BitGo

🔴 High Risk

This case of BitGo exposes how a U.S.‑anchored digital‑asset platform, despite its technical capacity to track user locations, deliberately under‑invested in sanctions‑compliance infrastructure, allowing sanctioned‑jurisdiction actors to exploit American‑linked infrastructure for unmonitored crypto flows and thereby eroding the integrity of the U.S. financial‑control regime.

BitGo, a U.S.‑based digital‑asset wallet provider headquartered in Palo Alto, California, faced an enforcement action by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for sanctions‑compliance failures related to its non‑custodial “hot wallet” service. Between approximately March 2015 and December 2019, BitGo processed 183 digital‑currency transactions for users whose IP addresses placed them in comprehensively sanctioned jurisdictions—Crimea (Ukraine region), Cuba, Iran, Sudan, and Syria—despite having access to those IP data for security and login purposes. The company initially allowed account creation with only a name and email address, later adding a self‑reported country field without independently verifying location or implementing IP‑based geo‑blocking or sanctions‑list screening. As a result, BitGo enabled users in blocked jurisdictions to route virtual currency over U.S.‑connected infrastructure, effectively circumventing U.S. sanctions by failing to apply its own technical capabilities for compliance. OFAC characterized the case as non‑egregious, assessed a civil settlement of $98,830 for the 183 “apparent violations,” and required BitGo to adopt a formal OFAC Sanctions Compliance Policy, designate a sanctions‑compliance officer, and implement IP‑address blocking and sanctions‑list screening. The case underscores how weak geolocation and sanctions‑controls on a U.S.‑based crypto‑wallet platform can create systemic vulnerabilities for sanctions‑evasion and potential money‑laundering, even when the underlying transaction values are small.

Countries Involved

United States (BitGo’s jurisdiction of operation), plus Crimea (Ukraine region), Cuba, Iran, Sudan, and Syria (sanctioned jurisdictions where users accessed the service).

BitGo is a U.S.‑formed and U.S.‑regulated entity, governed by U.S. federal export‑controls and sanctions laws, yet its non‑custodial hot‑wallet service allowed users in Crimea, Cuba, Iran, Sudan, and Syria to transact using U.S.‑connected digital‑asset infrastructure. These jurisdictions are all subject to comprehensive U.S. sanctions regimes—meaning that U.S. persons, including technology companies, are generally prohibited from providing financial services or facilitating transactions for or on behalf of persons in these areas, even through digital means. By failing to block IP addresses originating from these regions, BitGo effectively let U.S.‑based technology and infrastructure be used to route digital‑currency transactions around U.S. sanctions, which is a core concern for U.S. enforcement authorities aiming to prevent extraterritorial evasion of U.S. financial‑control rules. The U.S. emphasis here is on protecting the integrity of the U.S. financial‑sanctions system, not on proving that BitGo itself laundered drug‑, terror‑, or corruption‑related funds; instead, the case shows that weak geographic controls on a U.S.‑based wallet platform can undermine U.S. foreign‑policy and national‑security objectives.

Date Discovered / Reported

Apparent violations occurred between approximately March 10, 2015, and December 11, 2019; the OFAC settlement was announced on December 30, 2020.

OFAC’s enforcement release states that BitGo processed the 183 sanctioned‑jurisdiction transactions over a period of roughly five years, beginning in March 2015 and continuing until December 2019. Throughout this time, BitGo logged IP‑address data for security and login purposes but did not use that data to flag or block users in Crimea, Cuba, Iran, Sudan, or Syria, even though such information could have been cross‑checked against OFAC‑defined blocked jurisdictions. The U.S. authorities did not become aware of the pattern via a voluntary self‑disclosure by BitGo, which is a mitigating factor under OFAC’s enforcement guidelines; instead, OFAC discovered the issue through its routine screening and investigation processes, underscoring the proactive posture of U.S. regulators in monitoring novel financial‑technology channels. The December 30, 2020, announcement formalized the settlement, signaling that the U.S. government would treat even “light‑touch” wallet‑management platforms as subject to the same sanctions‑compliance expectations as traditional financial institutions, thereby reinforcing U.S. regulatory reach over digital‑asset activity linked to American companies.

Cryptocurrency Involved

Digital currency / virtual currency (BTC‑type assets implied)

Type of Crime

Sanctions‑evasion / sanctions‑compliance failure (economic sanctions violations under multiple U.S. sanctions programs), not a formal money‑laundering prosecution under the BSA or AML‑related statutes.

