Key Highlights from FinCEN’s Russia Sanctions Evasion Alert
Merkle Science
Before the ongoing Russo-Ukrainian conflict reignited in late February, the U.S. and several other jurisdictions had already imposed sanctions and economic pressure on Russia. More recently, after Russian troops positioned in Belarus launched an invasion of Ukraine, the U.S. Department of the Treasury stepped up its sanctions against Russia and imposed additional sanctions on Belarusian financial institutions and the defense sector.
Mindful that sanctioned individuals and entities may attempt to evade sanctions through crypto and other means, the Financial Crimes Enforcement Network (FinCEN) issued an alert on March 7, 2022, urging financial institutions (FIs) to remain vigilant against potential efforts to evade the expansive sanctions and other restrictions the U.S. has imposed. The alert provides examples of behavioral “red flags” to assist FIs in identifying suspected sanctions evasion and reminds them of their reporting obligations under the Bank Secrecy Act.
In addition to using crypto to evade sanctions, Russia may also make use of currently unsanctioned Russian and Belarusian banks or other FIs that retain at least some access to the international financial system. FinCEN noted that while large-scale sanctions evasion using crypto by the Russian government is not necessarily practicable, sanctioned persons, illicit actors, and their related networks or facilitators may attempt to use crypto and anonymizing tools to evade U.S. sanctions and protect their assets around the globe. FinCEN has therefore asked FIs and money services businesses (MSBs), including crypto businesses such as exchanges, to identify and quickly report suspicious activity associated with potential sanctions evasion, and to conduct appropriate risk-based customer due diligence or, where required, enhanced due diligence.
Acting director of the U.S. Department of Treasury, Him Das, explained that “although we have not seen widespread evasion of our sanctions using methods such as cryptocurrency, prompt reporting of suspicious activity contributes to our national security and our efforts to support Ukraine and its people.”
Red flag indicators related to virtual currencies
Red Flag: Transactions initiated from or sent from non-trusted IP addresses, or from IP addresses previously flagged as originating within Russia or Belarus, FATF-identified jurisdictions with AML/CFT/CP deficiencies (such as the greylisted jurisdictions), or comprehensively sanctioned jurisdictions, must be flagged as suspicious.
FIs can use geolocation tools to identify IP addresses located in sanctioned jurisdictions, which helps them prevent persons in those jurisdictions from accessing their platform and services. FIs should also make use of analytic tools that can recognize IP misattribution by identifying customers who may be masking their true location behind a different IP address, for example through VPN services.
Red Flag: Addresses included on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) should also be flagged.
In 2018, OFAC began adding certain known cryptocurrency addresses to the SDN List. These addresses can be searched using the ID # field in OFAC’s Sanctions List Search tool. Further, unlisted crypto addresses that are associated with addresses on the SDN List should also be categorized as high risk. OFAC also advises MSBs to consider conducting a historic lookback of transactional activity after OFAC lists a crypto address on the SDN List, to identify connections to the listed address.
Entities based in high-risk jurisdictions, such as sanctioned jurisdictions, are categorized in Merkle Science’s transaction monitoring tool — Compass — as “Entity from Sanctioned Country.” Merkle Science also provides sanctions screening for wallet addresses tagged against sanctioned entities. Starting from the sanctioned addresses, we run clustering algorithms to identify further addresses that — with a high degree of confidence — may belong to the sanctioned entities. Our behavioral rule engine also takes into consideration the OFAC guidance, which provides specific examples of red flag behaviors that indicate an entity’s sanctions nexus.
Merkle Science’s multi-hop feature equips compliance officers to investigate both direct and indirect risks, such as those originating from associated addresses. Addresses interacting either directly or indirectly with sanctioned addresses are therefore flagged as high-risk alerts. Compass can monitor the transactional history of all the wallet addresses associated with a user.
Red Flag: Transactions made by a customer through a foreign-located MSB, including crypto exchanges, in high-risk jurisdictions with AML/CFT/CP deficiencies should also be flagged.
Jurisdictions with inadequate due diligence and compliance requirements, especially those with weak AML/KYC/CFT frameworks, are considered high-risk jurisdictions. Further, jurisdictions that have been sanctioned or added to the FATF’s greylist or blacklist are also considered high-risk. Merkle Science identifies such entities under the type “High-Risk Jurisdictions” and the subtypes “FATF Blacklist” and “FATF Greylist”.
Red flag indicators related to ransomware and other cybercrimes
FinCEN reminded FIs and MSBs about the threat posed by Russia-related ransomware campaigns and encouraged them to refer to previous FinCEN and OFAC publications and other relevant resources on Russian and other ransomware activity. This follows previous efforts by sanctioned countries such as North Korea and Russia to launch ransomware attacks in order to mitigate the impact of Western sanctions. For example, in November 2021, the U.S. Department of the Treasury sanctioned the Russian crypto exchange Chatex and also designated Yevgeniy Polyanin for his part in perpetuating Sodinokibi/REvil ransomware incidents against the U.S. Similarly, in September 2021, the U.S. Department of the Treasury sanctioned the Russia-based virtual currency exchange SUEX OTC for facilitating transactions involving illicit proceeds from at least eight ransomware variants.
Red Flag: A customer receives virtual currency from an external wallet and immediately initiates multiple, rapid trades amongst multiple cryptocurrencies without any apparent reason, followed by a transaction off the platform. This may indicate an attempt to break the chain of custody.
In this case, customers may use transit addresses or one-time addresses to evade sanctions. Transit addresses are addresses that receive funds and then withdraw at least 50% of the deposited amount within a specified time window — usually a few hours.
Customers may also use the peel chain method to obfuscate illicit funds in connection with this red flag. In the peel chain pattern, illicit proceeds are broken down and passed through a chain of multiple crypto wallets, concealing the trail of funds. For example, a large amount of Ether (ETH) sitting at one address is sent out through a series of transactions in which a slightly smaller amount of ETH is transferred to a new address each time.
Merkle Science’s behavioral rule engine checks whether an address has been transacting more frequently than average during a specified window of time, i.e., multiple transactions have been made from the address in short intervals. Each subsequent transaction is then monitored for outgoing fund analysis; for instance, the customer may send the smaller amounts of ETH to the Russian darknet marketplace Hydra using a peel chain pattern.
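As an added illustration of the two patterns just described (this is example code written for this article, not Merkle Science's or Compass's own logic), the following Python detector runs over a constructed ledger of ETH transfers: it flags transit addresses using the 50%-within-a-few-hours definition above, and follows a peel chain hop by hop, requiring each hop to move a slightly smaller amount to a previously unseen address. The ledger, the 3-hour window, the 70% "slightly smaller" floor and the 3-hop minimum are all assumed parameters.

```python
from collections import defaultdict, namedtuple

Tx = namedtuple("Tx", "ts src dst amount")  # ts: unix seconds, amount: ETH

# Constructed sample ledger: ext_A deposits 100 ETH into H, which peels it down
# through fresh addresses P1..P4 ten minutes apart; X and Y are unrelated noise.
LEDGER = [
    Tx(0,     "ext_A", "H",  100.0),
    Tx(600,   "H",     "P1", 95.0),
    Tx(1200,  "P1",    "P2", 90.0),
    Tx(1800,  "P2",    "P3", 85.0),
    Tx(2400,  "P3",    "P4", 80.0),
    Tx(0,     "ext_B", "X",  10.0),
    Tx(86400, "X",     "Y",  1.0),
]

def transit_addresses(ledger, window=3 * 3600, ratio=0.5):
    """Addresses that forwarded at least `ratio` of what they received within
    `window` seconds of their first deposit (the article's 'few hours')."""
    ins, outs = defaultdict(list), defaultdict(list)
    for t in ledger:
        ins[t.dst].append(t)
        outs[t.src].append(t)
    flagged = set()
    for addr, deposits in ins.items():
        start = min(t.ts for t in deposits)
        received = sum(t.amount for t in deposits)
        forwarded = sum(t.amount for t in outs[addr] if start <= t.ts <= start + window)
        if received > 0 and forwarded >= ratio * received:
            flagged.add(addr)
    return flagged

def peel_chain(ledger, start, min_keep=0.7, min_hops=3):
    """Follow the largest outflow hop by hop while each hop moves a slightly
    smaller amount (>= `min_keep` of what the address received) to an address
    with no earlier history. Returns the chain, or [] if shorter than `min_hops`."""
    inflow, first_seen = defaultdict(float), {}
    for t in sorted(ledger, key=lambda t: t.ts):
        inflow[t.dst] += t.amount
        first_seen.setdefault(t.src, t.ts)
        first_seen.setdefault(t.dst, t.ts)
    chain, cur = [start], start
    while outs := [t for t in ledger if t.src == cur]:
        hop = max(outs, key=lambda t: t.amount)
        fresh = first_seen[hop.dst] == hop.ts            # destination is brand new
        smaller = inflow[cur] * min_keep <= hop.amount < inflow[cur]
        if not (fresh and smaller):
            break
        chain.append(cur := hop.dst)
    return chain if len(chain) - 1 >= min_hops else []
```

On the sample ledger, H and the intermediate peel addresses are flagged as transit addresses, while X (which sits on its deposit for a day) is not.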
Red Flag: When a customer initiates a transaction using coin mixing services
Coin mixing services mix different streams of potentially traceable crypto funds, concealing the trail leading back to the funds’ original source. Funds are pooled with other users’ holdings, scrambled, and redistributed on the other end, thereby breaking the link between users’ transaction logs and their identities. Merkle Science attributes addresses associated with coin mixers — such as Wasabi and Samourai — and alerts our users should they have direct or indirect exposure to funds from these entities.
Red Flag: A customer has either direct or indirect receiving transaction exposure identified by blockchain tracing software as related to ransomware.
Compass can identify the proceeds of ransomware payments by flagging transaction patterns and behaviors. Should an address receive payments of similar amounts from many different counterparties, the address is immediately flagged and escalated to compliance teams. Further, any rule created can be combined with other rules — such as range-bound transactions — to identify whether the address is receiving many payments of similar size, which may indicate a scam. Ultimately, putting more conditions into a rule makes it harder for an attacker to satisfy all of them, thereby reducing the chance of them engaging in criminal activity.
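To make the rule combination concrete, here is an added Python example (written for this article; it is not Compass's rule engine) that evaluates two rules over an address's recent inflows, "many distinct counterparties" and "range-bound amounts", and raises the combined alert only when both fire. The constructed ledger, the 10-sender threshold, the 10% tolerance around the median and the 7-day window are all assumed values.

```python
from collections import namedtuple
from statistics import median

Tx = namedtuple("Tx", "ts src dst amount")  # ts: unix seconds, amount: BTC
DAY = 86400

# Constructed sample inflows: address R collects 12 near-identical payments
# (about 0.05 BTC each) from 12 distinct senders inside a week, while S receives
# 12 payments of widely varying size from the same senders.
LEDGER = (
    [Tx(i * DAY // 2, f"v{i:02d}", "R", 0.05 + (i % 3 - 1) * 0.001) for i in range(12)]
    + [Tx(i * DAY // 2, f"v{i:02d}", "S", 0.01 * (i + 1)) for i in range(12)]
)

def many_counterparties(inflows, min_senders=10):
    """Fires when the inflows come from at least `min_senders` distinct sources."""
    return len({t.src for t in inflows}) >= min_senders

def range_bound(inflows, tolerance=0.10):
    """Fires when every inflow lies within +/- `tolerance` of the median amount."""
    if not inflows:
        return False
    mid = median(t.amount for t in inflows)
    return all(abs(t.amount - mid) <= tolerance * mid for t in inflows)

RULES = {"many_counterparties": many_counterparties, "range_bound": range_bound}

def evaluate(ledger, addr, window=7 * DAY, rules=RULES):
    """Run every rule over the inflows to `addr` in the most recent `window`
    seconds; the combined alert fires only when all rules agree."""
    inflows = [t for t in ledger if t.dst == addr]
    if not inflows:
        return {"fired": {name: False for name in rules}, "alert": False}
    latest = max(t.ts for t in inflows)
    recent = [t for t in inflows if t.ts >= latest - window]
    fired = {name: rule(recent) for name, rule in rules.items()}
    return {"fired": fired, "alert": all(fired.values())}
```

For R both rules fire and the alert is raised; for S the counterparty rule fires alone, so the combined rule stays quiet.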