US government cracks down on money laundering through digital assets

Sharon Cohen Levin, Anthony Lewis, Kamil R Shields, Tracy Nelson Wirth, Sullivan & Cromwell LLP

This is an extract from the Third edition of The Guide to Anti-Money Laundering. The whole publication is available here.

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

Introduction

There is no question that digital assets – cryptocurrencies and non-fungible tokens – have revolutionised financial markets. Viewed as currency for the internet age, ‘crypto’ has been characterised as a means to bank the unbanked and disrupt centralised financial systems, as well as to promote privacy in financial transactions to address increasing surveillance and monitoring.

While cryptocurrency has become an increasingly mainstream form of currency, it is not without risk, particularly because, in contrast to fiat currency, there is no clear universal regulatory framework. The very attributes that make digital assets unique – the ability to move money quickly and relatively anonymously – also make them vulnerable to money laundering risk.

Cybercriminals are estimated to have laundered over US$93 billion worth of cryptocurrency since 2019.^[1] To face this threat, regulatory agencies and law enforcement, including the United States Department of Justice (DOJ), have become nimbler in addressing both money laundering through digital assets and the non-criminal use of digital assets as a medium of exchange.

Historically, unlike fiat currency, digital assets were considered untraceable, leaving little to no clue as to the identity of the person involved in a transaction, and a tool of choice for criminals to purchase illicit goods or facilitate illegal transactions. The illusion of anonymity, however, has proven to be just that. Because cryptocurrency transactions occur on a blockchain – a distributed database that maintains a permanent secure record – those transactions can be recorded and verified, with relevant data such as the time and date of a transaction and a digital wallet address; in other words, it is possible to identify the actual persons involved in the transactions, rendering purportedly impenetrable transactions visible and accessible.

This chapter begins by providing a background on the laundering of digital assets and the US government’s shifting focus with respect to digital assets. It then addresses the differing theories underlying recent seminal digital assets money laundering cases, and regulatory enforcement actions by federal and state regulatory authorities. The cases demonstrate that, as criminals have become more technologically astute, so too have US law enforcement agencies and prosecutors in acquiring new information and strategies to investigate and prosecute crimes driven by digital assets. Those trends occur alongside regulators’ imposition of anti-money laundering (AML) requirements to prevent, identify and report money laundering through digital assets.

Although digital assets pose novel issues, certain aspects of the AML framework remain the same. As with fiat currency, compliance measures and safeguards for digital assets encompass the source, nature and purpose of the transactions at issue, as well as the goods or services being procured. And as with traditional AML issues, enforcement authorities across the government are poised to address both the conduct of bad actors and the compliance efforts of companies in the space.

Money laundering and digital assets

The purpose of laundering digital assets – as with fiat currency – is to ‘wash’ funds or cryptocurrency obtained as payment for illegal goods and illicit purposes such that the original criminal source is undetectable. For crypto, the original criminal source or specified unlawful activity can derive from a variety of crimes, including drug trafficking, fraud, ransomware, human trafficking or payments by or to sanctioned entities. Criminal actors then seek to convert the ill-gotten crypto into ‘clean’ currency – for example, by moving the crypto quickly through multiple wallets before cashing it out. According to one blockchain analytics company, illicit addresses sent approximately US$40.9 billion worth of cryptocurrency to exchanges in 2024.^[2]

Recent regulatory and enforcement matters demonstrate the importance of knowing the source of a digital assets transaction to combat money laundering. Crypto-related entities have increasingly adopted ‘know your transaction’ procedures, much like the ‘know your customer’ (KYC) requirements of the Bank Secrecy Act (BSA). Just as financial institutions must have credible and verifiable information for the individuals and entities with whom they transact, crypto companies are similarly expected to deploy analytics based on public blockchains to detect potentially criminal patterns, involvement with known illicit wallets and other indicia of wrongdoing.

President Trump’s focus on digital assets

On 23 January 2025, President Trump signed an executive order that outlines key digital asset policy objectives.^[3] Among those objects are:

• protecting and promoting access to and use of open public blockchain networks ‘for lawful purposes’ and without ‘persecution;’
• promoting the growth of ‘lawful and legitimate’ US dollar-backed stablecoins; and
• providing regulatory clarity and certainty ‘built on technology-neutral regulations’.

