
On September 20, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced a settlement agreement with ShapeShift AG, which was formerly a prominent cryptocurrency exchange. The company agreed to pay $750,000 to settle its potential civil liability stemming from violations related to multiple sanctions programs. Over the course of nearly two years, ShapeShift allowed users located in Cuba, Iran, Sudan, and Syria to exchange approximately $12,570,956 in cryptocurrency. This enforcement action highlights the sanctions risks inherent in cryptocurrency protocols and the need for these services to assess whether to implement risk-based sanctions compliance controls.

Background on ShapeShift

ShapeShift was a prominent cryptocurrency exchange founded by crypto-pioneer Erik Voorhees. ShapeShift operated as both a market maker and as the counterparty for every transaction. While other exchanges simply matched buyers and sellers, ShapeShift instead allowed its customers to trade against the company’s own reserves of 79 different digital assets. Most distinctively, all of these transactions settled on chain and were publicly recorded on the relevant blockchains. The company generated revenue by executing these exchanges at favorable rates, similar to how a foreign exchange currency converter operates. Before ceasing operations in 2021, ShapeShift handled approximately 20,000 transactions per day.

ShapeShift was ultimately incorporated in Switzerland.  However, the company was registered as a foreign corporation in good standing with the Colorado Secretary of State.  The company also maintained its headquarters in Denver, Colorado where much of its senior leadership resided and worked.  The company’s U.S.-based leadership controlled and directed the company, while U.S.-based engineers developed and maintained the code base.  By all accounts, ShapeShift was required to adhere to U.S. sanctions laws and regulations. 

ShapeShift Services Users in Sanctioned Jurisdictions

Despite these obvious U.S. connections, ShapeShift did not maintain any sanctions compliance program. This means that ShapeShift did not screen its users or transactions for sanctions risks, whether by screening individual names against relevant sanctions lists or identifying connections to sanctioned jurisdictions. ShapeShift also failed to incorporate any type of IP blocking software. ShapeShift ultimately acknowledged that it collected IP information, but did not restrict users from sanctioned locations based on this information. ShapeShift also conceded it did not collect or require any other information regarding a party’s location.

Lacking these controls, ShapeShift processed 17,183 prohibited transactions by exchanging digital assets valued at $12,570,956 between December 10, 2016 and October 9, 2018.  These included 39 violations of the Cuban Assets Control Regulations, 16,839 violations of the Iranian Transactions and Sanctions Regulations, 33 violations of the Sudanese Sanctions Regulations, and 272 violations of the Syrian Sanctions Regulations. 

OFAC found the following to be aggravating factors:

  1. ShapeShift failed to maintain even the minimal controls for sanctions compliance.
  2. ShapeShift, by collecting IP addresses, had actual reason to know users accessed the service from sanctioned jurisdictions.
  3. ShapeShift conveyed economic benefit to persons in sanctioned jurisdictions, thereby harming the integrity of multiple OFAC programs.

OFAC found the following to be mitigating factors:

  1. ShapeShift was a relatively small company during the time the violations occurred. Furthermore, the company has ceased operations, making it unlikely to engage in any further violations. Additionally, the company is in a highly constrained financial position.
  2. ShapeShift did not have any other prior violations.
  3. ShapeShift cooperated with the OFAC investigation and timely responded to all requests for information.
  4. The volume of violations amounts to a small percentage of the total volume of transactions conducted on ShapeShift.
  5. ShapeShift undertook a number of remedial measures, including:
    • Requiring mandatory screening of new customers and implementing IP blocking of sanctioned jurisdictions.
    • Requiring screening of all new and current customers against applicable sanctions lists.
    • Daily monitoring of its users against updates to the SDN List.
    • Conducting sanctions training.

Lessons Learned from ShapeShift’s OFAC Enforcement Action

This enforcement action highlights the need for cryptocurrency exchanges, protocols, and services to implement risk-based sanctions compliance controls. While these regulations were designed with traditional financial institutions in mind, they still apply to these new technologies. Below are the key takeaways for sanctions compliance in the burgeoning web3 industry.

  • Risk-Based Compliance is Essential: Digital asset companies must adopt compliance programs tailored to their size, operations, and global reach. A program does not need to be overly complicated, but it must exist. OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry emphasizes integrating sanctions checks from the development stage to avoid exposure.
  • U.S. Jurisdiction Applies Broadly: Even foreign-incorporated entities can be deemed U.S. persons if they have enough U.S. touchpoints. Here, ShapeShift’s Denver headquarters, leadership, core operations, and U.S. staff made it subject to OFAC regulations.
  • Leverage All Available Data: Companies should use IP geolocation, wallet screening, and SDN List checks to prevent prohibited transactions. Delaying compliance until after an issue arises—as ShapeShift did—can lead to hefty fines.
  • Remediation Matters: ShapeShift’s post-subpoena improvements helped mitigate the penalty. Proactive steps can demonstrate good faith. ShapeShift could have further reduced its exposure by identifying these issues earlier and voluntarily disclosing them to OFAC.