
UK OFSI Cryptoasset Threat Assessment

Executive Summary


This report examines the key findings of the "Cryptoassets Threat Assessment" published in July 2025 by the UK Office of Financial Sanctions Implementation (OFSI). The assessment reveals a significant risk that UK cryptoasset firms may be used, often inadvertently, to circumvent international financial sanctions.


Key threats identified by OFSI include:


  • Significant Under-reporting: A systemic failure by UK crypto firms to report suspected sanctions breaches, mainly due to delayed discovery and attribution issues.

  • Russian Sanctions Evasion: A high likelihood of exposure to designated Russian entities, such as the crypto exchange Garantex and its suspected successor, Grinex, which actively facilitate sanctions evasion.

  • North Korean Cyber Threats: A high risk of targeting by DPRK-linked actors for high-value theft and sophisticated money laundering, alongside threats from disguised North Korean IT workers seeking to infiltrate firms.

  • Iranian Sanctions Circumvention: There is a likelihood that UK firms are facilitating transfers to Iranian crypto firms, such as Nobitex, with links to designated entities, including the IRGC.


Implications for firms: OFSI mandates immediate action to strengthen compliance. This includes conducting more comprehensive due diligence (scanning transaction histories up to 3-5 hops), submitting detailed and timely reports (even for retrospective discoveries), freezing assets linked to sanctioned entities, and training staff to identify a wide range of red flags. The report underscores the urgent need for the UK crypto sector to implement robust, risk-based compliance frameworks to mitigate these evolving threats and protect the integrity of the financial system.


1. Introduction


In July 2025, the UK's Office of Financial Sanctions Implementation (OFSI) published its "Cryptoassets Threat Assessment," providing a critical overview of the threats posed to UK financial sanctions compliance by the cryptoasset sector. The report reveals a significant increase in suspected breach reports involving cryptoasset firms since early 2024, with Russia-related sanctions accounting for 90% of these cases. This analysis breaks down the key findings of the OFSI assessment and outlines the crucial implications for UK-based cryptoasset firms.


2. Key Findings and Implications for Firms


2.1. Under-reporting and Delayed Attribution


OFSI's assessment highlights a critical gap in the sector's compliance and reporting mechanisms.


  • Significant Under-reporting: OFSI judges it "almost certain" that UK cryptoasset firms have been under-reporting suspected breaches of financial sanctions since August 2022.

  • Inadvertent Non-Compliance: The majority of non-compliance is believed to be accidental. It often stems from common issues such as direct or indirect exposure to Designated Persons (DPs) and significant delays in attributing specific cryptoasset addresses to these sanctioned individuals or entities.

  • Delayed Discovery: A common problem is the retrospective discovery of illicit transactions, often identified long after they have occurred through the use of blockchain analytics tools. While reporting timeliness has seen some improvement, it remains inconsistent across the industry.


Suggested Actions:


  • Consolidated Reporting: Bundle multiple, small-value transactions from the same addresses into a single, comprehensive report.

  • Detailed Information: Reports must include:

    • All involved crypto addresses (including intermediaries).

    • Transaction hashes.

    • Crypto quantities with their value in GBP/USD (mandatory for transactions over £1,000).

    • A clear rationale for linking addresses to DPs.

    • Explanations for any historical transactions and details of the screening process used.

    • Know Your Customer (KYC) details of the individuals involved.


2.2. Exposure to Russian Designated Persons (Garantex and Grinex)


The report indicates a high likelihood of exposure to sanctioned Russian entities.


  • Garantex Exposure: It is "highly likely" that UK firms have been exposed, directly or indirectly, to the designated Russian crypto exchange Garantex since its designation in 2023. Garantex is known for its links to illicit finance, including ransomware proceeds and the notorious Hydra Market.

  • Shift to Indirect Flows: Following the 2023 designation, direct transaction flows from UK firms to Garantex dropped. However, this was countered by a rise in indirect flows, indicating a deliberate effort to obscure the origins of the transactions.

  • Emergence of Grinex: OFSI assesses it is "highly likely" that Grinex is a successor to Garantex, established to circumvent sanctions. Grinex exhibits significant operational and user overlap with Garantex, accepts payments from Russian DPs, and has processed substantial transaction volumes.


Suggested Actions:


  • Firms must exercise extreme caution and apply a stringent risk-based approach to any transactions potentially involving Grinex addresses.


2.3. North Korean (DPRK) Cyber Threats


The threat from state-sponsored North Korean actors remains acute.


  • Elevated Risk of Targeting: UK cryptoasset firms are "highly likely" to be targeted by DPRK-linked hackers and IT workers aiming to steal funds or generate revenue for the regime. These actors are behind some of the largest global crypto heists, including the approximately USD 1.5 billion Bybit hack.

  • Sophisticated Money Laundering: DPRK actors use a complex web of services to launder stolen funds, including decentralised exchanges (DEXs), centralised exchanges, mixers, privacy protocols, cross-chain bridges, P2P services, and OTC desks in permissive jurisdictions. They may also create fake exchanges to "clear exposure" and break the chain of custody.

  • IT Worker Exploitation: A significant threat comes from North Korean IT workers who pose as third-country freelancers. They seek to generate revenue and may gain privileged access to a firm's sensitive systems and information.


Suggested Actions:


  • Maintain high vigilance against social engineering and phishing campaigns.

  • Review and implement the guidance from the OFSI advisory on North Korean IT Workers.

  • Report any suspected activity immediately.


2.4. Transfers to Iranian Cryptoasset Firms


The assessment identifies likely facilitation of transfers to sanctioned Iranian entities.


  • Facilitating Illicit Transfers: It is "likely" that UK firms are facilitating transfers to Iranian cryptoasset firms with suspected links to DPs. An example cited is Nobitex, which has suspected ties to the Islamic Revolutionary Guard Corps (IRGC).

  • Sanctions Circumvention Tactics: Iranian platforms are known to provide users with guidance on evading international sanctions, including the use of AI-generated identification to defeat KYC checks.


Suggested Actions:


  • Report any suspected activity involving Iranian DPs or any Iranian cryptoasset firms that appear to be facilitating sanctions evasion.


3. Strengthening Compliance and Recognition


OFSI emphasises the need for more robust compliance frameworks and heightened awareness of warning signs.


  • Comprehensive Due Diligence: Firms are urged to conduct more robust due diligence, including scanning transaction histories for a minimum of 3-5 hops or until the transaction reaches an attributed service provider.

  • Retrospective Reporting: If transactions with DPs are discovered retrospectively (e.g., after onboarding a new analytics tool), firms are still obligated to report these suspected breaches to OFSI, the Financial Conduct Authority (FCA), and the National Crime Agency (NCA).

  • Asset Freezing: Firms are not permitted to reject incoming transactions. If incoming cryptoassets are linked to suspected sanctions evasion, the firm must restrict user access to the account, freeze the assets, and report the matter to OFSI.
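
One way to implement the hop-bounded scan described under Comprehensive Due Diligence, as an added example (not code from OFSI or from this report): a breadth-first walk backwards from a deposit address that stops at an attributed service provider or at the hop limit, and keeps the intermediary addresses and transaction hashes a report would need. All addresses, hashes and the `DESIGNATED` / `ATTRIBUTED_SERVICES` sets are constructed sample data.

```python
from collections import deque

# Constructed sample data: (sender, receiver, tx_hash). Not real addresses.
EDGES = [
    ("addr_dp",   "addr_m1",   "tx1"),   # designated person funds an intermediary
    ("addr_m1",   "addr_m2",   "tx2"),
    ("addr_m2",   "addr_cust", "tx3"),   # indirect flow reaches the customer
    ("addr_exch", "addr_cust", "tx4"),   # withdrawal from an attributed exchange
    ("addr_dp",   "addr_exch", "tx5"),   # upstream of the exchange: not followed
]
DESIGNATED = {"addr_dp"}             # assumption: addresses attributed to DPs
ATTRIBUTED_SERVICES = {"addr_exch"}  # assumption: known service providers


def trace_exposure(start, edges, designated, attributed, max_hops=5):
    """Trace inbound funds back from `start`.

    Returns (hits, frontier): hits are paths ending at a designated address,
    frontier holds addresses left unresolved when the hop limit was reached.
    """
    inbound = {}
    for src, dst, tx_hash in edges:
        inbound.setdefault(dst, []).append((src, tx_hash))

    hits, frontier, seen = [], set(), {start}
    queue = deque([(start, 0, [])])
    while queue:
        addr, hops, path = queue.popleft()
        for src, tx_hash in inbound.get(addr, []):
            step = path + [(src, tx_hash)]
            if src in designated:
                hits.append({"hops": hops + 1, "path": step})
                continue
            if src in attributed:
                continue  # stop: trace has reached an attributed service provider
            if src in seen:
                continue  # already expanded via a shorter path
            seen.add(src)
            if hops + 1 >= max_hops:
                frontier.add(src)  # hop limit reached with no attribution
                continue
            queue.append((src, hops + 1, step))
    return hits, frontier
```

On the sample graph a 2-hop scan returns no hits and leaves `addr_m1` unresolved, while a 3-hop scan finds the designated address through two intermediaries.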


Red Flags for Increased Due Diligence:


OFSI has identified several red flags. While not conclusive individually, their presence in combination should trigger enhanced scrutiny:


  • Significant or unusual transactions immediately following new sanctions announcements.

  • Exposure to counterparties with known associations to DPs.

  • Sudden, unexplained changes in transaction patterns.

  • Rapid movement of assets through multiple addresses or newly created wallets.

  • Use of DEXs or other services with weak or non-existent KYC/AML procedures.

  • Use of anonymity-enhancing technologies like mixers, privacy coins, VPNs, or cross-chain bridges.

  • Public marketing of "no-passport cash-out" or "sanctions-proof" services.

  • Transactions directed to or originating from sanctioned jurisdictions.

  • Counterparties who refuse compliance checks or provide inconsistent information.

  • Frequent migration of a service's technical infrastructure.


4. Conclusion


The OFSI Cryptoassets Threat Assessment is a clear call to action for the UK crypto sector. The threat landscape is dynamic and sophisticated, with state actors and illicit networks actively exploiting the crypto ecosystem to circumvent sanctions. UK cryptoasset firms must invest in and maintain robust, adaptable compliance frameworks, enhance their due diligence processes, and foster a culture of prompt and transparent reporting to the relevant authorities. Failure to do so not only poses significant regulatory and reputational risk but also undermines the integrity of the UK financial system.


 
 
 