The order established the President’s Working Group on Digital Asset Markets, which is chaired by the Special Advisor for AI and Crypto and includes the secretaries of the Department of the Treasury and the Department of Commerce, the Attorney General and various national security, technology and regulatory officials. The Working Group is tasked with ‘propos[ing] a Federal regulatory framework governing the issuance and operation of digital assets’, including considering ‘provisions for market structure, oversight, consumer protection, and risk management’.^[4]

Finally, the order expressly repealed the Biden administration’s 9 March 2022 executive order^[5] regarding regulatory objectives for digital assets. President Trump’s order has been characterised by market participants as an effort to remove regulations intended to limit innovation.

On 21 January 2021, the acting chair for the Securities and Exchange Commission (SEC) announced a new crypto task force ‘dedicated to developing a comprehensive and clear regulatory framework for crypto assets.’^[6] This task force arises in the context of Biden administration-era disputes over the scope of the SEC’s authority to regulate digital assets. The task force’s announced focus ‘will operate within the statutory framework provided by Congress and will coordinate the provision of technical assistance to Congress as it makes changes to that framework’.^[7]

On 7 April 2025, Deputy Attorney General Todd Blanche issued a memorandum to DOJ employees announcing that the DOJ ‘will no longer pursue litigation or enforcement actions that have the effect of superimposing regulatory frameworks on digital assets’.^[8] Specifically, the memorandum provides that, as a matter of prosecutorial discretion, ‘prosecutors should not charge regulatory violations’ in digital asset cases unless the violation is knowing and wilful;^[9] instead, it outlines the prioritisation of the prosecution of ‘individuals who victimize digital asset investors, or those who use digital assets in furtherance of criminal offenses’.^[10]

While it remains to be seen how this shift will impact existing regulatory guidance, these developments mark a significant change in the federal government’s approach to digital asset markets. The Trump administration has claimed that its new approach will result in increased opportunities to achieve market integrity, investor protection and compliance with AML and combating the financing of terrorism measures, rather than focusing solely on the potential risks and ignoring the considerable benefits of new technology.

US regulatory and enforcement authorities and framework

Comprehensive digital assets regulation is a continuing challenge given the speed of technological change and the large number of interested government entities with potentially divergent perspectives. Against the backdrop of congressional efforts to refine and improve AML laws and penalties, including changes to the BSA, the Anti-Money Laundering Act of 2020 (AMLA) and enforcing regulations, both federal and state enforcement authorities continue to emphasise the importance of thorough and effective compliance policies for digital assets companies.

DOJ

Notwithstanding any exercise of prosecutorial discretion, the DOJ has the authority to investigate and prosecute individuals and entities involved in the digital assets industry, including for violations of the money laundering laws, operation of an unlicensed money transmitter business and criminal violations of the BSA, such as the failure to implement and maintain an effective AML programme and adhere to reporting and record-keeping requirements.

FinCEN

The Treasury Department has long viewed cryptocurrency exchanges as money services businesses (MSBs) under the BSA and required them to register with the Financial Crimes Enforcement Network (FinCEN).^[11] FinCEN, which administers the BSA, has stated that any platform that ‘(1) accepts and transmits a convertible virtual currency or (2) buys or sells convertible virtual currency for any reason is a money transmitter under FinCEN’s regulations, unless a limitation to or exemption from the definition applies to the person’.^[12]

The AMLA endorsed this view by expanding the definition of ‘financial institutions’ and ‘money transmitters’ to include ‘a business engaged in the exchange of currency, funds, or value that substitutes for currency or funds’ and adding to the definition of ‘financial agency’ ‘a service provided with respect to . . . ​value that substitutes for currency’.^[13]

In 2019, FinCEN issued a comprehensive advisory statement on the applicability of AML rules to ‘convertible virtual currencies’, including mixers and tumblers.^[14] That statement advised the industry that as money transmitters, ‘[p]ersons accepting and transmitting [convertible virtual currencies] are required (like any money transmitter), to register with FinCEN as an MSB and comply with AML program, recordkeeping, monitoring, and reporting requirements’.^[15] Likewise, regulators agree that the Travel Rule^[16]applies to digital asset providers.^[17]

OFAC

The Treasury Department’s Office of Foreign Assets Control (OFAC) administers economic and trade sanctions, which are generally applicable to all US persons, including all US citizens and permanent resident aliens regardless of where they are located, and all persons and entities within the United States. OFAC sanctions apply to US businesses that transact in virtual currencies or receive virtual currency and convert it to US dollars, or vice versa. Sanctions violations are strict liability offences, meaning that a person can be held liable for a sanctions offence even if the violation was inadvertent or unintentional.

