OFAC Crypto Sanctions: How the SDN List Targets Wallets and Entities

Key Takeaways

• The OFAC SDN list now contains over 1,200 crypto wallet addresses across 17 blockchains.
• Real‑time screening (updates every 15 minutes) is the industry standard for U.S. exchanges.
• DeFi protocols, DAOs, and even AI‑driven trading bots are now subject to sanctions.
• Traditional financial sanctions focus on institutions; crypto sanctions pinpoint individual addresses.
• Compliance teams need to ingest OFAC’s XML feed, support layer‑2 networks, and monitor stablecoins like USDT and USDC.

When you hear "OFAC crypto sanctions," you might picture a long list of names on a spreadsheet. In reality, it’s a constantly shifting web of wallet addresses, smart contracts, and even whole decentralized organisations that the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has marked as off‑limits. If you run a crypto exchange, a DeFi platform, or even a fintech app that lets users move tokens, you need a clear picture of how the sanctions list works, which addresses are blocked, and what you must do to stay compliant.

What is the OFAC sanctions list?

OFAC sanctions list is a set of designations published by the Office of Foreign Assets Control, a bureau of the U.S. Department of the Treasury. The list flags individuals, entities, vessels, and increasingly, cryptocurrency wallet addresses that are prohibited from doing business with U.S. persons or accessing the U.S. financial system.

The core of the crypto‑focused effort lives in the Specially Designated Nationals (SDN) section of the list. As of October 2025, the SDN list includes more than 1,200 wallet addresses spanning Bitcoin, Ethereum, Monero, and a host of newer tokens.

How OFAC targets crypto addresses

Unlike a traditional bank account, a crypto wallet is a string of alphanumeric characters on a public ledger. To block a bad actor, OFAC simply adds that exact address to the SDN list. The challenge for compliance teams is that an address can appear on multiple blockchains (e.g., a wrapped token) or be obscured behind a privacy coin.

Key points about the current scope:

• Seventeen blockchain families are covered, from Bitcoin (XBT) and Ethereum (ETH) to newer ecosystems like Arbitrum (ARB) and Binance Smart Chain (BSC).
• Stablecoins (USDT, USDC) are heavily monitored because they enable quick cross‑border value transfer.
• DeFi protocols, DAOs, and even AI‑driven autonomous trading bots can be designated.
• Layer‑2 networks (e.g., Optimism, zkSync) are now part of the OFAC Blacklist v2.0, closing a previous loophole.

Each address in the SDN feed carries a risk score (low, medium, high) that helps platforms prioritize alerts.

Major crypto types covered

Below is a quick rundown of the 17 assets that OFAC presently monitors. These are the tokens most likely to appear in a sanction designation.

1. Bitcoin (XBT)
2. Ethereum (ETH)
3. Monero (XMR)
4. Litecoin (LTC)
5. ZCash (ZEC)
6. DASH
7. Bitcoin Gold (BTG)
8. Ethereum Classic (ETC)
9. Bitcoin Satoshi Vision (BSV)
10. Bitcoin Cash (BCH)
11. Verge (XVG)
12. USD Coin (USDC)
13. Tether (USDT)
14. Ripple (XRP)
15. Tron (TRX)
16. Arbitrum (ARB)
17. Binance Smart Chain (BSC)

Technical infrastructure and 2025 upgrades

In early 2025 OFAC rolled out the Crypto Compliance Guidance 2025, which makes real‑time monitoring a regulatory requirement for any U.S.-based exchange. The guidance forced a shift from daily CSV imports to an XML feed (sdn_advanced.xml) that can be parsed into JSON or plain‑text lists.

Key technical milestones:

• March 2025 - OFAC endorsed three new wallet‑screening engines designed for DeFi platforms.
• May 2025 - Launch of OFAC Blacklist v2.0, adding real‑time alerts and layer‑2 coverage.
• January 2025 - Expansion of sanction criteria to cover DAOs and protocols without a formal legal entity.

