OFAC Cyber Sanctions and Crypto Mixers: 2026 Compliance Risk

OFAC cyber sanctions on crypto mixers create serious exposure for VASPs and DeFi protocols. Learn what's required, what's changed, and how to stay compliant in 2026.

The Fifth Circuit's August 2024 reversal in Van Loon v. Department of the Treasury — holding that OFAC exceeded its authority by sanctioning Tornado Cash's immutable smart contracts as "property" — didn't end the mixer compliance story. It complicated it. OFAC's Cyber-related Designations authority under Executive Order 13694 (as amended by E.O. 13757 and E.O. 14024) remains fully intact, and the agency has continued designating mixer-adjacent infrastructure, wallet clusters, and developer entities throughout 2025 and into 2026.

If your firm touches mixing protocols, privacy coins, or cross-chain bridges, the legal ground is still shifting under your feet.

TL;DR

  • The Van Loon ruling narrowed OFAC's reach over immutable smart contracts but left sanctions on human actors, mutable contracts, and mixer-linked wallets fully in force.
  • Tornado Cash's mutable contracts and associated developer wallets remain on the SDN List; transacting with them is still prohibited for U.S. persons.
  • OFAC's Cyber-related Designations framework (E.O. 13694/13757/14024) gives Treasury broad authority to sanction entities that materially support ransomware, North Korean cyber actors, and other designated threat groups — mixers are a primary vector.
  • VASPs, DeFi front-ends, and on/off-ramp providers face strict liability for SDN hits; "we didn't know" is not a defense.
  • Operationalizing compliance requires real-time blockchain analytics, SDN screening at the wallet level, and documented escalation procedures.

What This Regulation Actually Requires

The Statutory and Executive Order Framework

OFAC's authority to sanction crypto mixers flows from multiple overlapping legal instruments. E.O. 13694 (April 2015) authorized sanctions against persons engaged in "significant malicious cyber-enabled activities." E.O. 13757 (December 2016) expanded that to cover interference with elections and critical infrastructure. E.O. 14024 (April 2021) added a broad Russia-related sanctions program that has been used to target Garantex and other crypto exchanges facilitating sanctions evasion.

The International Emergency Economic Powers Act (IEEPA) underpins all of these orders. IEEPA gives Treasury the power to block transactions and freeze assets — and critically, it applies to "any property in which any foreign country or a national thereof has any interest." That phrase is doing a lot of work in the mixer context.

What the Van Loon Decision Actually Changed

The Fifth Circuit held in August 2024 that Tornado Cash's immutable smart contracts — code that no person controls or can modify — don't qualify as "property" under IEEPA because no entity holds a cognizable property interest in them. The court did not disturb the designation of Tornado Cash's mutable contracts, its DAO governance tokens, or the individual developers (Roman Storm, Roman Semenov) who remain on the SDN List.

Practical upshot: the immutable pool contracts at specific Ethereum addresses were removed from the SDN List following the ruling. Everything else stayed. And OFAC has since made clear it views the Van Loon holding narrowly — the agency's position is that most real-world mixer infrastructure involves some degree of human control or upgradeability, which keeps it within IEEPA's reach.

The Strict Liability Standard

OFAC sanctions violations are strict liability offenses. There is no intent requirement for a civil penalty. Under 31 C.F.R. Part 501, Appendix A, OFAC evaluates violations using a multi-factor framework that includes: willfulness, awareness of conduct, harm to sanctions program objectives, individual characteristics of the violator, and remedial response. But the baseline civil penalty can still apply even when a firm had no knowledge that a counterparty was SDN-listed.

For crypto specifically, OFAC's 2021 Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments made explicit that virtual currency exchanges, wallets, and payment processors must implement risk-based compliance programs — including blockchain analytics — or face heightened penalty exposure.

Mixer-Specific Guidance

OFAC's October 2022 Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, and the agency's separate 2022 action against Tornado Cash, established several mixer-specific compliance expectations:

  • Blockchain analytics is expected, not optional. OFAC has cited the absence of analytics tools as an aggravating factor in enforcement.
  • Indirect exposure counts. Receiving funds that passed through a sanctioned mixer — even several hops removed — can create exposure if the firm had reason to know.
  • Front-end operators bear responsibility. Even if the underlying protocol is decentralized, a company operating a web interface, API, or fiat on-ramp connected to a mixer is a U.S. person subject to OFAC jurisdiction.

What This Means for Your Company

The Van Loon ruling gave some DeFi developers breathing room on the question of whether deploying immutable code creates sanctions liability. That's a real and meaningful legal development. But it didn't create a compliance holiday.

For VASPs — exchanges, custodians, OTC desks, payment processors — the obligations are unchanged. You must screen counterparty wallet addresses against the SDN List before processing transactions. You must have procedures for handling blockchain analytics alerts that flag mixer-tainted funds. And you must be able to demonstrate, in writing, that your compliance program is calibrated to the actual risk profile of your customer base and transaction flows.

DeFi protocol teams operating front-ends face a harder question post-Van Loon. The ruling suggests that deploying truly immutable code may not itself be sanctionable. But running a website, collecting fees, or maintaining admin keys almost certainly brings you back within OFAC's reach. The Tornado Cash developer prosecutions — Roman Storm was convicted in November 2024 on money laundering and sanctions charges — confirm that DOJ and OFAC view the human layer of "decentralized" protocols as fully accountable.

Bridge operators and cross-chain infrastructure providers are the next frontier. OFAC has been increasingly focused on bridges as mixer-substitutes, particularly those used by Lazarus Group (North Korea's state-sponsored hacking unit) to launder proceeds from exchange hacks. The Ronin Bridge hack ($625 million, March 2022) and subsequent Lazarus Group designations set the template.

How to Operationalize

Step 1: Map your exposure surface. Identify every point where your product touches blockchain transactions: deposits, withdrawals, swaps, bridge interactions, smart contract calls. Each is a potential sanctions touchpoint.

Step 2: Implement real-time SDN screening at the wallet level. Static name screening is insufficient for crypto. You need a blockchain analytics provider (Chainalysis, Elliptic, TRM Labs, or equivalent) integrated into your transaction flow. Screening should occur before transaction execution, not after.

Step 3: Configure mixer-taint alerts. Set thresholds for indirect exposure — funds that passed through a sanctioned mixer within a defined number of hops or within a defined time window. Document your threshold rationale. OFAC doesn't prescribe specific hop counts, but your methodology needs to be defensible.

Step 4: Build a blocking and reporting workflow. When a transaction hits an SDN match or exceeds your taint threshold, you need a documented escalation path: block the transaction, freeze associated funds if required, file a blocked property report with OFAC within 10 business days (31 C.F.R. § 501.603), and notify your BSA Officer.

Step 5: Train your team. Compliance staff, customer support, and engineering teams that touch transaction infrastructure all need baseline OFAC training. Document it. OFAC's penalty mitigation framework explicitly credits robust training programs.

Step 6: Conduct periodic lookback reviews. Run historical transaction data against updated SDN lists quarterly. New designations can retroactively implicate prior transactions if funds remain in your custody.

Step 7: Maintain a written sanctions compliance program. OFAC expects a documented program proportionate to your risk profile. For a crypto-native business, that means written policies covering: SDN screening procedures, blockchain analytics protocols, escalation and reporting workflows, training cadence, and annual program review.
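To make Steps 2 to 4 concrete, here is an added illustration (not the article's code, nor any analytics vendor's): a hop-bounded backward trace over a constructed set of transfers, used to route a deposit into the blocking workflow. The SDN entry, the transfers, the 3-hop / 30-day threshold and the "block and report" versus "hold and escalate" routing are all assumed placeholders standing in for a firm's own documented policy.

```python
"""Hop-bounded taint tracing for wallet-level SDN screening (Steps 2-4). Added
illustration, not the article's or any vendor's code; SDN entries, transfers and
thresholds below are constructed placeholders."""
from collections import deque, namedtuple
Transfer = namedtuple("Transfer", "sender receiver ts")  # ts: unix seconds
SDN = {"sdn_mixer_placeholder"}  # constructed stand-in, not a real designation
MAX_HOPS = 3                     # documented indirect-exposure threshold (Step 3)
WINDOW = 30 * 24 * 3600          # documented lookback window (30 days)

def trace_exposure(wallet, transfers, at, sdn=SDN, max_hops=MAX_HOPS, window=WINDOW):
    """Walk incoming transfers backwards from `wallet`; return (hops, sdn_addr)
    for the nearest SDN-listed source within the hop and time limits, else None."""
    if wallet in sdn:
        return (0, wallet)
    inbound = {}
    for t in transfers:
        inbound.setdefault(t.receiver, []).append(t)
    seen, queue = {wallet}, deque([(wallet, 0, at)])
    while queue:
        addr, hops, before = queue.popleft()
        if hops == max_hops:
            continue
        for t in inbound.get(addr, []):
            # funds must have arrived before they moved on, and inside the window
            if not (at - window <= t.ts <= before):
                continue
            if t.sender in sdn:
                return (hops + 1, t.sender)
            if t.sender not in seen:
                seen.add(t.sender)
                queue.append((t.sender, hops + 1, t.ts))
    return None

def screen_deposit(wallet, transfers, at):
    """Step 4 routing (constructed policy): a direct SDN counterparty is blocked
    and reported; an indirect hit inside the threshold is held and escalated."""
    hit = trace_exposure(wallet, transfers, at)
    if hit is None:
        return "clear"
    return "block_and_report" if hit[0] <= 1 else "hold_and_escalate"

def demo():
    """Constructed chain mixer -> A -> B -> cust, plus a hop older than WINDOW."""
    day = 24 * 3600
    txs = [Transfer("sdn_mixer_placeholder", "A", 10 * day), Transfer("A", "B", 12 * day),
           Transfer("B", "cust", 14 * day), Transfer("sdn_mixer_placeholder", "old", day),
           Transfer("old", "cust2", 50 * day)]
    return {"cust": screen_deposit("cust", txs, 15 * day),   # 3 hops -> escalate
            "cust2": screen_deposit("cust2", txs, 50 * day), # stale -> clear
            "A": screen_deposit("A", txs, 11 * day)}         # 1 hop -> block
```

In production the transfer set comes from the analytics provider's graph and the thresholds from the written program in Step 7; the point is that the hop count and time window are explicit parameters a reviewer can defend, not defaults nobody can explain.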

Common Mistakes and How to Avoid Them

Mistake 1: Treating Van Loon as a green light for mixer integration. The ruling addressed a narrow question about immutable smart contracts as "property." It didn't immunize mixer interactions, mixer-tainted funds, or human actors associated with mixing protocols. Don't let your legal team's relief about the ruling translate into relaxed operational controls.

Mistake 2: Screening only at onboarding. KYC/KYB at account opening doesn't catch SDN designations that happen after a customer is onboarded. You need ongoing monitoring — both of customer wallet activity and of new SDN additions that might match existing customers.

Mistake 3: Relying on a single blockchain analytics provider without calibration. Different analytics tools use different methodologies for tracing mixer-tainted funds. A tool configured with default settings may miss exposure that a more calibrated setup would catch. Understand your tool's methodology and document why your configuration is appropriate for your risk profile.

Mistake 4: Ignoring indirect exposure. OFAC has not published a bright-line rule on how many hops of separation from a sanctioned mixer creates liability. Some firms assume that two or three hops of separation is safe. That assumption isn't grounded in any OFAC guidance. Your risk-based approach needs to account for indirect exposure, with documented rationale for whatever threshold you set.

Mistake 5: Failing to file blocked property reports. When you block a transaction involving SDN-listed property, you're required to file a report with OFAC within 10 business days. Many crypto firms — especially smaller ones — don't know this requirement exists. Failure to file is itself a violation.

Mistake 6: Assuming decentralization is a legal shield. The Roman Storm conviction is the clearest signal yet that DOJ and OFAC will look through protocol architecture to find the humans making decisions. If you're earning fees, controlling admin functions, or operating user-facing infrastructure, you're in scope.

FAQ

Q: Does the Van Loon ruling mean I can interact with Tornado Cash's immutable contracts without OFAC risk?

A: Technically, the immutable pool contracts were removed from the SDN List following the Fifth Circuit's ruling. But "removed from the SDN List" doesn't mean "safe to use." Funds flowing through those contracts may still be traceable to SDN-listed wallets or entities, creating indirect exposure. And OFAC's broader Cyber-related Designations framework means that using mixer infrastructure to process funds linked to ransomware or North Korean actors creates independent sanctions risk. Proceed with extreme caution and get specific legal advice before any interaction.

Q: We're a DeFi protocol with no U.S. users. Does OFAC apply to us?

A: OFAC's jurisdiction extends to U.S. persons wherever located, and to transactions that occur in whole or in part in the United States. If your protocol's smart contracts are deployed on a U.S.-based node, if your team includes U.S. persons, or if your front-end is hosted on U.S. infrastructure, you likely have OFAC exposure. The "no U.S. users" argument has not been tested as a complete defense, and OFAC has not endorsed it.

Q: What's the penalty exposure for a sanctions violation involving a crypto mixer?

A: Civil penalties under IEEPA can reach the greater of $356,579 per violation (adjusted annually for inflation) or twice the value of the transaction. For willful violations, criminal penalties include up to 20 years imprisonment and $1 million per violation. OFAC's penalty mitigation framework can reduce civil penalties significantly for firms with robust compliance programs and voluntary self-disclosure — but the baseline exposure is severe.

Q: How do I handle a situation where a customer's deposit is flagged as mixer-tainted after the fact?

A: Freeze the funds, escalate to your BSA Officer and legal counsel, and assess whether the taint level and SDN connection meet your threshold for a blocked property report. If the funds are traceable to a specifically designated wallet or entity, you're likely required to block and report. Document every step of your decision-making process.

Q: Are privacy coins like Monero treated the same as mixers under OFAC's framework?

A: OFAC hasn't issued specific guidance treating privacy coins as equivalent to mixers. But the agency's risk-based approach means that privacy coins used to obscure the origin of funds linked to designated actors create the same underlying concern. Several exchanges have delisted Monero and similar assets precisely because of the compliance complexity. If your business handles privacy coins, your blockchain analytics program needs to account for the limits of traceability.


Sources

  • U.S. Department of the Treasury, Office of Foreign Assets Control, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (September 2021, updated October 2022)
  • Executive Order 13694, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" (April 1, 2015), as amended by E.O. 13757 (December 28, 2016)
  • Executive Order 14024, "Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation" (April 15, 2021)
  • 31 C.F.R. Part 501, Appendix A — OFAC Economic Sanctions Enforcement Guidelines

Disclaimer

This article is provided for general informational purposes only and does not constitute legal advice. The information herein reflects publicly available regulatory guidance and legal developments as of the date of publication and may not reflect subsequent changes in law, regulation, or enforcement practice. No attorney-client relationship is created by reading or relying on this content. Compliance obligations vary based on your specific business model, jurisdiction, and risk profile. Consult qualified legal counsel before making compliance decisions.
