OFAC Enforcement Impacts NFTs: As Crypto Enforcement Ramps Up to Combat Ransomware, Robust Compliance is Key
The Treasury Department’s Office of Foreign Assets Control (OFAC) took action last Monday, November 8, 2021, and sanctioned a Latvia-based exchange, Chatex, its associated support network, and two ransomware operators for facilitating financial transactions for ransomware actors. In total, OFAC designated Chatex and 57 cryptocurrency addresses (associated with digital wallets) as Specially Designated Nationals (SDNs). OFAC took this action pursuant to Executive Order 13694, issued in 2015, which provides broad sanctions authority to address the national security threat posed by malicious cyber-actors outside the United States.
It is clear that the designations were part of the Biden Administration’s response to counter ransomware attacks and criminal actors’ “abuse of the virtual currency ecosystem to launder ransom payments.” The Treasury Department stated that it will use “all available authorities to disrupt malicious cyber actors, block ill-gotten criminal proceeds, and deter additional actions against the American people” (see here). The Treasury Department recently updated its guidance on the risks companies face for playing a part in ransomware payments (see here).
While the designation of Chatex and the other cryptocurrency addresses are itself significant, what is interesting is that these designations appear to be the first time NFTs have been publicly impacted as “blocked property” – as one of the designated cryptocurrency addresses owns non-fungible tokens (NFTs). Because U.S. persons are essentially prohibited from transacting with the individuals and entities associated with the designated cryptocurrency addresses, dealing in those NFTs is prohibited for U.S. persons as well.
We have seen a steady rise of ransomware attacks, including “supply chain attacks,” which have been targeting and impacting a range of industries in the United States. OFAC’s designation of Chatex and other cryptocurrency addresses are related to its direct ties with SUEX – a cryptocurrency exchange that laundered money to ransomware attackers (see our post here). According to OFAC, Chatex provided material support to SUEX, which was the basis for Chatex’s designation. Apparently, one of the co-founders of SUEX established Chatex.
According to reports, certain designated crypto addresses associated with Chatex held 42 NFTs worth approximately $531,600. The account at issue collected varied NFTs, including “digital magazine covers, superhero figures, digital land parcels and relatively little-known digital art collections.” Four of the 42 NFTs were created by the account itself. Aside from NFTs, the sanctioned wallets also own a range of cryptoassets, including virtual currency and ERC-20 tokens. The account had a profile on the NFT platform Opensea, which commented that it blocks addresses on the sanctions list from buying, selling or transferring items on OpenSea.
Additionally, OFAC designated two ransomware operators (Yevgeniy Igorevich Polyanin and Yaroslav Vasinskyi) for their role in the ransomware attacks on a Miami-based software company, Kaseya, earlier this year. According to reports, sanctioned addresses associated with these two individuals have received more than $18 million in cryptocurrencies.
The recent designations are notable because it represents the second time that a cryptocurrency exchange has been designated and the eighth time OFAC has designated cryptocurrency addresses. Although the designations of SUEX and now Chatex do not directly impact broader cryptocurrency exchanges, it does show that OFAC has ramped up its enforcement efforts to combat ransomware payments that are happening via cryptocurrency – through designations that may essentially cut them off from the U.S. market. Companies in the cryptocurrency business should take the designations and OFAC’s guidance as a warning and ensure that they are screening transactions appropriately and not facilitating payments to bad actors.
Increased Enforcement – What is clear from these recent designations coupled with the DOJ’s creation of a National Cryptocurrency Enforcement Team (NCET) (see here) and OFAC’s advisory on the risks companies face for playing a part in ransomware payments, enforcement related to malicious cyber activities involving cryptocurrency and digital assets will ramp up. In the upcoming months, we expect to see additional designations as well as indictments by the DOJ (see here).
Compliance is Key – Last month, OFAC published more targeted guidance for digital asset companies related to compliance with sanctions and best practices for mitigating risks (see our post here). This guidance is helpful because it provides important insight into what OFAC expects from companies’ compliance programs. At a minimum, it is critical for companies to have internal controls in place to screen transactions to ensure that no designated cryptocurrency addresses or assets owned by those sanctioned parties are involved. If a company does identify violations, OFAC considers the existing of a robust compliance program as a mitigating factor when assessing penalties.
NFTs – The existing regulatory landscape is not necessarily designed for the rapidly changing digital asset environment – it often appears that the law is ten (or 100) steps behind technology. There are a number of unique legal considerations for NFT owners and creators, including securities laws, anti-money laundering and sanctions, IP considerations, and licensing issues, among others. The key is to develop a holistic legal and compliance strategy early on, so you can integrate it into your business from the onset. We will continue to update on emerging regulatory issues impacting NFTs as they evolve.