CFTC

The Commodity Futures Trading Commission (CFTC), an independent agency of the US government, regulates the US derivatives markets, which includes futures, swaps and certain kinds of options. The CFTC has recently brought actions involving AML violations for digital assets. As digital assets have grown, so has interest in trading derivatives relating to digital assets, and the CFTC has historically asserted its jurisdiction over entities servicing digital assets that have failed to adhere to their AML obligations.^[18]

State regulatory agencies

States have varied in their approach to the cryptocurrency market. Some have been aggressive leaders in announcing comprehensive regulatory regimes specific to cryptocurrency. New York is a notable example: ‘To conduct virtual currency business activity in New York State, entities can either apply for a BitLicense or for a charter under the New York Banking Law . . . ​with approval to conduct virtual currency business’.^[19]

Many states take the same view as FinCEN that cryptocurrency exchanges are subject to existing money transmission laws.^[20] Forty-nine states and the District of Columbia (DC) require those involved in money transmission to obtain a licence from the relevant state entity. Generally, the statutory definitions of ‘money transmission’ under the various state laws are substantively similar to each other and those of FinCEN and require the transfer of funds from one party to another.

Given the changes to federal enforcement priorities for digital assets and crypto-related entities, it is possible that state regulatory and enforcement activity will increase in the near future as states move to fill perceived enforcement gaps by federal authorities.

Relevant federal prosecutions

During the past decade, the DOJ, working in concert with law enforcement and regulatory agencies, has prosecuted significant money laundering matters involving cryptocurrency and other digital assets.^[21]Beginning in 2022, these prosecutions were resourced by the National Cryptocurrency Enforcement Team (NCET), an agency-wide task force of attorneys with expertise in cryptocurrency, cybercrime, money laundering and asset forfeiture.^[22] The NCET was later merged into the Computer Crime and Intellectual Property Section (CCIPS) and then formally disbanded in a 2025 memorandum.^[23] That memorandum explained that the CCIPS will ‘provide guidance and training to Department personnel and serve as liaisons to the digital asset industry’.^[24]

Marketplaces

Early government action in the digital asset space included several high-profile prosecutions and enforcement actions involving exchanges and other companies that facilitated (1) crime or (2) lacked sufficient AML and compliance programmes. Of the first category, the Silk Road prosecution is perhaps the most notable.

In 2013, the US Attorney’s Office for the Southern District of New York seized and shuttered Silk Road, described by prosecutors as ‘the most sophisticated and extensive criminal marketplace on the Internet’, allowing users to anonymously procure illegal drugs and services using bitcoin.^[25] According to evidence presented at trial, drug dealers and other unlawful merchants used Silk Road to distribute ‘hundreds of kilograms of illegal drugs and other unlawful goods and services’ to more than 100,000 customers.^[26] In addition, as demonstrated at trial, these unlawful vendors used Silk Road to launder hundreds of millions of dollars of proceeds from these illegal transactions.

In 2015, Silk Road’s founder, Ross Ulbricht, was convicted of seven criminal counts in connection with his operation and ownership of Silk Road, including money laundering conspiracy, and sentenced to life imprisonment and the forfeiture of US$184 million.^[27] Ulbricht was pardoned in 2025 by President Trump.^[28]

In July 2017, federal prosecutors seized and shut down AlphaBay, another online marketplace that, like Silk Road, allowed its users to exchange virtual currency for criminal goods and services, including illegal drugs, firearms, malware and toxic chemicals.^[29] AlphaBay was considered substantially larger than Silk Road; it listed more than 350,000 items, compared with Silk Road’s 14,000, at the time each was closed. Alexandre Cazes, the creator and administrator of AlphaBay, was charged by indictment with multiple criminal charges, including a money laundering conspiracy.^[30]

