OFAC Settlement with Blockchain Wallet Provider Spotlights Sanctions Risks for Digital Assets Intermediaries

Key Points
- A U.S. provider of blockchain-based wallet software agreed to pay over $3.1 million to settle 254 apparent violations of U.S. sanctions on Iran.
- The apparent violations resulted from technical and customer support services provided by company employees, some of whom recommended that customers use VPNs to disguise their locations from third parties, including a crypto exchange.
- “Terms of Use” designed to promote sanctions compliance proved insufficient, as OFAC faulted a lack of training and practical mechanisms to prevent violations.
- In the digital assets space in particular, the case counsels for conspicuous commitment to sanctions compliance and tailored, risk-based sanctions programs that, where possible, include customer screening based on available location information.
Background
On December 16, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced an agreement with Exodus Movement, Inc. (Exodus), a provider of digital asset wallets headquartered in Omaha, Nebraska, to settle the company’s potential civil liability for apparent violations of U.S. sanctions laws.
Exodus is a provider of free digital asset wallet software called Exodus Wallet. According to the settlement, between October 17, 2017 and January 4, 2019, Exodus provided technical and customer support services on 254 occasions to users of its Exodus Wallet who identified themselves as located in Iran, in violation of § 560.204 of the Iranian Transactions and Sanctions Regulations (ITSR). These services generally enabled Iranian users to continue using the Exodus Wallet or services provided by Exodus’s exchange partners, notwithstanding the users’ location in a sanctioned jurisdiction.
With respect to 12 of the 254 apparent violations, OFAC deemed Exodus’s conduct “egregious” (i.e., subject to heightened penalties), as Exodus staff appeared to willfully violate applicable U.S. sanctions in violation of § 560.203 of the ITSR. Notably, in April 2018, one of Exodus’s partner exchanges implemented service changes to comply with U.S. regulations, including blocking users from Iran based on Internet Protocol (IP) information. This led to a surge in Exodus customer service requests from Iranian users who could no longer conduct transactions through the partner exchange using Exodus Wallet.
In internal communications cited in the OFAC enforcement release, Exodus management and customer support staff acknowledged that the exchange’s actions were likely driven by the need to comply with U.S. sanctions. Nevertheless, Exodus continued to provide support to users in Iran, including on 12 occasions explicitly recommending that customers known to be located in Iran use virtual private networks (VPNs) to obscure their locations and circumvent the exchange’s controls. In addition, on several occasions, Exodus apparently provided support to self-identified Iranian customers who had explicitly questioned whether U.S. sanctions could impact their use of the wallet.
Exodus’s Terms of Use during this period prohibited users located in embargoed countries, including Iran, from accessing Exodus Wallet and related services. However, OFAC faulted Exodus for failing to provide adequate notice and training to employees regarding these prohibitions and for failing to implement other practical mechanisms to prevent access by users in sanctioned jurisdictions.
Exodus agreed to pay $3,103,360 to settle its potential liability for the 254 apparent violations of U.S. sanctions on Iran. However, given Exodus’s “extensive” remedial efforts and in view of the “individual facts” of the case, “as partial satisfaction of the settlement amount[,] Exodus [agreed] to invest $630,000 in additional sanctions compliance controls.” This commitment requires Exodus to provide a “work plan to OFAC including an itemized budget of the sanctions compliance expenditures to be spent within two years” of the Settlement Agreement’s execution date.
Compliance Considerations and Key Takeaways
The Exodus settlement provides important guidance for technology and fintech companies operating in the digital assets space. Key compliance considerations include:
- Risk-based sanctions compliance. OFAC emphasized that companies should develop customized, risk-based sanctions compliance programs. For the digital assets industry, OFAC noted that an adequate compliance solution will depend on several factors, including the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served.
- Components of an adequate compliance program. Although the details of a compliance program should be driven by a risk-based assessment, OFAC noted that, in general, there are five essential components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. OFAC elaborates on these five components in two publications: “A Framework for OFAC Compliance Commitments” and “Sanctions Compliance Guidance for the Virtual Currency Industry.”
- Importance of management commitment. Commitment of senior management is critical to a successful compliance program. OFAC emphasized that Exodus senior management failed to prevent sanctions violations, notwithstanding their awareness that Exodus’s partner exchanges were bound by sanctions in relation to the same transactions at issue.
- Use of geolocation and related controls. Where a company provides financial services to a global customer base, OFAC emphasized that the company should screen location data, including IP address or self-identifying information.
The Exodus settlement is the latest in a series of OFAC enforcement actions targeting the digital assets space. It is a reminder that, in addition to the core securities- and commodities-related regulations administered by the SEC and CFTC, respectively, OFAC maintains broad jurisdiction over the conduct of U.S. persons engaged in direct and indirect transactions with comprehensively sanctioned jurisdictions, including the provision of services to them. Digital asset companies should take a risk-based approach to ensure that they do not engage in conduct not authorized by OFAC sanctions.