The XML feed includes fields for address, blockchain, risk score, and a brief description of the underlying entity. Most compliance vendors (Scorechain, Chainalysis, Elliptic) have built parsers that pull the feed every 15 minutes and automatically flag transactions that match.

Real‑world case studies

Understanding the abstract list becomes clearer when you look at actual designations.

• Iranian oil network (Sept2025) - Two Iranian nationals used Ethereum and TRON wallets to move over $600million, with $100million directly tied to oil sales. OFAC froze the wallets and required exchanges to block any further transfers.
• SECONDEYE SOLUTION - Linked to the INTERNET RESEARCH AGENCY LLC, this entity operated multiple Bitcoin addresses, including 1NE2NiGhhbkFPSEyNWwj7hKGhGDedBtSrQ and 19D8PHBjZH29uS1uPZ4m3sVyqqfF8UFG9o. The addresses were used to funnel money for alleged election‑interference operations.
• Garantex seizure (Mar2025) - Joint U.S., German, and Finnish action seized $26million in crypto held by the exchange. After the initial sanction, the operators tried to re‑launch as "Grinex," prompting a second designation.
• Lazarus Group (Q12025) - North‑Korean hackers moved $200million through sanctioned DeFi protocols, exploiting smart‑contract loopholes before being blocked by updated OFAC filters.
• AI‑driven trading bot (Feb2025) - The first autonomous bot used for money‑laundering was added to the SDN list after moving $60million through a mix of stablecoins and privacy tokens.

Compliance requirements for exchanges and service providers

If your platform lets users deposit, withdraw, or trade crypto, you must implement the following steps:

1. Subscribe to the sdn_advanced.xml feed directly from OFAC’s website.
2. Parse the XML into a searchable database that maps address → blockchain → risk score.
3. Integrate the database with your transaction monitoring engine so that each inbound/outbound transaction is checked against the list in real time.
4. Set alert thresholds (e.g., block high‑risk matches, flag medium‑risk for manual review).
5. Update the database at least every 15 minutes - most providers automatically pull the feed on that schedule.
6. Maintain audit logs showing when a match occurred and what action was taken.
7. Train compliance staff on how to interpret risk scores and handle false‑positive appeals.

Compliance teams also need to support multiple networks simultaneously. A single transaction might involve a wrapped token on BSC that ultimately settles on Ethereum, so your scanner must resolve cross‑chain bridges.

Traditional financial sanctions vs. cryptocurrency sanctions

Best practices and common pitfalls

Even with the right tools, teams stumble on a few recurring issues.

• Ignoring layer‑2 activity. Many scammers move funds to Optimism or Arbitrum before jumping back to mainnet. Your scanner must ingest those feeds.
• Relying on a single vendor. If your provider’s parser fails during a feed outage, you lose compliance coverage. Keep a backup XML pull script.
• Hard‑coding address lists. Addresses change; always pull the live feed instead of static CSVs.
• Over‑blocking. Flagging every match without context can freeze legitimate user funds and attract regulator scrutiny. Use risk scores to tier responses.
• Neglecting smart‑contract developers. The May2025 proposal holds developers liable for enabling evasion. Conduct code reviews for any contract that interacts with sanctioned addresses.

Pro tip: Set up a sandbox environment that simulates a real‑time feed. Run test transactions against known sanctioned addresses (e.g., 1NE2NiGhhbkFPSEyNWwj7hKGhGDedBtSrQ) to verify your alerts.

Future outlook

Looking ahead, expect three trends to shape the sanctions landscape:

1. Expansion into privacy‑coin monitoring. OFAC is already drafting guidance for Monero and ZCash tracing.
2. More joint international operations. The FATF‑OFAC joint directive of 2025 predicts synchronized sanctions lists across G7 economies.
3. Liability for DeFi protocol developers. Pending May2025 regulations could make every smart‑contract code audit a compliance requirement.

Staying ahead means treating sanctions as a continuous data‑stream, not a quarterly compliance checklist.