OFAC Crypto Sanctions Compliance: Strict Liability and the Tornado Cash Lesson

OFAC is the sharpest edge in crypto compliance for two reasons. The first is strict liability: a US-scope person can incur civil exposure for a prohibited transaction without ever knowing the counterparty was sanctioned. The second is that the law moves underneath you. The Tornado Cash sequence is the clearest illustration of both: sanctioned in 2022, then removed from the SDN List in March 2025 after a federal appeals court ruling. This guide covers how strict liability works for digital assets, what OFAC actually lists, and why the Tornado Cash story is a lesson about confirming current status rather than a green light for mixers. Sanctions law is strict, jurisdiction-specific and fast-changing, so this is a sanctions-counsel topic, not a do-it-yourself one.

The short version

• OFAC generally enforces US sanctions on a strict-liability basis: civil exposure can attach without knowledge that a counterparty or address was sanctioned.
• OFAC has listed digital-currency addresses on the SDN List since 2018, in a "Digital Currency Addresses" field tagged by blockchain. Those listings are not exhaustive, so screening looks for exposure and association, not only direct matches.
• Tornado Cash was designated in 2022. In Van Loon v. Treasury (5th Cir., 26 Nov 2024) the court held OFAC exceeded its authority because immutable smart contracts are not blockable "property", and OFAC removed Tornado Cash from the SDN List on 21 March 2025. It is not currently OFAC-sanctioned.
• That delisting is narrow. It is not a general clearance of mixers, and separate criminal proceedings against individuals connected to the protocol have proceeded independently of the sanctions question.
• Designations and case law change. Confirm the current status of any party, and keep sanctions status distinct from criminal matters.
• This area is strict, jurisdiction-specific and fast-changing. Obtain sanctions counsel. This is not legal, sanctions or compliance advice.

Strict liability is the core risk

OFAC generally enforces US sanctions on a strict-liability basis: a person within scope can face civil liability for a prohibited transaction even without knowledge or reason to know the counterparty or address was sanctioned. For crypto, receiving from or sending to a sanctioned address can create exposure regardless of intent. That is why screening is essential rather than optional, though the precise scope and application are a sanctions-counsel question, not a generic assumption.

OFAC lists addresses, but not all of them

Since 2018, OFAC has added digital-currency addresses to SDN List entries, in a "Digital Currency Addresses" field tagged by blockchain (for example XBT, ETH or XMR). Critically, OFAC's crypto listings are not exhaustive: a sanctioned actor may control additional, undesignated wallets. Compliance therefore generally requires screening for exposure and association with sanctioned activity, not only direct matches to listed addresses.

The Tornado Cash lesson

So as of that delisting, Tornado Cash is not OFAC-sanctioned. But designations and the surrounding law change, so the current status of any party must be verified, never assumed from memory. This is the same staleness discipline as any fast-moving regulatory fact.

What the delisting does not mean

The inference that "mixers are now fine" is unsafe:

• The delisting concerned a specific legal question, whether immutable smart contracts are blockable "property", not a general clearance of mixers or privacy tools.
• Separate criminal proceedings against individuals connected to the protocol have proceeded independently of the sanctions question, so do not conflate sanctions status with criminal matters.
• Other actors, tools or addresses may be designated.

Drawing a broad conclusion is exactly the error this area punishes; get sanctions counsel on the specific facts.

Practical guidance

1. Assume strict liability, and screen because intent is not a defence to civil exposure.
2. Screen for exposure, not just list hits, since OFAC crypto listings are non-exhaustive.
3. Verify the current OFAC status of any party; never rely on remembered designations.
4. Separate sanctions status from criminal matters, because they move independently.
5. Do not over-read a delisting; it is narrow and fact-specific.
6. Obtain sanctions counsel for anything non-trivial. This is strict, evolving, and not legal or sanctions advice.

Choosing a sanctions-screening tool

Because OFAC listings are not exhaustive, a screening tool that only checks for direct matches against listed addresses is not enough on its own. Providers such as Chainalysis and Elliptic offer blockchain analytics that detect both direct matches and indirect exposure to sanctioned activity. When evaluating one, confirm it:

• screens for exposure and association, not only exact matches to listed addresses;
• refreshes against current OFAC data, so a recent designation or delisting (the Tornado Cash removal is the obvious example) is reflected promptly;
• keeps an audit trail of the screening decision, which matters when intent is not a defence to strict-liability exposure.

The tool supports the process; the legal determination, the strict-liability exposure and the current designation status remain the business's and its sanctions counsel's responsibility.

Where Wag3s fits

Wag3s is not a sanctions-screening provider and does not make designation determinations. Wag3s HR and the finance OS keep the auditable financial record of counterparties and flows that a sanctions and AML/KYC programme relies on, so the screening that does happen sits on top of reconciled, evidenced data. The screening itself, the strict-liability determination and the current OFAC status stay with the business and its sanctions counsel.

Further reading

• AML & KYC for Crypto Businesses
• Crypto Travel Rule Compliance
• FATF VASP Guidance
• DAC8 Sanctions for CASPs
• MiCA Sanctions & the AMF
• Crypto Company Jurisdiction Guide

Sources

• OFAC — Publication of Sanctions Compliance Guidance for the Virtual Currency Industry: the guidance setting out the strict-liability framework, the expectation of a risk-based screening programme, and how digital-currency addresses are added to SDN List entries.
• OFAC — Frequently Asked Questions on Virtual Currency: how digital-currency addresses appear on the SDN List (the blockchain-tagged "Digital Currency Address" field) and that listings are identifiers, not an exhaustive list of a blocked person's wallets.
• OFAC — FAQ 594, querying a digital currency address: using the Sanctions List Search and the downloadable SDN data to screen for listed addresses.
• Tornado Cash was designated by OFAC in 2022; in Van Loon v. Treasury (5th Cir., 26 Nov 2024) the court held OFAC exceeded its statutory authority because immutable smart contracts are not "property" of a foreign national or entity, and OFAC removed Tornado Cash from the SDN List on 21 March 2025. The delisting concerned that specific legal question and did not clear mixers generally; separate criminal proceedings against connected individuals proceeded independently. Designations and case law change, so the current status of any party must be verified. This is not legal, sanctions or compliance advice.