OFAC’s December 2025 settlement with Exodus Movement, Inc. puts U.S. Web 3.0 infrastructure providers on notice that sanctions compliance controls are mandatory.
On 16 December 2025, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) announced a more than $3.1M settlement with Exodus Movement, Inc. (Exodus), a U.S. publicly-listed (EXOD-NYSE) developer of non-custodial (unhosted) digital asset wallet software, for 254 apparent violations of Iranian sanctions resulting from customer support interactions that helped facilitate Iranian user access to digital asset exchanges via Exodus’ wallet.[1]
Notably, the impetus for the settlement was not direct transactions with blocked Iranian persons, but rather technical and customer support “services” to persons resident in sanctioned jurisdictions. In addition, OFAC deemed 12 violations to be “egregious behavior” on the part of Exodus, whereby its customer support personnel recommended the use of virtual private networks (VPNs) to circumvent platform geoblocking controls at partner exchanges while being generally aware of U.S. sanctions restrictions against Iran. OFAC’s focus on geoblocking circumvention is not new: in the 2023 watershed settlement with Binance Holdings, OFAC criticized Binance for circumventing its own platform controls to capture more users.[2] However, Exodus staff behavior was especially problematic because not only did Exodus fail to develop its own sanctions compliance controls, but its staff actively counseled persons in a sanctioned jurisdiction on mechanisms for evading the geoblocking sanctions controls of other U.S. exchanges.
Moreover, while Exodus maintained a terms of use (ToU) policy that prohibited the use of its technology in comprehensively sanctioned jurisdictions, including Iran, the ToU were not reinforced by platform level controls and Exodus failed to train staff on appropriate protocols for sanctions-related inquiries, resulting in violative customer service advice.
The Exodus action follows OFAC’s ShapeShift AG settlement in September 2025 related to 17,183 apparent violations of multiple sanctions programs involving users in comprehensively sanctioned jurisdictions.[3] The ShapeShift settlement reiterated OFAC’s stance that centralized digital asset exchanges subject to U.S. jurisdiction must implement effective, risk-based sanctions compliance controls.[4] These controls should include geoblocking where IP addresses are available as an indicator of a party’s location, as well as use of analytics tools to identify improbable logins (refer to OFAC’s 2021 “Sanctions Compliance Guidance for the Virtual Currency Industry”[5]). In contrast, the Exodus action is unique in setting a clear precedent that U.S. Web 3.0 firms, including non-custodial wallet providers, front-end developers, and infrastructure companies, are also subject to OFAC sanctions and face enforcement risk if they fail to establish appropriate sanctions compliance programs.
Implications for Web 3.0, Digital Assets, and Technology Firms
What does this mean for so-called Web 3.0 and decentralized finance (DeFi) services, including unhosted wallet providers and decentralized exchanges, and U.S. technology providers more broadly?
- Sanctions obligations apply to all U.S. persons, including those that are non-financially regulated entities: All U.S. persons and entities (including those with U.S. touchpoints as in the case of Binance and ShapeShift) involved in virtual asset activity must comply with U.S. sanctions. This includes establishing an effective, risk-based sanctions compliance program inclusive of an assessment of their sanctions risk exposure, implementing internal controls such as geolocation monitoring and blocking, escalation protocols in the event of potential sanctions exposure detection, appropriate training for staff, and recordkeeping (subject to a 10-year retention period).
- Sanctions restrictions against comprehensively sanctioned jurisdictions will typically[6] apply to all services, not just core transaction processing: Exodus’s business model was such that it did not charge users for downloading its unhosted wallet infrastructure and instead Exodus generated its revenue through fees collected on all transactions involving Exodus Wallet processed through third-party exchange partners. Accordingly, OFAC noted that Exodus did not itself process any digital asset exchange transactions, thereby neatly sidestepping the ongoing DeFi regulatory debate over the role of unhosted wallet providers in facilitation of transaction processing. Instead, OFAC confirmed that regardless of the nature of services provided, and whether they were provided for free or not, Exodus was still subject to U.S. sanctions obligations. OFAC regulations generally prohibit: (i) the sale or supply, directly or indirectly, by a U.S. person or from the United States, of any goods, technology, or services to certain comprehensively sanctioned jurisdictions[7] and (ii) transactions that evade or attempt to evade sanctions. Thus, OFAC found that the provision of customer support services to persons located in Iran was itself a sanctions violation, while counseling customers on circumventing geoblocking controls constituted sanctions evasion. Therefore, firms that may be subject to OFAC sanctions ought to assess whether their provision of services (beyond mere transaction processing), such as technology and customer services, may expose them to sanctions risk and design appropriate controls accordingly.
