The UK Office for Financial Sanctions Implementation (“OFSI”)’s Cryptoassets Threat Assessment report (the “Report”) published on 21 July 2025, highlights key sanctions compliance risks for cryptoasset firms from exposure to Russian or Iranian designated persons (“DPs”) and from North Korean cyber activity. The Report highlights the need for cryptoasset firms to take a risk-based based approach to compliance and to undertake enhanced due diligence where red flags around transaction history and behavioural patterns are identified - and to use specialist software for blockchain analysis where needed. The Report also outlines OFSI’s assessment of threats to sanctions compliance involving UK cryptoasset firms from January 2022 to May 2025. It is published as a series of assessments to assist UK cryptoasset firms in understanding and protecting against threats to compliance.
Source: Teamblockchain
Key findings and recommendations
According to the Report, it is almost certain that UK cryptoasset firms have under-reported suspected breaches of financial sanctions to OFSI since August 2022. Furthermore, since January 2022, just over 7% of all suspected breaches reported to OFSI involved cryptoasset firms in some capacity and over 90% were made since April 2024. But despite the increase in suspected breach reports since April 2024, OFSI noted that reporting has been inconsistent and, in some cases, significantly delayed. It is likely that most non-compliance by UK cryptoasset firms has occurred inadvertently due to issues such as:· direct and indirect exposures to DPs
· suspected breaches being identified after a delay in attribution, with attribution delays also contributing to failures to implement the asset freeze.
To aid in protecting against direct or indirect exposures to DPs, OFSI encourages cryptoasset firms to take a risk-based approach to compliance, considering relevant factors including counterparty risk, behavioural patterns and transaction history depth based on the number of hops. Additionally, post-designation, DPs may attempt to move their cryptoassets to distance themselves from links to known cryptoasset addresses and OFSI urges cryptoasset firms to monitor for any new addresses linked to DPs through blockchain analytics. Firms should also consider the use of specialised software to conduct blockchain analysis as part of their due diligence processes to capture transaction screening across multiple stages.
Due diligence: red flags
OFSI has observed some instances of insufficiently detailed due diligence checks. It has provided some ‘red flags’ in regard to potential sanctions evasion, especially when two or more of the red flags are present. In those cases, enhanced due diligence should be carried out. The red flags include (but are not limited to):
· large or unusual transactions immediately following sanctions announcements
· exposure to counterparties with known associates to DPs
· exposure to services lacking a KYC requirement or transactions involving services that do not require user identification
· use of anonymity enhanced cryptocurrencies (privacy coins)
· cross-chain transfers (chain hopping), particularly to privacy-focused blockchains
· operating in jurisdictions that do not implement UK-aligned financial sanctions.
Key threats
The Report identified key trends that pose a threat to the integrity of UK financial sanctions. According to the report, OFSI has identified 3 key threats: 1. Exposure to Russian DPs 2. North Korean cyber activity, and 3. Iranian cryptoasset firms with links to DPs. The report gave the following examples:
· exposure to Russian DPs
Garantex was designated by the UK in May 2022 under the Russia (Sanctions) (EU Exit) Regulations 2019. OFSI notes that almost all transfers from cryptoasset firms to DPs since 2022 involved Garantex. In March 2025, Garantex was disrupted. However, Garantex has continued its operations through Grinex - a Kyrgyz-registered cryptoasset service provider offering conversion between USD, rouble, USDT and A7A5 (a rouble-backed stablecoin). OFSI considers the rebranding to be an attempt to evade sanctions and recommends that UK firms should proceed with caution and consider applying a risk-based approach to compliance regarding any transactions involving Grinex addresses. This warning from OFSI is unsurprising. The scale of transactions involving Grinex within just four months after its emerging was staggering - according to the Financial Times, it reached $9.3 billion. Astraea wrote about Grinex and A7A5 earlier here.
· North Korean cyberactivity
The Report stated that it is highly likely that UK-based cryptoasset firms are currently at risk of being targeted by DPRK (North Korea)-linked hackers and IT workers seeking to steal or obtain funds through illicit means. These illicit means include cryptoasset heists and money laundering. By way of example, in February 2025, DPRK-linked actors were responsible for the theft of ~1.5 billion USD in cryptoassets from the exchange Bybit, representing the largest ever cryptoasset exploit. The Report noted that some DPRK cyber actors and IT workers are known to operate on behalf of the North Korean Government, including entities designated under the UK’s sanctions regulations. Therefore, any activities, whereby the funds or economic resources are made available to the designated entities or individuals, would breach UK financial sanctions and constitute a criminal offence. OFSI also stated that UK cryptoasset firms are being targeted by North Korean IT workers to steal data, including sensitive or critical company information, which could result in this information being compromised or misused by other malign DPRK cyber actors. OFSI has produced guidance on how the North Korean IT workers operate, including by identifying red flag indicators and due diligence measures to help UK firms avoid inadvertently hiring such individuals.
· Iranian cryptoasset firms with links to DPs
The Report noted that since 2019, Iran has developed a complex cryptoasset ecosystem which includes legalisation of cryptocurrency mining in 2019 and the subsequent introduction of the digital Rial in 2024. According to the Report, this is likely due in part to imposition of heavy international financial sanctions against Iran, including those by the UK. According to the Report, since 2022, Iran has increased its usage of cryptoassets as payment in foreign trade, including through the prevalent use of USDT, with transactions patterns linked to Iranian centralised exchanges indicating capital flight. This likely reflects an attempt by Iran to leverage cryptoassets as an alternative system to traditional financial services in the context of international sanctions.
OFSI has found that there is a possibility that Iranian cryptoasset firms with suspected links to DPs are presently involved in facilitating payments through the UK. The majority of these payments reported to OFSI to date were made to unknown end users using the services of Nobitex, a designated entity. OFSI urged UK firms to report any suspected activity involving Iranian DPs or Iranian cryptoasset firms suspected to be facilitating UK financial sanctions evasion or circumvention as soon as it is discovered.
The UK’s new Cryptoassets Threat Assessment makes one point starkly clear: sanctions risk in crypto is no longer theoretical but systemic. OFSI warns that UK firms are both under-reporting and underestimating exposure to designated persons, with Russia, Iran and North Korea emerging as the key vectors. What might look routine - a stablecoin transfer, a new wallet or an overseas counterparty - can mask state-backed sanctions evasion, billion-dollar hacks or capital flight from sanctioned economies. The report reframes compliance from box-ticking to intelligence-led risk management. Blockchain’s transparency, once hailed as its strength, cuts both ways: sanctioned actors can obfuscate through chain-hopping, privacy coins and rebranded exchanges, while firms that fail to detect those patterns risk regulatory action and reputational damage. The lesson is sobering - crypto cannot outrun geopolitics. For UK firms, survival depends on moving beyond compliance as cost and treating it as strategy, investing in analytics, vigilance and real-time adaptability.
This article first appeared in Digital Bytes (2nd of September, 2025), a weekly newsletter by Jonny Fry of Team Blockchain.