OFAC Fines Crypto Wallet Provider Exodus $3.1 Million Over Iran Sanctions Violations
Key Takeaways
- Sanctions Apply Beyond Transactions: OFAC treated customer support and technical assistance as prohibited services when provided to users in Iran.
- VPN Guidance Triggered Egregious Findings: Recommending VPNs to help users bypass sanctions-related controls significantly increased enforcement exposure.
- Terms of Use Are Not Enough: Written prohibitions without employee training or technical enforcement failed to mitigate sanctions risk.
- Compliance Programs Matter Early: OFAC highlighted the risks for fintech and crypto startups that delay building sanctions compliance into core operations.
- Remediation Can Reduce Penalties: Extensive cooperation and investment in compliance controls materially reduced the final settlement amount.
Deep Dive
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has reached a $3.1 million settlement with Exodus Movement, Inc., concluding a multi-year investigation into the crypto wallet provider’s dealings with users in Iran in violation of U.S. sanctions.
OFAC announced that Exodus agreed to pay $3,103,360 to resolve its potential civil liability for 254 apparent violations of Iran-related sanctions between October 2017 and January 2019. According to the agency, Exodus provided customer support services to users who identified themselves as being located in Iran, including assistance that helped those users access third-party digital asset exchanges through Exodus’s wallet software.
While Exodus does not custody digital assets or directly execute exchange transactions, OFAC said the company’s customer support activity amounted to providing prohibited services to individuals in a comprehensively sanctioned jurisdiction.
Customer Support Became a Sanctions Risk
Exodus, a Delaware-incorporated fintech company headquartered in Omaha, Nebraska, launched its Exodus Wallet product in 2016. The software allows users to generate and store private keys and connect to third-party exchanges for digital asset transactions. During the period under review, Exodus earned revenue by collecting fees when users completed transactions through those exchange partners.
OFAC’s investigation focused not on the wallet technology itself, but on how Exodus’s customer service unit interacted with users in Iran. Over a roughly 15-month period, Exodus staff provided technical support to Iranian users on 254 occasions, despite the company’s own Terms of Use explicitly prohibiting access from embargoed countries.
In several instances, users directly asked whether U.S. sanctions affected their ability to use the wallet. OFAC found that Exodus employees continued to assist those users, enabling them to access exchange services through Exodus’s platform even when sanctions-related restrictions were clearly understood internally.
VPN Guidance Crossed a Line
The most serious conduct cited by OFAC involved 12 interactions deemed egregious. In those cases, Exodus customer service staff acknowledged that U.S. sanctions or U.S. law prevented Iranian users from accessing certain exchange partners, yet still recommended using virtual private networks to obscure their location.
OFAC highlighted multiple examples from 2018 in which Exodus staff explained that exchange partners were blocking Iranian users to comply with U.S. regulations, then suggested VPN use as a workaround. Routing traffic through a VPN endpoint outside Iran made users' connections appear to originate from a non-sanctioned country, defeating the IP-geolocation checks the exchanges relied on as compliance controls.
By that point, OFAC noted, Exodus management and staff were aware that at least one exchange partner had implemented IP-based blocking specifically to comply with U.S. sanctions. Internal communications, including statements from the company’s CEO, reflected that understanding. Despite this, customer support continued to provide guidance that undermined those controls.
OFAC concluded that these 12 incidents reflected willful or reckless conduct designed to evade sanctions, while the remaining violations reflected broader compliance failures.
Compliance Gaps and Penalty Calculation
According to OFAC, Exodus lacked an effective sanctions compliance program during the relevant period. While its Terms of Use barred access from embargoed jurisdictions, the company failed to adequately train employees on sanctions obligations or implement technical or procedural controls to prevent prohibited access.
Under OFAC’s Economic Sanctions Enforcement Guidelines, the agency calculated a base penalty of $4.77 million. That figure included statutory maximum penalties for the 12 egregious violations and scheduled penalties for the remaining 242 non-egregious violations.
The final settlement amount of $3.1 million reflects mitigating factors, including Exodus’s cooperation with OFAC over a years-long investigation and extensive remedial measures. OFAC said Exodus invested millions of dollars to strengthen its compliance program, hired additional compliance staff, implemented automated sanctions screening tools, enhanced employee training, and added technical measures to block dealings with sanctioned cryptocurrency addresses.
As part of the settlement, Exodus also agreed to invest an additional $630,000 in sanctions compliance controls.
A Broader Signal to the Digital Asset Industry
OFAC framed the enforcement action as a reminder that digital asset companies are subject to the same sanctions obligations as traditional financial services providers. The agency emphasized that providing access to financial services, even indirectly through software or customer support, can trigger sanctions exposure when services reach sanctioned jurisdictions.
The case also underscores OFAC’s expectation that compliance be embedded across business functions, including customer service, rather than treated as a legal formality buried in terms and conditions. OFAC cited the absence of management commitment, employee training, and practical controls as the critical failures in this case.
OFAC reiterated its guidance that there is no one-size-fits-all sanctions compliance program, but that companies operating globally should adopt a tailored, risk-based approach grounded in management commitment, risk assessment, internal controls, testing, and training.
Published by the GRC Report, a governance, risk, and compliance news outlet.