The US Attorney’s Office for the Eastern District of California filed a civil forfeiture complaint against the assets of Cazes and his wife located throughout the world.^[31] In addition to high-value assets, such as luxury vehicles, residences and a hotel in Thailand, Cazes also possessed millions of dollars in cryptocurrencies, which were ultimately seized by US law enforcement.^[32]

In shutting down AlphaBay, law enforcement acknowledged that going after illicit marketplaces was akin to playing ‘whack-a-mole’: ‘Critics will say as we shutter one site another site emerges . . . ​But that is the nature of criminal work. It never goes away, you have to constantly keep at it, and you’ve got to use every tool in your toolbox.’^[33]

The lessons learnt from Silk Road and AlphaBay, in particular the ability to trace transactions on digital ledgers using blockchain analytics, have informed law enforcement’s approach to crypto-related prosecutions and have opened new avenues to investigate and pursue money laundering prosecutions.

Exchanges

One of the first cases to demonstrate the potential for global cryptocurrency exchanges to serve as money laundering fronts involved the Costa Rica-based centralised digital currency service Liberty Reserve. Founded in 2006, prosecutors claimed that Liberty Reserve laundered more than US$6 billion prior to its closure by US authorities in May 2013.^[34] According to the government, at its peak, Liberty Reserve had more than a million users globally and 200,000 users in the United States and had processed 55 million transactions.

Liberty Reserve required minimal and unverified personal information to register. Its accounts could be funded only through third-party payment exchangers in countries that the DOJ described as ‘without significant governmental money laundering oversight’.^[35] Once deposited as Liberty Reserve currency, funds could be used to purchase illegal goods, as well as exchange and launder the proceeds of illicit activities.^[36] Notably, one group used Liberty Reserve to launder US$45 million procured from a heist of two Middle Eastern banks. To evade regulators in the United States and Costa Rica, Liberty Reserve supplied fictitious transaction information and pretended to have terminated operations in the jurisdiction.

In May 2013, Liberty Reserve was shuttered by US federal prosecutors and law enforcement as part of the ‘global takedown’ of Liberty Reserve following investigations by authorities in 17 countries. The DOJ charged founder Arthur Budovsky and six others with money laundering and operating an unlicensed money service business.^[37] The US government seized or restrained 45 bank accounts and US$25 million, seized domain names, arrested five of the seven individuals named in the indictment and sought legal assistance from 15 countries through mutual legal assistance treaty requests.^[38] In January 2016, Budovsky pleaded guilty to one count of conspiracy to commit money laundering for operating a money laundering enterprise through his global digital currency business, Liberty Reserve and was later sentenced to 20 years in prison.^[39]

The DOJ has also brought actions against exchanges in connection with alleged AML deficiencies. On 21 November 2023, Binance entered into an agreement with the DOJ, agreeing to pay US$4 billion and pleading guilty to violating the International Emergency Economic Power Act, conducting an unlicensed money transmitting business and conspiracy to do the same. The DOJ alleged that Binance lacked an effective AML programme, namely Binance ‘did not implement comprehensive know-your-customer protocols’, ‘systematically monitor transactions’ or ‘file[] suspicious activity report[s]’.^[40] This plea was part of coordinated resolutions with FinCEN, OFAC and the CFTC. On 30 April 2024, Changpeng Zhao, co-founder and former CEO of Binance, was sentenced to four months in prison after pleading guilty to failure to maintain an effective AML programme.^[41]

Mixers and tumblers

The DOJ has brought several actions against the operators of ‘mixer’ or ‘tumbler’ services. These services operate in various ways; for example, they can allow individuals to mix cryptocurrency from multiple different users, thereby combining illicit and clean funds and then allowing a user to withdraw their initial contribution and send ‘clean’ cryptocurrency. Although proponents of mixer and tumbler services claim that they advance financial privacy, their critics claim that they make law enforcement’s job more difficult by obscuring the source of a digital transaction and aid money laundering by tumbling illicit and ‘clean’ funds to obscure criminal proceeds.

In February 2020, the US Attorney’s Office for the District of Columbia indicted and arrested Larry Harmon, the alleged founder, operator and administrator of Helix, a bitcoin tumbler. Harmon was charged with money laundering conspiracy, operating an unlicensed money transmitting business and conducting money transmission without a DC licence.

