OFAC Crypto Sanctions Compliance: Strict Liability and the Tornado Cash Lesson

Two facts make OFAC the sharpest edge in crypto compliance: it is strict-liability (knowledge is not required for civil exposure), and the law moves. The Tornado Cash sequence — sanctioned in 2022, then delisted in March 2025 after a court ruling — is the proof that you must confirm current status, never assume. This guide is hedged, because sanctions law is strict, jurisdiction-specific and a counsel question.

TL;DR

• OFAC is strict-liability: civil exposure can attach without knowledge that a counterparty/address was sanctioned (US-scope persons).
• OFAC has listed digital-currency addresses on the SDN List since 2018 ("Digital Currency Addresses" field, blockchain-tagged) — but listings are not exhaustive → screen for exposure/association, not only direct matches.
• Tornado Cash: designated 2022 → Van Loon v. Treasury (5th Cir., 26 Nov 2024): OFAC exceeded authority (immutable smart contracts not blockable "property") → OFAC removed it from the SDN List on 21 Mar 2025. Not currently OFAC-sanctioned.
• The delisting is narrow — not a general clearance of mixers; separate criminal proceedings against individuals are independent of the sanctions question.
• Designations and case law change — confirm current status, distinguish sanctions from criminal matters.
• Strict, jurisdiction-specific, fast-changing — obtain sanctions counsel. Not legal/sanctions/compliance advice.

Strict liability is the core risk

OFAC generally enforces US sanctions on a strict-liability basis: a person within scope can face civil liability for a prohibited transaction even without knowledge or reason to know the counterparty/address was sanctioned. For crypto, receiving from or sending to a sanctioned address can create exposure regardless of intent. That is why screening is essential, not optional — but the precise scope/application is a sanctions-counsel question, not a generic assumption.

OFAC lists addresses — but not all of them

Since 2018 OFAC adds digital-currency addresses to SDN List entries (a "Digital Currency Addresses" field, blockchain-tagged e.g. XBT/ETH/XMR). Critically, OFAC's crypto listings are not exhaustive — a sanctioned actor may control additional, undesignated wallets — so compliance generally requires screening for exposure and association with sanctioned activity, not only direct matches to listed addresses.

The Tornado Cash lesson

So as of that delisting Tornado Cash is not OFAC-sanctioned. But designations and the surrounding law change — the current status of any party must be verified, never assumed from memory. (This is the same staleness discipline as any fast-moving regulatory fact.)

What the delisting does NOT mean

The inference "mixers are now fine" is unsafe:

• The delisting concerned a specific legal question (are immutable smart contracts blockable "property"?) — not a general clearance of mixers/privacy tools.
• Separate criminal proceedings against individuals connected to the protocol have proceeded independently of the sanctions question — do not conflate sanctions status with criminal matters.
• Other actors, tools or addresses may be designated.

Drawing a broad conclusion is exactly the error this area punishes — sanctions counsel on the specific facts.

Practical guidance

1. Assume strict liability — screen because intent is not a defence to civil exposure.
2. Screen for exposure, not just list hits — OFAC crypto listings are non-exhaustive.
3. Verify current OFAC status of any party — never rely on remembered designations.
4. Separate sanctions status from criminal matters — they move independently.
5. Do not over-read a delisting — it is narrow and fact-specific.
6. Obtain sanctions counsel for anything non-trivial — strict, evolving; not legal/sanctions advice.

How vendor tools handle sanctions screening

Chainalysis and Elliptic provide blockchain analytics and sanctions/exposure screening used to detect direct matches and indirect exposure to sanctioned activity. They support screening — the legal determination, the strict-liability exposure and the current designation status remain the business's and its sanctions counsel's, not the tool's. Confirm any tool uses current OFAC data.

How Wag3s helps

Wag3s is not a sanctions-screening provider. Wag3s HR and the finance OS keep the auditable financial record of counterparties and flows that a sanctions and AML/KYC programme relies on, while the screening, the strict-liability determination and the current OFAC status stay with the business and sanctions counsel. See the HR product page.

Further reading

• AML & KYC for Crypto Businesses
• Crypto Travel Rule Compliance
• FATF VASP Guidance
• DAC8 Sanctions for CASPs
• MiCA Sanctions & the AMF
• Crypto Company Jurisdiction Guide

Sources

• OFAC generally enforces US sanctions on a strict-liability basis — civil liability can attach without knowledge the counterparty/address was sanctioned (screening essential; scope a sanctions-counsel question)
• Since 2018 OFAC adds digital-currency addresses to SDN List entries ("Digital Currency Addresses" field, blockchain-tagged e.g. XBT/ETH/XMR); listings not exhaustive — screen for exposure/association, not only direct matches
• Tornado Cash — designated by OFAC 2022; Van Loon v. Treasury (5th Cir., 26 Nov 2024) held OFAC exceeded statutory authority (immutable smart contracts not "property" of a foreign national/entity under the relevant statute); OFAC removed Tornado Cash from the SDN List 21 Mar 2025 → not currently OFAC-sanctioned
• Delisting is narrow (specific legal question, not a general mixer clearance); separate criminal proceedings against individuals proceeded independently of the sanctions question; designations/case law change — confirm current status, distinguish sanctions from criminal matters; strict, jurisdiction-specific, fast-changing; not legal/sanctions/compliance advice