- Terms of Use and contractual agreements alone won’t shield a firm from enforcement: The Exodus settlement reinforced that ToU and customer agreement language related to sanctions compliance are insufficient. This follows OFAC’s now-established practice that contractual undertakings, generally speaking, are toothless and will not serve as a mitigating circumstance in an enforcement action. In Exodus, OFAC clarified that such contractual terms must be accompanied by a “practical mechanism” to prevent usage in a comprehensively sanctioned jurisdiction, such as geoblocking/IP-monitoring and reinforced through training for all applicable staff and in particular, staff in user-facing/customer support roles.
- While direct knowledge amplifies enforcement risk, sanctions are strict liability: The quantum of the Exodus settlement was driven by what OFAC deemed to be 12 instances of egregious conduct on Exodus’ part, specifically the customer service advice designed to bypass sanctions compliance controls at partner exchanges. Further, OFAC homed in on the fact that Exodus’ records and communications indicated that staff had direct knowledge that they were providing services to users in Iran, which typically heightens the severity of violations. But direct knowledge is not a requirement. Prior OFAC settlements, including 2021’s BitPay[8] and BitGo[9] settlements, previously clarified that a “reason to know” can be inferred where virtual asset companies possess geolocation data, including IP metadata, suggestive of exposure to comprehensively sanctioned jurisdictions. Moreover, an aggravating condition of the Exodus settlement was the fact that Exodus failed to voluntarily self-disclose its violative conduct to OFAC despite having known about this conduct since at least December 2018, when it received advice from external counsel related to its sanctions compliance obligations. Had Exodus filed such a voluntary self-disclosure, it may have mitigated its penalties and reputational risks. While the Exodus settlement demonstrates that knowledge, intent, and subsequent failure to self-disclose all serve as aggravating factors for enforcement, these conditions need not be present. OFAC has always been clear that it may impose “civil penalties for sanctions violations based on a strict liability legal standard,”[10] meaning that “a U.S. person may be held civilly liable for sanctions violations even without having knowledge or reason to know [that it was engaging in violative conduct].”[11] Given this strict liability standard, firms that may be subject to OFAC sanctions ought to assess their risk exposure and the quality of their preventive controls lest they inadvertently run afoul of regulation.
- Be wary of sanctions risks through third-party partners: In addition to the direct enforcement risks faced by Exodus given its failure to establish an effective sanctions compliance program, the settlement highlights the risk that third-party partners, including wallet providers, pose to other U.S. entities, including financially regulated exchanges, banks, and payment processors, if these third parties fail to maintain appropriate sanctions compliance programs and training. Accordingly, the settlement helps to reinforce third-party risk management principles related to performing adequate due diligence on third-party providers for compliance with sanctions requirements and ongoing monitoring of third-party relationships to ensure that partners and vendors do not engage in practices that violate regulations and contractual agreements. Where third parties introduce undue risks, this should prompt a reassessment of the partner relationship. In Exodus’ case, this would have been especially tricky given that Exodus, as a publicly listed U.S. person, is exactly the kind of partner from which a financial institution might reasonably expect compliance with U.S. sanctions obligations, thereby demonstrating the importance of ongoing partner monitoring rather than reliance on a partner’s status alone.
How K2 Integrity Can Help
If you’re a Web 3.0 ecosystem participant or technology company worried about your sanctions risk exposure or if you’re looking to develop a fit-for-purpose, technology-enabled sanctions compliance program that will withstand OFAC scrutiny and evolving regulatory expectations, consider the different services that K2 Integrity can offer:
- Sanctions Compliance Inherent Risk Assessment: Analyze your business model, technologies (e.g., unhosted wallet, user interface/front end, etc.), user geography, and data flows to identify inherent sanctions exposures, including potential for exposure to comprehensively sanctioned jurisdictions and designated wallets/clusters, resulting in an inherent risk profile and mapping of risk-prioritized control enhancements.
