11 February 2026

OFAC sanctions enforcement in fintech and crypto: Key takeaways from Exodus and ShapeShift

Recent enforcement actions by the Office of Foreign Assets Control (OFAC) underscore that United States sanctions laws and regulations apply to fintech firms, including virtual currency businesses. The actions also show the value of building sanctions controls into products, integrations, and customer support from launch, rather than retrofitting them after a subpoena arrives.

This alert discusses OFAC’s recent enforcement actions involving Exodus Movement, Inc. (Exodus) and ShapeShift AG (ShapeShift) and provides key takeaways for businesses.

Exodus

On December 16, 2025, OFAC announced a USD3.1 million settlement for alleged sanctions violations with Exodus, a US-based, non-custodial, multi-asset software wallet provider. The company’s wallet enabled customers to conduct digital asset transactions on a variety of blockchains through decentralized cryptocurrency exchanges or other third-party exchanges from within the wallet’s user interface. While Exodus did not process digital asset transactions itself, it acted as a front end for third-party services, generating a fee each time a user conducted digital asset transactions within the wallet.

As a US entity, Exodus was required to comply with US sanctions laws. OFAC found that Exodus had apparently violated the Iranian Transactions and Sanctions Regulations (ITSR) on 254 occasions, 12 of which OFAC deemed egregious; none of the apparent violations were voluntarily disclosed.

OFAC’s allegations against Exodus

Between October 17, 2017 and January 4, 2019, Exodus provided support on 254 occasions to users who self-identified during onboarding or in the course of a customer support interaction as being located in Iran, enabling continued wallet use and access to integrated exchanges. OFAC identified the provision of the self-custodied wallets as prohibited exports of services to Iran under ITSR § 560.204.

OFAC emphasized that these exports to Iran occurred even though Exodus operated a non-custodial wallet and relied on third-party exchanges to execute the digital asset exchange transactions. The point is that ancillary services such as customer support, and not only the processing of transactions, can create sanctions exposure.

Key findings: Egregious, willful, and reckless

OFAC deemed 12 of the 254 instances egregious, finding that Exodus’s customer support amounted to prohibited sanctions evasion, attempted evasion, or causing a violation. Specifically, OFAC highlighted that, in those 12 instances, the Exodus support staff:

  • “Repeatedly recommended the use of virtual private networks (VPNs) to circumvent IP-based controls and geo-blocking,” even after users raised sanctions concerns

  • Understood that certain exchange partners prohibited users in Iran but nonetheless advised the use of VPNs, thereby helping users circumvent the geo-blocking controls those partners had put in place to prevent access from sanctioned jurisdictions

OFAC found this conduct willful and egregious, which increased the penalty attributable to those 12 instances.

Further, OFAC noted that Exodus’s Terms of Use prohibited its use in embargoed countries and that personnel were aware that a key exchange partner began blocking Iranian users in 2018. However, according to OFAC, Exodus “continued to provide assistance enabling users in Iran to circumvent those partner controls.” OFAC further faulted Exodus for failing to voluntarily disclose the apparent violations.

Penalty and settlement terms

OFAC calculated a base penalty of USD4,774,400 and accepted a USD3,103,360 settlement, crediting the company’s mitigation and cooperation efforts; the base reflected statutory maximums for 12 egregious violations and scheduled amounts for the remaining 242 non-egregious violations. Additionally, the resolution requires Exodus to:

  • Invest USD630,000 in additional sanctions controls, with expense reporting to OFAC; if any of that spending is disallowed, the corresponding suspended penalty amounts may be reinstated

  • Maintain a sanctions program aligned with OFAC’s 2019 Framework for Compliance Commitments, with annual certifications, cooperation commitments, and breach provisions for five years

OFAC’s message to companies providing digital asset support services is that sanctions obligations extend to customer support practices, user-experience decisions, and technical configurations even where the company does not itself process transactions. OFAC specifically noted that repeated customer-support recommendations to use VPNs to bypass geo-blocking contributed to the violations and formed part of the 12 egregious instances.

ShapeShift

In another enforcement action announced in September 2025, OFAC penalized ShapeShift, a digital asset exchange. ShapeShift agreed to pay USD750,000 to settle its potential civil liability for 17,183 apparent violations of multiple sanctions programs totaling more than USD12.5 million in transactions between December 2016 and October 2018. The violations stemmed from ShapeShift’s failure to implement any sanctions compliance program, which allowed users in Cuba, Iran, Sudan, and Syria to access its platform.

Key findings

  • ShapeShift had no sanctions compliance program and did not screen users, wallet addresses, or transactions. OFAC found that ShapeShift processed thousands of transactions involving persons in sanctioned jurisdictions because it never screened for a nexus to those jurisdictions, despite possessing IP address information that could indicate a user’s location. OFAC noted that ShapeShift implemented a sanctions compliance program only after it received an administrative subpoena from OFAC

  • ShapeShift was required to comply with US sanctions despite being incorporated outside the US. Although ShapeShift was incorporated in Switzerland, OFAC determined that US sanctions applied because its headquarters, senior leadership, and most of the employees who directed, controlled, and coordinated its activities were located in Denver, Colorado, including the engineers who developed the code for the exchange

In reaching the resolution, OFAC identified the following as aggravating factors:

  1. ShapeShift failed to exercise a minimal degree of caution or care regarding sanctions compliance obligations

  2. The company had actual or constructive knowledge of user location in sanctioned jurisdictions, as indicated by Internet Protocol (IP) address data

  3. ShapeShift conferred economic benefits to persons in Cuba, Iran, Sudan, and Syria, undermining multiple OFAC sanctions programs

In contrast, mitigating factors included ShapeShift’s relatively small size at the time of the violations, its subsequent cessation of operations (making further violations unlikely), its highly constrained financial situation, and its cooperation with OFAC’s investigation, including timely responses to information requests and entry into tolling agreements.

OFAC also noted that the apparent violations represented a small percentage of ShapeShift’s total transaction volume. Together, these factors resulted in a penalty significantly below the maximum scheduled amount.

Key takeaways from Exodus and ShapeShift

Fintech and crypto companies – including those that are not Bank Secrecy Act-regulated – are encouraged to carefully consider 1) whether their existing sanctions controls and training adequately address the services provided and 2) the risks identified in the Exodus and ShapeShift enforcement actions.

Companies may consider the following compliance lessons:

  • Providing “customer support” may constitute an export of services to sanctioned jurisdictions, even for non-custodial products and third-party exchanges. Companies are encouraged to treat support touchpoints, routing logic, and technical configurations as a sanctions-relevant compliance stack, as well as ensure appropriate training and controls are in place

  • Companies may also be liable for sanctions violations for “causing” another US person (or entity) to violate sanctions, as may have been the case for Exodus

  • Companies are encouraged to review their service agreements with other ecosystem providers that have personnel, offices, and/or operations in the US. Those agreements often allocate sanctions and anti-money laundering compliance duties and liability, sometimes beyond what US law requires, and the company should confirm it can actually meet what it has agreed to

  • A robust, risk-based sanctions compliance program may help identify and prevent potential sanctions violations. In turn, this may position companies to conduct reviews or investigations before receiving an OFAC subpoena, allowing them to voluntarily self-disclose violations and work cooperatively with OFAC or law enforcement. This could substantially reduce penalty amounts. Neither Exodus nor ShapeShift voluntarily disclosed their violations

A risk-based OFAC compliance program may include:

  • A visible management commitment

  • Tailored risk assessments covering customers, products (including on-chain tools), jurisdictions, and partners

  • Internal controls across product, engineering, and support, such as:

    • IP-based geofencing

    • VPN, proxy, or device intelligence

    • Jurisdiction blocking at both the user interface and integration layers

    • Dynamic screening against Specially Designated Nationals (SDN) list addresses, including at the smart-contract level

    • Blockchain risk analytics

  • Background checks and identity validation for employees, especially remote workers

  • Testing and auditing with documented remediation

  • Role-specific, recurring training, and escalation playbooks

These compliance measures are consistent with OFAC’s virtual currency guidance and its 2019 Framework for Compliance Commitments.
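The controls in the list above are individual signals; what the Exodus and ShapeShift resolutions actually turn on is whether those signals reach the point where value leaves the company’s systems. The Python module below is an added example, not code from Exodus, ShapeShift, OFAC, or the authors. It combines IP geofencing, VPN/proxy intelligence, self-declared location captured at onboarding or by the support desk, and SDN address screening into a single decision that is enforced at the integration layer, immediately before a swap is handed to a third-party exchange, rather than only in the user interface. The geo-IP ranges (RFC 5737 test networks), the VPN exit list, the SDN placeholder addresses, the jurisdiction set, and the `route_swap`/`forward` exchange-client call are all constructed assumptions for illustration.

```python
"""Sanctions gate for a non-custodial wallet front end (added illustration).

Not the code of any company discussed on this page. All lookup tables are
constructed for the example; a real deployment would back them with a geo-IP /
VPN-intelligence provider, a maintained SDN feed, and counsel-approved
jurisdiction lists.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed geo-IP table (network -> ISO 3166 alpha-2), using RFC 5737 test nets.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "IR"),     # TEST-NET-1, standing in for Iran
    (ipaddress.ip_network("198.51.100.0/24"), "US"),  # TEST-NET-2, standing in for the US
]
# Constructed: exits that device / VPN intelligence has flagged as VPN or proxy.
VPN_EXITS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3

# Comprehensively sanctioned jurisdictions named in the two cases. The live list
# must come from counsel and be updated as programs change.
BLOCKED_JURISDICTIONS = {"CU", "IR", "SD", "SY"}

# Constructed placeholders standing in for SDN-listed digital currency addresses,
# stored in normalised form (see normalize_address). These are NOT real entries.
SDN_ADDRESSES = {
    "0x00000000000000000000000000000000deadbeef",   # placeholder EVM address
    "bc1qplaceholdersdnaddress000000000000000000",  # placeholder bech32 address
}

# Self-declared locations captured at onboarding or in support tickets, keyed by
# user id. Exodus's violations came from users who told support they were in
# Iran, so this signal must reach the routing layer, not stay in the ticket.
DECLARED_LOCATION: dict[str, str] = {}


def record_declared_location(user_id: str, country: str) -> None:
    """Called by onboarding and by the support desk whenever a user states a location."""
    DECLARED_LOCATION[user_id] = country.strip().upper()


def geolocate(ip: str) -> str | None:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP_TABLE if addr in net), None)


def is_vpn_exit(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXITS)


def normalize_address(address: str) -> str:
    """EVM addresses are hex and compare case-insensitively (EIP-55 only encodes a
    checksum in letter case); bech32 is lowercase by definition; base58 legacy
    addresses are case-sensitive and are left untouched."""
    a = address.strip()
    return a.lower() if a.lower().startswith("0x") else a


def sdn_hits(addresses) -> list[str]:
    return [a for a in addresses if normalize_address(a) in SDN_ADDRESSES]


@dataclass
class SwapRequest:
    user_id: str
    client_ip: str
    destination: str                      # address the user is swapping to
    counterparties: tuple[str, ...] = ()  # addresses surfaced by chain analytics


@dataclass
class Decision:
    action: str                           # "allow", "review" or "block"
    reasons: list[str] = field(default_factory=list)


def evaluate(req: SwapRequest) -> Decision:
    block, review = [], []
    country = geolocate(req.client_ip)
    if country in BLOCKED_JURISDICTIONS:
        block.append(f"ip_geolocation:{country}")
    declared = DECLARED_LOCATION.get(req.user_id)
    if declared in BLOCKED_JURISDICTIONS:
        # A clean-looking IP never overrides what the user told us: treating the
        # VPN as curing the geo signal is the pattern OFAC called egregious.
        block.append(f"declared_location:{declared}")
    for hit in sdn_hits((req.destination, *req.counterparties)):
        block.append(f"sdn_address:{normalize_address(hit)}")
    if is_vpn_exit(req.client_ip):
        # Hidden origin with nothing else wrong: hold for analyst review rather
        # than silently allowing or blocking.
        review.append("vpn_or_proxy_exit")
    if block:
        return Decision("block", block + review)
    if review:
        return Decision("review", review)
    return Decision("allow")


def route_swap(req: SwapRequest, forward) -> Decision:
    """Integration-layer gate: only a request that passes evaluate() reaches the
    third-party exchange. `forward` is the hypothetical exchange client call."""
    decision = evaluate(req)
    if decision.action == "allow":
        forward(req)
    return decision


if __name__ == "__main__":
    sent = []
    record_declared_location("u1", "ir")  # user told support they are in Iran
    print(route_swap(SwapRequest("u1", "198.51.100.7", "bc1qlegit0"), sent.append))
    print(route_swap(SwapRequest("u2", "203.0.113.9", "bc1qlegit0"), sent.append))
    print(route_swap(SwapRequest("u3", "198.51.100.8", "0x00000000000000000000000000000000DEADBEEF"), sent.append))
    print(route_swap(SwapRequest("u4", "198.51.100.9", "bc1qlegit0"), sent.append), len(sent))
```

Two design choices are worth noting. First, a declared location in a blocked jurisdiction blocks even when the IP resolves somewhere permitted; that is precisely the case where a support agent’s VPN suggestion would otherwise “work”. Second, the gate sits in `route_swap`, the last step before the request leaves for the partner exchange, so a front end that disables a button in the UI but still forwards API calls does not pass.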

Learn more

For more information on US sanctions in the fintech sector and how DLA Piper can advise on risk-based compliance strategies, please contact any of the authors.