The DOJ alleged that Helix laundered hundreds of millions of dollars of illicit narcotics proceeds and other criminal profits by allowing customers, for a fee, to send bitcoin in a manner intentionally designed to conceal the path of the bitcoin. ‘Harmon advertised Helix to customers on the darknet as a way to conceal transactions from law enforcement.’^[42] Harmon was sentenced to three years in prison.^[43]

In addition to the criminal prosecution, FinCEN assessed a US$60 million civil penalty against Harmon, the founder, administrator and primary operator of Helix, and another mixer, Coin Ninja, for wilful violations of the BSA and related regulations by failing to register Helix as an MSB, failing to implement and maintain an effective AML programme, and failing to report suspicious activities.^[44] This marked the first penalty FinCEN levied against a bitcoin mixer.

In April 2021, the DOJ brought another action concerning a mixer, Bitcoin Fog, ‘the longest-running cryptocurrency “mixer”’ and ‘a go-to money laundering service for criminals’.^[45] The DOJ charged Roman Sterlingov with money laundering conspiracy, operating an unlicensed money transmitting business and conducting money transmission without a DC licence. Allegedly, Sterlingov was involved with moving more than 1.2 million bitcoin through Bitcoin Fog – valued at approximately US$335 million. Much of this activity came from darknet marketplaces and was linked to illegal narcotics, computer fraud and identity theft.^[46] In 2024, a federal jury convicted Sterlingov, who was sentenced to serve 150 months in prison.^[47]

While the use of mixers and tumblers presents obstacles to law enforcement with respect to the tracing of digital assets, these actions show that it is possible to ‘untumble’ or ‘de-mix’ digital assets and determine the source and provenance of the criminal funds. Analytics tools with advanced tracing algorithms can enable investigators to follow the flow of illicit funds from a known cryptocurrency address. Given investigators’ increasing access to sophisticated technology, mixers and tumblers do not provide a safe haven for criminals as they once did.

Laundering proceeds of cybercrime

Digital assets can provide an avenue for criminals to launder the proceeds of ransomware attacks, hacking and other cybercrime into clean funds. One example arose out of the 2016 hack of digital currency exchange Bitfinex, which resulted in the theft of 119,754 bitcoin.^[48] In August 2023, Ilya Lichtenstein and Heather Morgan pleaded guilty to conspiracy to launder cryptocurrency arising from the hack, then valued at approximately US$4.5 billion.^[49] Lichtenstein was ultimately sentenced to five years in prison, and Morgan was sentenced to 18 months.^[50] According to the DOJ, unauthorised transactions moved bitcoin into a digital wallet controlled by Lichtenstein, which was then laundered through a series of complicated transactions, including depositing and withdrawing the funds at a variety of virtual currency exchanges as well as converting between different virtual currencies. At the time of the arrests, law enforcement had seized US$3.6 billion in involved cryptocurrency.^[51]

In February 2025, Aux Cayes Fintech Co Ltd, which operates OKX, one of the largest cryptocurrency exchanges in the world, pleaded guilty to operating an unlicensed money transmitting business.^[52] The DOJ alleged that OKX ‘knowingly violated’ AML laws, including by ‘advis[ing] individuals to provide false information to circumvent’ KYC policies and a prohibition on US customers.^[53] The DOJ also alleged that OKX failed to register with FinCEN as a money services business and also did not implement certain necessary KYC practices and other controls. As a result, OKX was used to facilitate over US$5 billion worth of suspicious transactions and criminal proceeds.^[54] As part of its plea, OKX agreed to pay monetary penalties totalling more than US$504 million.

In March 2025, the DOJ announced conspiracy charges against two administrators of Garantex, a cryptocurrency exchange that allegedly ‘facilitated money laundering by transnational criminal organizations’ and ‘sanctions violations’.^[55] In a coordinated action with Germany and Finland, the DOJ worked to disrupt and take down the online infrastructure used to operate Garantex. According to the DOJ, since April 2019, Garantex processed at least US$96 billion in cryptocurrency transactions. OFAC had previously sanctioned Garantex for its role in ‘money laundering of funds from ransomware actors and darknet markets’.^[56] According to the DOJ, Garantex’s administrators subsequently redesigned its operations to evade these sanctions, such as by moving operational cryptocurrency wallets to different addresses on a daily basis to make it difficult for cryptocurrency exchanges to identify and block affiliated transactions.