- Sanctions Compliance Program Gap Analysis: Benchmark your policies, procedures, governance, and control framework against OFAC’s five pillars and leading industry practices, pinpointing control gaps across geoblocking and high-risk VPN detection, wallet address screening, escalation protocols, and recordkeeping, resulting in an action-oriented remediation plan with clear owners, timelines, and success metrics.
- Sanctions Compliance Program Design and Documentation: Work in close coordination with your team to build a customized sanctions compliance program tailored to your unique risks and control environment, including advising on vendor selection and implementation, system settings, design of policy manuals and standard operating procedures, incident response guides, regulatory reporting, and recordkeeping requirements. Program documentation will be tailored to your business to ensure that the program is operationally effective rather than merely a templated paper program.
- Technical Control Effectiveness Testing and Enhancement: Test the effectiveness of your geoblocking and IP/Tor/VPN detection controls, your wallet address screening controls, and your name screening configurations (where enabled), and review associated system settings and documentation to reduce both evasion risk exposures and false positives.
- Training and Culture of Compliance: Develop and deliver role-based training for executive leadership, customer support, product and engineering, and other teams as applicable, on sanctions compliance risks, obligations, and escalation protocols to support a culture of sanctions compliance and vigilance at your organization.
- Third-Party and Partner Risk Management: Evaluate the effectiveness of your third-party risk management framework in managing sanctions compliance risk and review your applicable third parties and partners for potential sanctions risk exposure, including contractual agreements, service level agreements, geographic footprint, and controls for continuous monitoring.
- Lookbacks and Investigations: Perform a retrospective review of available geolocation data, wallet addresses, and customer/user communications to identify potential sanctions-relevant interactions and facilitation/evasion risks. Where findings are identified, we will perform a root-cause analysis of control failures and recommend corrective actions to ensure alignment with regulatory expectations.
- Support with Voluntary Self-Disclosures and OFAC Engagement: Our team of former OFAC Treasury personnel and industry practitioners can partner with you, or recommend appropriate legal partners, to assess whether VSDs are warranted, prepare submission packages, and conduct analysis of potentially violative conduct. Where inquiries arise, we can support you in managing regulatory responses and remediation narratives to mitigate penalties and reputational risk.
Contact our K2 Integrity sanctions and digital asset experts to learn how we can support your compliance and risk management efforts.
[1] U.S. Treasury, (December 16, 2025), “Exodus Movement, Inc. Settles with OFAC for $3,103,360 for Apparent Violations of Iran-related Sanctions Regulations”, <https://ofac.treasury.gov/media/934831/download?inline>.
[2] U.S. Treasury, (November 21, 2023), “OFAC Settles with Binance Holdings, Ltd. for $968,618,825 Related to Apparent Violations of Multiple Sanctions Programs”, <https://ofac.treasury.gov/media/932351/download?inline>.
[3] U.S. Treasury, (September 22, 2025), “ShapeShift AG Settles with OFAC for $750,000 Related to Apparent Violations of Multiple Sanctions Programs”, <https://ofac.treasury.gov/media/934641/download?inline>.
[4] Ibid.
[5] U.S. Treasury, (October 15, 2021), “Sanctions Compliance Guidance for the Virtual Currency Industry”, <https://ofac.treasury.gov/media/913571/download?inline>.
[6] Note: we say “typically” here because the Berman Amendment under the International Emergency Economic Powers Act (IEEPA) protects the import/export of information and informational materials, such as publications, news, and personal communication, from presidential sanctions to ensure the free flow of ideas even to embargoed nations. However, this amendment is typically very narrowly scoped and does not exempt technology services or the flow of software or technology subject to U.S. export controls. Reliance on this exemption without a robust legal opinion is inadvisable.
[7] See 31 CFR 560.204.
[8] U.S. Treasury, (February 18, 2021), “OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions”, <https://ofac.treasury.gov/media/54341/download?inline>.
[9] U.S. Treasury, (December 30, 2020), “OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions”, <https://ofac.treasury.gov/media/50266/download?inline>.
[10] U.S. Treasury, (October 15, 2021), “Sanctions Compliance Guidance for the Virtual Currency Industry”, <https://ofac.treasury.gov/media/913571/download?inline>.
[11] Ibid.