The official characterization is that BitGo committed “apparent violations” of multiple OFAC‑administered sanctions programs, including those covering Crimea, Cuba, Iran, Sudan, and Syria, by allowing users in those areas to access and use its digital‑wallet services. These violations fall under economic‑sanctions law, not under traditional money‑laundering statutes such as the Bank Secrecy Act, which would require a finding that BitGo knowingly or recklessly facilitated concealment or integration of criminally derived funds. Nevertheless, the case is highly relevant from a U.S.‑policy perspective because weak sanctions‑control infrastructure on a U.S.‑based crypto platform can create a vector for broader illicit finance, including potential money‑laundering and sanctions‑evasion by third‑party users. OFAC used this case to stress that U.S. persons, including digital‑asset companies, must treat IP‑based geo‑identification and sanctions‑list screening as basic compliance tools, thereby reinforcing the U.S. position that virtual‑asset platforms are not safe havens for evading U.S. financial‑control laws.

Entities Involved

BitGo, Inc. (U.S.‑based digital‑asset security and wallet‑platform company), the U.S. Department of the Treasury / OFAC, and end users in Crimea, Cuba, Iran, Sudan, and Syria.

The primary regulated entity is BitGo, Inc., a U.S.‑registered firm that provides non‑custodial hot‑wallet management and security services for digital‑asset holders, enabling them to send and receive virtual currency via public blockchains. On the enforcement side, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) led the investigation and settlement, representing the U.S. government’s interest in upholding sanctions against comprehensively blocked jurisdictions. The end‑user side includes individuals whose IP addresses were located in Crimea, Cuba, Iran, Sudan, and Syria, who opened BitGo wallets and executed 183 digital‑currency transactions over the five‑year period. This triad—U.S. technology provider, U.S. regulator, and users in sanctioned regions—illustrates how U.S. enforcement extends to U.S.‑situated platforms that indirectly facilitate transactions with sanctioned actors, even if those platforms do not handle the underlying criminal conduct themselves. By naming BitGo in the settlement, OFAC underscored that U.S. persons are responsible for configurative decisions (e.g., IP‑blocking, onboarding, and sanctions‑list screening), not just the immediate criminal origin of the funds.

PEP Involvement

No. There is no public allegation or evidence that Politically Exposed Persons (PEPs) were involved in the BitGo‑OFAC case.

The OFAC settlement release and related legal‑commentary pieces focus exclusively on geographic location (sanctioned jurisdictions) and absence of sanctions‑controls, without mentioning state‑linked officials, PEPs, or corruption‑related actors. The emphasis is on systemic compliance failures—such as missing IP‑blocking and sanctions‑screening—rather than on any specific politically sensitive individuals or entities. This absence of PEP‑related allegations is consistent with the non‑egregious characterization of the case and reinforces that the U.S. enforcement priority here was structural sanctions‑compliance rather than a high‑level corruption‑or‑kleptocracy‑targeted action.

Laundering Techniques Used

Indirect sanctions‑evasion via unhosted wallet infrastructure, weak IP‑based geolocation controls, and self‑reported user‑location data without verification.

BitGo’s technical architecture allowed users in sanctioned jurisdictions to open non‑custodial hot wallets and send digital currency over public blockchains, effectively using BitGo’s U.S.‑based platform as a front‑end interface for cross‑border crypto‑flows that would otherwise be blocked by traditional financial channels. The platform initially accepted only name and email for account creation and later added a self‑reported country field, but BitGo did not independently verify that information or use IP‑address geolocation data—which it already collected for security purposes—to block access from Crimea, Cuba, Iran, Sudan, and Syria. This created a latent laundry‑channel configuration: users in sanctioned areas could route small‑value transactions through BitGo‑managed wallets, leveraging the anonymity‑enhancing properties of public blockchains to obscure the ultimate source and destination of funds, while BitGo’s weak controls failed to raise red flags. From a U.S.‑enforcement perspective, this pattern illustrates how even modestly sized wallet‑platforms must treat IP‑based geo‑controls and sanctions‑list screening as core AML‑adjacent safeguards, because otherwise they can become passive conduits for sanctions‑evasion and potential money‑laundering.

Estimated Value Laundered

Approximately $9,127.79 across 183 transactions from users in sanctioned jurisdictions; OFAC did not allege a higher underlying criminal‑proceeds value or systemic laundering operation.