Regulatory actions

In an effort to prevent money laundering through virtual assets, federal and state regulators have brought various enforcement actions based on alleged AML deficiencies. Additionally, regulators have made collaborative cross-agency efforts and various regulatory authorities to address this rapidly developing space.

Federal BSA/AML enforcement actions

Regulators have undertaken cross-agency enforcement actions to address AML issues in the digital assets space. In one collaborative action in August 2021, the CFTC and FinCEN entered into settlements with BitMEX, a virtual currency derivative exchange, to resolve allegations that, among other things, it operated as an unregistered futures commission merchant and provided money transmission services, wilfully failing to comply with its obligations under the BSA.^[57]

In addition to violating the Commodity Exchange Act, the CFTC found that BitMEX failed to maintain adequate customer due diligence policies and procedures. FinCEN found that BitMEX failed to maintain a compliant AML programme, file suspicious activity reports or implement adequate controls to restrict Americans from accessing its platforms.^[58]

The joint CFTC–FinCEN investigation resulted in a total combined penalty of US$100 million for both agencies, with a credit for US$20 million assuming completion of remediation.^[59] The FinCEN settlement also required the engagement of an independent consultant to conduct a historical analysis of its transaction data, to determine whether BitMEX must file additional reports of suspicious activity.

In 2022, three of BitMEX’s co-founders and another top executive pleaded guilty to violations of the BSA, and, in July 2024, BitMEX itself entered a guilty plea and was ultimately sentenced to a US$100 million fine.^[60] All four individuals, as well as the BitMEX’s operating entity, were pardoned in 2025 by President Trump.^[61]

In October 2022, Bittrex, a virtual currency exchange, settled charges with FinCEN for US$29 million for alleged failures in its AML programme.^[62] FinCEN charged Bittrex with wilful violations of the BSA, including insufficient transaction monitoring and a lack of risk-based policies and procedures. FinCEN noted that Bittrex failed to appropriately address the risks associated with certain anonymity-enhanced cryptocurrencies traded on Bittrex. As a result, FinCEN found that Bittrex failed to detect, investigate and report a multitude of transactions linked to darknet marketplaces and sanctioned jurisdictions. Bittrex simultaneously agreed to pay US$24 million to settle potential civil liability with OFAC (its largest digital asset enforcement action to date) for thousands of apparent violations of multiple sanctions programmes.^[63]

State regulatory actions

State regulators have also expanded their regulatory footprint to include virtual asset service providers. In particular, the New York State Department of Financial Services (NYDFS) has become a significant player. It maintains a system of licensure for digital asset businesses, awarding ‘BitLicenses’ and enforcing regulation, including the requirement that a licensee maintain an effective and compliant AML programme.^[64] The NYDFS has pursued several recent actions that demonstrate its keen interest in crypto regulation and its ability to control entry into the space within its jurisdiction.

Robinhood is a mobile-based stock trading platform that also offers cryptocurrency trading through a subsidiary, Robinhood Crypto.^[65] In August 2022, in its first virtual currency enforcement action, the NYDFS fined Robinhood Crypto US$30 million for failures in its AML programme and other violations.^[66] In announcing the fine, the NYDFS emphasised that Robinhood Crypto’s AML programme and transaction monitoring were inadequate, understaffed and provided insufficient resources given its size and risk profile.^[67] As part of its settlement with the NYDFS, Robinhood Crypto agreed to hire an independent consultant to oversee its remediation efforts.^[68]

In January 2023, cryptocurrency exchange Coinbase agreed to a US$50 million penalty to settle NYDFS claims and agreed to invest another US$50 million in its compliance function.^[69] Among other issues, the NYDFS found that Coinbase’s KYC practices were ‘immature and inadequate’. The NYDFS also found that Coinbase was unable to keep up with the growth of alerts generated by its transaction monitoring programme and, as a result, failed to investigate and report some suspicious activity in a timely manner. During the course of the investigation, the NYDFS installed an independent monitor to evaluate and assist in the remediation.^[70]

In January 2025, state regulators from 48 states and Washington, DC announced a US$80 million settlement with Block, Inc, which operates Cash App, a digital wallet that allows users to store and send fiat currency and digital assets. The regulators alleged that Block was non-compliant with certain BSA/AML regulations in some areas, ‘potentially creating opportunities for its services to be used in supporting terrorism financing, money laundering, or other illegal activities’.^[71] As part of the settlement, Block will hire an independent consultant to assess its BSA/AML programme and recommend improvements.

