counterpart risk, behavioral models and the depth of transactions history as a function of the number of individual transactions (“hop”) used within the framework of a global transaction.
- Perform look exercises to identify any suspected past violation involving cryptocurrency who may not have been reported to the OFSI.
- Report suspect transaction channels in Ofsi as soon as they discovered.
- Report any presumed illicit activity involving cryptocurrency at the NCA and the FCA, if necessary, in accordance with their legal obligations.
Main to remember
The report is an alarm clock. While the United Kingdom struggling with the growing adoption of crypto-assemblies and an evolving sanctions regime, companies are faced with immediate compliance pressures, even if the regulatory environment has trouble keeping the pace of the development threat. The vulnerabilities identified in the report are potential active vectors for bypass sanctions, exhibiting businesses at significant risks. Companies must be proactive in the updating of systems, training and policies to take into account emerging threats; Vigilant in the screening of transactions and counterpart risks; and cooperative with their regulators and with OFSI in the declaration of offenses to alleged sanctions.
Posted for the first time in Compliance Weekly.