The settlement documents state that the 183 apparent violations involved transactions totaling about $9,127.79, which is far below the maximum potential penalty OFAC could have imposed. This low aggregate value reflects the fact that OFAC treated the case as non‑egregious, focusing on the presence of controls (or lack thereof) rather than the size of the illicit flows. There is no public indication that BitGo’s customers were moving large volumes of narcotics‑, terrorism‑, or corruption‑derived funds through this channel, nor that BitGo itself was aware of or profited from specific criminal activity. Instead, the case is framed as a compliance‑failure test case, where the U.S. government used even a small‑dollar sanctions‑evasion pattern to demonstrate its willingness to enforce sanctions obligations against U.S.‑based digital‑asset platforms that enable access from blocked jurisdictions.

Transaction Analysis Summary

183 digital‑currency transactions from IP addresses in Crimea, Cuba, Iran, Sudan, and Syria, routed through BitGo’s non‑custodial hot‑wallet service, with no effective sanctions‑screening or IP‑blocking controls.

OFAC’s analysis shows that BitGo processed 183 discrete transactions for users whose IP addresses originated in the five sanctioned regions, each transaction simply moving virtual currency from a BitGo‑managed wallet to another wallet on‑chain. BitGo had reason to know those users were in blocked jurisdictions because it actively logged IP data for security and login monitoring, but it did not integrate that data into any sanctions‑risk workflow, such as automated blocking or manual review. Over the five‑year period, the platform’s onboarding and account‑management practices remained lightweight and user‑attestation‑driven, without meaningful verification of user location or sanctions‑list checks, which OFAC viewed as a failure to exercise due care commensurate with a U.S.‑regulated financial‑technology provider. From a U.S.‑enforcement standpoint, the transaction pattern is less about the criminal content of the funds and more about the systemic absence of controls that could have alerted BitGo or U.S. authorities to potential sanctions‑evasion and money‑laundering risks.

Regulatory/Enforcement Actions Taken

OFAC settlement of $98,830, requiring BitGo to implement an OFAC Sanctions Compliance Policy, IP‑blocking for sanctioned jurisdictions, and sanctions‑list screening; no criminal prosecution or AML‑specific enforcement.

OFAC concluded that BitGo’s violations were non‑egregious and accepted a $98,830 civil settlement, far below the maximum potential penalty of about $183,000 under OFAC’s guidelines. The settlement required BitGo to strengthen its internal controls, including designating an OFAC sanctions‑compliance officer, adopting a formal OFAC Sanctions Compliance Policy, and implementing IP‑address blocking for users in Crimea, Cuba, Iran, Sudan, and Syria, as well as screening against OFAC’s Specially Designated Nationals (SDN) list. The U.S. enforcement outcome is pro‑US in that it reinforces jurisdictional reach over U.S.‑based digital‑asset platforms, demonstrates willingness to penalize even small‑scale sanctions‑evasion patterns, and sets a precedent that **IP‑based geolocation

Links to Reports / Sources

Case Title / Operation Name:

BitGo

Country(s) Involved:

Cuba, Iran, Sudan, Syria, United States

Platform / Exchange Used:

BitGo (non‑custodial “hot wallet” service)

Cryptocurrency Involved:

Digital currency / virtual currency (BTC‑type assets implied)

Volume Laundered (USD est.):

Approximately $9,127.79 across 183 transactions (sanctions‑evasion pattern, not formal laundering)

Wallet Addresses / TxIDs :

N/A

Method of Laundering:

Indirect sanctions‑evasion via unhosted‑wallet infrastructure, weak IP‑based geolocation controls, and absence of sanctions‑list screening; enabled users in sanctioned jurisdictions to route crypto over U.S.‑linked infrastructure without effective monitoring.

Source of Funds:

N/A

Associated Shell Companies:

N/A

PEPs or Individuals Involved:

N/A

Law Enforcement / Regulatory Action:

U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) imposed a $98,830 civil settlement for 183 “apparent” sanctions violations; required BitGo to implement an OFAC Sanctions Compliance Policy, IP‑address blocking for sanctioned jurisdictions, and sanctions‑list screening.

Year of Occurrence:

2020 (violations discovered and settlement announced in December 2020; activity spanned 2015–2019)

Ongoing Case:

Closed

AML Network Risk Rating:

🔴 High Risk