Designation as a primary money laundering concern

On 18 January 2023, in its first action under the Combating Russian Money Laundering Act, FinCEN determined that Bitzlato Limited (Bitzlato), a virtual currency exchange, facilitated money laundering transactions for Russian ransomware actors.^[72] Accordingly, it designated Bitzlato as a ‘primary money laundering concern’ and prohibited transmittals involving Bitzlato by any covered financial institution.^[73] As set forth in a related criminal complaint filed against its co-founder, Bitzlato marketed itself as requiring minimal identification from its users and allowed customers to provide information belonging to ‘straw man’ registrants.^[74] Bitzlato is estimated to have exchanged more than US$700 million in cryptocurrency with Hydra Market, its largest counterparty in cryptocurrency transactions and the largest and longest-running darknet market in the world.^[75] FinCEN’s designation of Bizlato prevents certain financial institutions from transacting with that entity, limiting its access to the US financial system.

FinCEN has continued to exercise its ability to designate virtual currency exchanges as a ‘primary money laundering concern’, particularly those alleged to be involved in Russian illicit financial activity. For example, in September 2024, FinCEN designated PM2BTC, a crypto-to-fiat exchange, as a primary money laundering concern, concurrently with OFAC sanctioning PM2BTC’s operators and Cryptex, another affiliated exchange.^[76] In its order, FinCEN explained that ‘nearly half of PM2BTC’s exchange activity had links to illicit activity,’ and that it ‘facilitates a substantially greater proportion of transactions with apparent links to money laundering activity in connection with Russian illicit finance as compared to 99 percent of other virtual asset service providers’.^[77]

OFAC designations

OFAC’s designation of an entity in the digital asset space restricts US persons and anyone in the United States from transacting with that entity.

In August 2022, the Department of the Treasury sanctioned Tornado Cash, a virtual currency mixer.^[78] Tornado Cash is an open-source, non-custodial, fully decentralised tumbler that was considered the most popular coin-mixing service on the Ethereum blockchain.^[79] OFAC found that bad actors had laundered more than US$7 billion of cryptocurrency through Tornado Cash, including approximately US$455 million in funds allegedly stolen by the Lazarus Group, a sanctioned state-sponsored hacking group in North Korea.^[80] OFAC’s designation of Tornado Cash followed the May 2022 designation of Blender.io, another virtual currency mixer, which was used to process more than US$20.5 million from another hack by Lazarus Group.

On 8 September 2022, six individuals who had previously used Tornado Cash for lawful purposes filed a complaint in the Western District of Texas challenging OFAC’s authority to designate the protocol.^[81] The plaintiffs succeeded on appeal after the Fifth Circuit determined that Tornado Cash’s immutable smart contracts (the lines of privacy-enabling software code) were not ‘property’ and OFAC had, therefore, exceeded its statutory authority.^[82] Ultimately, in March 2025, the Department of the Treasury announced that it had removed the sanctions against Tornado Cash while noting that it ‘remain[s] deeply concerned about the significant state-sponsored hacking and money laundering’ of digital assets by North Korea.^[83]

Conclusion

Although innovation continues to evolve the digital assets industry, the regulatory landscape and enforcement priorities have taken great strides to keep pace. The prized anonymity and access to sophisticated laundering techniques that incentivise some criminals to use digital assets to launder crime proceeds have also drawn law enforcement interest and regulatory scrutiny in the United States and globally. As the digital assets industry continues to mature, it can be expected that actions by regulators and law enforcement agencies will be significant in shaping how the industry both operates and addresses the risks of money laundering.

Acknowledgement

The authors wish to thank Lisa Mendola-D’Andrea and Sheeva Nesva, associates at Sullivan & Cromwell LLP, for their many contributions to this chapter.