OFAC Enforcement Impacts NFTs: As Crypto Enforcement Ramps Up To Combat Ransomware, Robust Compliance Is Key – Technology

The Treasury Department’s Office of Foreign Assets Control
(OFAC) took action last Monday, November 8, 2021, and sanctioned a
Latvia-based exchange, Chatex, its associated support network, and
two ransomware operators for facilitating financial transactions
for ransomware actors. In total, OFAC designated Chatex and 57
cryptocurrency addresses (associated with digital wallets) as
Specially Designated Nationals (SDNs). OFAC took this action
pursuant to Executive Order 13694, issued in 2015, which
provides broad sanctions authority to address the national security
threat posed by malicious cyber-actors outside the United
States.

It is clear that the designations were part of the Biden
Administration’s response to counter ransomware attacks and
criminal actors’ “abuse of the virtual currency ecosystem
to launder ransom payments.” The Treasury Department stated
that it will use “all available authorities to disrupt
malicious cyber actors, block ill-gotten criminal proceeds, and
deter additional actions against the American people”
(see here). The Treasury Department recently updated
its guidance on the risks companies face for playing a part in
ransomware payments (see here).

While the designation of Chatex and the other cryptocurrency
addresses are itself significant, what is interesting is that these
designations appear to be the first time NFTs have been publicly
impacted as “blocked property” – as one of the designated
cryptocurrency addresses owns non-fungible tokens (NFTs). Because
U.S. persons are essentially prohibited from transacting with the
individuals and entities associated with the designated
cryptocurrency addresses, dealing in those NFTs is prohibited for
U.S. persons as well.

Background

We have seen a steady rise of ransomware attacks, including
“supply chain attacks,” which have been targeting and
impacting a range of industries in the United States. OFAC’s
designation of Chatex and other cryptocurrency addresses are
related to its direct ties with SUEX – a cryptocurrency exchange
that laundered money to ransomware attackers (see our post here). According to OFAC, Chatex provided
material support to SUEX, which was the basis for Chatex’s
designation. Apparently, one of the co-founders of SUEX established
Chatex.

According to reports, certain designated crypto addresses
associated with Chatex held 42 NFTs worth approximately $531,600.
The account at issue collected varied NFTs, including “digital
magazine covers, superhero figures, digital land parcels and
relatively little-known digital art collections.” Four of the
42 NFTs were created by the account itself. Aside from NFTs, the
sanctioned wallets also own a range of cryptoassets, including
virtual currency and ERC-20 tokens. The account had a profile on
the NFT platform Opensea, which commented that it blocks addresses on the
sanctions list from buying, selling or transferring items on
OpenSea.

Additionally, OFAC designated two ransomware operators (Yevgeniy
Igorevich Polyanin and Yaroslav Vasinskyi) for their role in the
ransomware attacks on a Miami-based software company, Kaseya,
earlier this year. According to reports, sanctioned addresses associated with
these two individuals have received more than $18 million in
cryptocurrencies.

The recent designations are notable because it represents the
second time that a cryptocurrency exchange has been designated and
the eighth time OFAC has designated cryptocurrency addresses.
Although the designations of SUEX and now Chatex do not directly
impact broader cryptocurrency exchanges, it does show that OFAC has
ramped up its enforcement efforts to combat ransomware payments
that are happening via cryptocurrency – through designations that
may essentially cut them off from the U.S. market. Companies in the
cryptocurrency business should take the designations and OFAC’s
guidance as a warning and ensure that they are screening
transactions appropriately and not facilitating payments to bad
actors.

Key Takeaways

• Increased Enforcement – What is clear
  from these recent designations coupled with the DOJ’s creation
  of a National Cryptocurrency Enforcement Team (NCET) (see here) and OFAC’s advisory on the risks companies face for
  playing a part in ransomware payments, enforcement related to
  malicious cyber activities involving cryptocurrency and digital
  assets will ramp up. In the upcoming months, we expect to see
  additional designations as well as indictments by the DOJ
  (see here).




• Compliance is Key – Last month, OFAC
  published more targeted guidance for digital asset companies
  related to compliance with sanctions and best practices for
  mitigating risks (see our post here). This guidance is helpful because it
  provides important insight into what OFAC expects from
  companies’ compliance programs. At a minimum, it is critical
  for companies to have internal controls in place to screen
  transactions to ensure that no designated cryptocurrency addresses
  or assets owned by those sanctioned parties are involved. If a
  company does identify violations, OFAC considers the existing of a
  robust compliance program as a mitigating factor when assessing
  penalties.




• NFTs  – The existing regulatory landscape
  is not necessarily designed for the rapidly changing digital asset
  environment – it often appears that the law is ten (or 100) steps
  behind technology. There are a number of unique legal
  considerations for NFT owners and creators, including securities
  laws, anti-money laundering and sanctions, IP considerations, and licensing issues, among others. The key
  is to develop a holistic legal and compliance strategy early on, so
  you can integrate it into your business from the onset. We will
  continue to update on emerging regulatory issues impacting NFTs as
  they evolve.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.