Powered By:


On September 21, 2021, the U.S. Department of the Treasury took several actions targeting the recent escalation of ransomware attacks and related payments, including a renewed focus on the cryptocurrency industry. Notably, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued an updated advisory addressing the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities. OFAC also sanctioned an offshore cryptocurrency exchange for its involvement in facilitating ransomware payments.

OFAC’s designation of the Suex OTC exchange represents the first time ever that OFAC has sanctioned a cryptocurrency exchange. Suex OTC was sanctioned under Executive Order 13694 for facilitating financial transactions for ransomware actors, and thereby providing material support to those actors. According to OFAC’s press release, an analysis of known Suex transactions reflected that over 40 percent of Suex’s known transaction history was associated with illicit actors. Additionally, press reports indicate that Suex was operating as a “nested” exchange, in which it used the infrastructure and liquidity of a larger cryptocurrency exchange in order to facilitate and conduct transactions. The designation means that all property and interests in property of Suex that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities owned 50% or more by Suex (or other sanctioned actors) are also the subject of sanctions and their property and interests in property are blocked. In addition, there is considerable sanctions risk for financial institutions and other entities that engage in transactions or activities with Suex (or entities owned 50% or more by Suex), which risk exposure to sanctions or an enforcement action.

In OFAC’s updated Ransomware Advisory, which was initially published October 2020, OFAC takes a stronger policy stance against ransomware payments, noting that the “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.” This is a fairly stark contrast to the October 2020 Advisory, which focused more on the sanctions risks inherent in making ransomware payments, without expressing much of a policy position. Both Advisories make clear that ransomware payments can carry significant sanctions risk, to the extent the payments involve sanctioned actors, entities, or jurisdictions that are the subject of sanctions. Moreover, many OFAC sanctions are strict liability, meaning that intent or knowledge is not required to demonstrate a civil violation (criminal violations require a showing of willfulness).

Importantly, the new Advisory also clarifies the circumstances in which victims of ransomware attacks may receive cooperation credit for voluntarily self-disclosing an apparent sanctions violation to OFAC. Under OFAC’s Enforcement Guidelines, those who voluntarily self-report an apparent sanctions violation to OFAC can be eligible for considerable benefits, including a 50% reduction in the monetary penalty, among other forms of relief. The challenge is that OFAC operates on a “first in” basis – meaning that if you do not report the violation to OFAC first (e.g., OFAC finds out about it another way or you report it to another regulator), then you may not receive the cooperation credit. OFAC’s new Advisory makes clear, for the first time, that a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies (e.g., not simply OFAC), made as soon as possible after discovery of an attack, will be deemed a voluntary self-disclosure and a significant mitigating factor in determining an enforcement response.

OFAC also advises that it “would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or Cautionary Letter) when the affected party took the mitigating steps described above, particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.”


Ransomware-related payments continue to carry tremendous sanctions risks, and responding to a cyberattack, from an operational and legal perspective, remains a challenge. This new OFAC Advisory provides clearer guidance on how to mitigate sanctions risk; however, there are still significant challenges to fully mitigating that risk, which is often nearly impossible in the current environment. At a minimum, risk mitigation will require screening counterparties, including via blockchain analytic technology, as well as analyzing IP address information and certain characteristics of the attack (e.g., the virus strain, the language the attackers use in the chat function, and even what time of day the attackers are active). It remains to be seen whether and to what extent OFAC and other U.S. regulators initiate enforcement actions against those making ransomware payments. The use of blocking sanctions against cyber attackers is probably a more immediate focus for the time being.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm or its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.


Fill out the following form to receive our cryptocurrency news and analysis.

Author's Assets


Anthony Tu-Sekine | Partner

As the head of Seward & Kissel’s Blockchain and Cryptocurrency Group and a frequent commentator on all things crypto, Anthony advises clients on a wide range of evolving topics, including how to structure and issue security and utility tokens, registered and unregistered offerings of security tokens, token custody, transfer and liquidity issues, non-security opinions, and investments in crypto assets by funds and other investors. A recognized leader on physical precious metals funds, Anthony represented APMEX Inc. and alternative asset manager Sprott Inc. in connection with the launch of OneGold.com, which allows investors to own gold documented on blockchain.

“You can work with regulators or you can really try to piss them off… If you really want to do the latter, then you should expect that they will bring every tool they have against you.”

Anthony’s thoughts on BitMEX indictment, as published in Law360 article “BitMEX Case Seen as Blessing in Disguise for Crypto Sector”


Andrew Jacobson | Associate

A former enforcement attorney at the New York State Department of Financial Services (DFS), Andrew Jacobson represents individual and institutional clients at Seward & Kissel in connection with complex governmental investigations, regulatory probes, and related civil matters. While at the DFS, Andrew was involved in early cryptocurrency issues and brought some of the most significant enforcement actions for violations of U.S. economic sanctions and anti-money laundering laws.

Andrew has extensive experience advising on matters relating to U.S. economic sanctions, including those administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), and anti-money laundering laws. Andrew serves as Chair of the Export Controls, Sanctions, and Anti-Corruption Subcommittee of the International Bar Association, co-chair of the Virtual Commodity Association’s BSA/AML Committee, and is a member of the Digital Chamber of Commerce’s AML Task Force.

As a member of Seward & Kissel’s Blockchain and Cryptocurrency Group, Andrew regularly advises clients on all aspects of financial crimes compliance and licensing in the virtual asset industry, including:

  • OFAC and FinCEN regulatory requirements, including asset blocking and reporting obligations;

  • Unhosted wallets and risks to software providers and VASPs;

  • Privacy coins, mixers, and other external privacy mechanisms;

  • Technology and open-source user platforms;

  • Ransomware and other cyberattack-related ransom payments;

  • BitLicense and state licensing requirements; and

  • Counterparty due diligence and screening.


“This is certainly a lesson to senior management to take compliance seriously and that there are consequences for individuals who don’t follow the regulatory regime.”

Andrew’s thoughts on BitMEX indictment, as published in Law360 article “BitMEX Case Seen as Blessing in Disguise for Crypto Sector”