Public indictments connecting illicit crypto flows to OFAC-listed entities and the enforcement implications for exchanges and custodians.
WASHINGTON, DC, April 17, 2026
The Department of Justice is no longer treating sanctions risk in crypto as a compliance sideshow, because its recent cases show that once digital asset flows touch blocked persons, designated wallets, sanctioned banks, or embargoed state networks, prosecutors are prepared to translate the conduct into ordinary criminal allegations with national security overtones.
That shift matters because the old assumption that sanctions belonged to Treasury while hacks, laundering, and fraud belonged to prosecutors has broken down in the digital asset space, where a single transaction trail can now carry evidence of cyber theft, concealment, unlicensed money transmission, false statements, money laundering, and sanctions evasion all at once.
The practical result is a more dangerous legal environment for exchanges, custodians, wallet hosts, payment processors, and over the counter intermediaries, because federal investigators increasingly view sanctions failures not as isolated screening mistakes, but as evidence that a platform or operator helped blocked actors keep moving value after the U.S. government had already said those actors were off limits.
Garantex became the clearest recent example of sanctions logic colliding with exchange infrastructure.
The strongest recent case arrived on March 7, 2025, when the Justice Department announced the disruption of Garantex, a Russia-based cryptocurrency exchange that prosecutors said had processed at least $96 billion in transactions since 2019 while facilitating money laundering for transnational criminal organizations, including terrorist organizations, and sanctions violations.
In the department’s public Garantex action, the DOJ said administrators Aleksandr Mira Serda and Aleksej Besciokov were charged with a money-laundering conspiracy, while Besciokov was also charged with conspiracy to violate sanctions and conspiracy to operate an unlicensed money-transmitting business.
That charging mix is important because it shows how prosecutors are now treating a crypto venue that services sanctioned or otherwise illicit flow, not merely as a risky marketplace with weak controls, but as a continuing enforcement target whose operators can be accused of criminally preserving access to blocked financial activity.
The case also shows how the government now uses infrastructure disruption as part of sanctions enforcement, because the action involved domain seizures, frozen funds, and coordinated international steps aimed at removing the exchange’s operational capacity rather than merely issuing another market warning.
Later developments deepened that message, because Treasury said in August 2025 that after the March disruption and indictments, Garantex shifted customers and funds to successor exchange Grinex in an effort to keep operating despite sanctions and law enforcement pressure, reinforcing the government’s view that some crypto platforms are not simply noncompliant, but adaptive sanctions-evasion machinery.
The Evita indictment widened sanctions exposure beyond mixers and into ordinary crypto payment rails.
Another major step came on June 9, 2025, when the DOJ unsealed a 22-count indictment against Iurii Gugnin, the founder of U.S.-based crypto payment companies Evita Investments and Evita Pay, accusing him of turning a cryptocurrency business into a covert pipeline for more than $500 million in transactions involving sanctioned Russian banks and Russian end users.
According to the indictment, Gugnin is charged with wire and bank fraud, conspiracy to defraud the United States, violation of the International Emergency Economic Powers Act, operating an unlicensed money transmitting business, money laundering, Bank Secrecy Act failures, and related conspiracy counts.
The allegations are striking because prosecutors said Gugnin’s customers, many of whom held funds at sanctioned Russian banks, sent him cryptocurrency, most of it in USDT, which he allegedly laundered through wallets and U.S. bank accounts before converting the funds into dollars and other fiat currencies for downstream payments.
DOJ also alleged that Gugnin lied repeatedly to banks and cryptocurrency exchanges by saying Evita did not do business in Russia and did not deal with sanctioned entities, even though the government says he facilitated funds tied to sanctioned institutions, including Sberbank, Sovcombank, VTB Bank, and Tinkoff Bank.
That matters for the industry because it demonstrates that a crypto payments company does not need to look like a mixer, a darknet venue, or a rogue offshore exchange to become a sanctions case, since a U.S.-facing business that converts stablecoins, touches traditional banking rails, and disguises the true counterparties can still be framed as a national security threat.
It also sharpens the warning to custodians and exchanges that handle stablecoin flows, because prosecutors are making it clear that sanctioned exposure can be hidden within apparently routine payment traffic unless a platform screens counterparties, traces the source of funds, and tests customer statements against actual transactional behavior.
North Korea remains the most important bridge between crypto crime and sanctions enforcement.
The deepest alignment between DOJ and OFAC still sits in the North Korea cases, where the government treats digital assets not just as proceeds of crime, but as a funding mechanism for sanctioned state priorities, including weapons and ballistic missile programs.
One of the foundational prosecutions remains the April 2023 case against Sim Hyon Sop, a representative of North Korea’s Foreign Trade Bank, where the DOJ said Sim conspired with over-the-counter crypto traders and North Korean information technology workers to launder stolen virtual currency and illegal earnings for the benefit of the regime.
That case now matters even more because subsequent actions have filled in the operational picture, showing how prosecutors and the Treasury increasingly build sanctions cases through a blend of criminal charges, asset freezes, civil forfeiture, and SDN designations rather than relying on a single mechanism.
In the June 5, 2025, forfeiture action tied to that network, DOJ said North Korean IT workers used stolen or false identities to obtain remote work, often at blockchain or crypto-related companies, received compensation in stablecoins like USDC and USDT, and then used layered laundering techniques to push the money back toward Pyongyang.
The complaint described methods that are becoming central to the government’s sanctions narrative, including fictitious accounts, movement in small increments, chain hopping, token swapping, non-fungible tokens used as a temporary store of value, U.S.-based accounts used to legitimize the appearance of activity, and commingling designed to blur the source of funds.
DOJ said the government froze and seized more than $7.74 million tied to the scheme, while noting that OFAC had already placed Sim on the SDN list in April 2023 and later added Kim Sang Man and Chinyong, a North Korean defense-linked IT company, to the SDN list in May 2023.
That record is especially important for exchanges and custodians because it shows how sanctions exposure may arrive through employment fraud, payroll flows, over the counter conversion, or routine-looking stablecoin activity rather than only through the dramatic theft of a major exchange wallet.
The November 14, 2025 DOJ action pushed the same logic further, when the department announced guilty pleas and more than $15 million in civil forfeiture actions linked to North Korean remote IT work and virtual currency heist schemes, while alleging that APT38 had carried out multimillion-dollar heists at four overseas virtual currency platforms in 2023 and laundered the proceeds until U.S. authorities froze and seized part of the assets.
That matters because it shows the government drawing a straight line from a sanctioned state actor to exchange theft, then from exchange theft to laundering, and finally from laundering to forfeiture and victim return, all within a single enforcement story that blends criminal law with sanctions strategy.
Tornado Cash revealed both the ambition and the limits of the DOJ’s sanctions theory.
The most symbolically important sanctions prosecution in crypto remains the 2023 case against Tornado Cash founders Roman Storm and Roman Semenov, in which the DOJ alleged that the mixer laundered more than $1 billion in criminal proceeds and knowingly facilitated hundreds of millions in transfers for the Lazarus Group, a sanctioned North Korean cybercrime organization.
Prosecutors said the defendants continued operating the service even after OFAC had identified and blocked Lazarus-linked property and after internal discussions showed that purported sanctions-compliance changes would be ineffective in practice, according to the indictment.
That theory became one of the boldest expressions of how the government wanted to align crypto infrastructure with OFAC obligations, because it implied that once operators knew a service was helping a blocked actor move funds, continuing that service could itself support sanctions-violation counts.
But the case also showed that this area is not frictionless for prosecutors, because a Manhattan jury in August 2025 convicted Storm only on the unlicensed money-transmitting conspiracy count, while deadlocking on the money-laundering and sanctions-evasion charges.
As Reuters reported when Treasury later lifted Tornado Cash sanctions in March 2025 after broader legal challenges, the Tornado Cash story remains one of the clearest reminders that DOJ’s sanctions theory can be aggressive even when courts, juries, or later executive branch decisions complicate the path.
That nuance matters for this landscape because it shows that the government’s enforcement direction is unmistakably hardening, while the doctrinal boundaries for software developers and infrastructure operators are still being tested in real time.
What OFAC expectations now mean for exchanges and custodians.
The enforcement implications for the industry are no longer subtle, because Treasury has long said that sanctions obligations apply equally to virtual currency and fiat transactions, and that message is now being reinforced by DOJ proceedings that convert failed controls into evidence of criminal exposure.
OFAC’s guidance for the virtual currency industry says the obligations apply to technology companies, exchangers, wallet providers, and related participants, and it specifically contemplates screening, risk-based controls, historic lookbacks after addresses are listed, and blocking or reporting virtual currency in which sanctioned persons have an interest.
The practical warning is that an exchange or custodian can no longer defend itself by saying the blockchain is open and therefore transparent in theory, because investigators increasingly expect firms to use that transparency actively, not passively, and to detect whether listed actors or blocked property are present in the transaction graph.
That is why Garantex, Evita, and the North Korea files matter so much together, because they show three different paths to the same destination, one through a foreign exchange accused of preserving sanctions-violating access, one through a U.S.-based payment company accused of hiding sanctioned Russian counterparties, and one through state-linked laundering networks that used crypto work, hacks, and conversion channels to keep revenue flowing despite SDN designations.
For custodians, the lesson is even sharper because they sit closest to the blocking obligation itself, and OFAC has made clear that once a U.S. person determines it holds virtual currency that must be blocked, access must be denied, the property must be reported, and controls must ensure the value is preserved until lawful release becomes possible.
That means custody is no longer just a safekeeping function in the eyes of federal enforcement, because once a custodian controls wallet architecture, omnibus accounts, withdrawal permissions, or screening logic, it becomes part of the sanctions perimeter, whether the company prefers that role or not.
The new accountability model reaches beyond the first bad actor.
The biggest legal shift in these cases is that the DOJ is no longer focused solely on the originally designated person or entity, as it is increasingly pursuing the surrounding service providers, enablers, and counterparties that make sanctions evasion viable after designation has already occurred.
That includes operators who keep routes open, payment firms that disguise end users’ identities, OTC traders who convert tainted funds into usable value, and platforms that tell banks or exchanges one story in onboarding files while processing something very different in practice.
For companies and individuals navigating the cross-border pressures that can follow when sanctions, crypto tracing, and asset seizure start converging, some review Amicus International Consulting and its analysis of extradition and multi-jurisdiction enforcement exposure as a digital-asset matter begins shifting from a compliance concern to personal legal risk.
The bottom line is that DOJ’s latest sanctions-linked crypto actions show a market where OFAC designations no longer sit in a separate policy compartment from criminal enforcement, because prosecutors are increasingly treating blocked entities, sanctioned wallets, sanctioned banks, and sanctioned state revenue networks as the starting point for broader cases against the services that moved the money anyway.
