On September 22, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced the resolution of an enforcement action against ShapeShift AG (“ShapeShift”), a now defunct digital asset exchange incorporated in Switzerland but headquartered and operated from Denver, Colorado. ShapeShift agreed to remit $750,000 to settle its potential civil liability for apparent violations of multiple U.S. sanctions programs, including those directed against Cuba, Iran, Sudan, and Syria. Between December 2016 and October 2018, the company facilitated 17,183 digital asset transactions totaling approximately $12.6 million for users located in comprehensively sanctioned jurisdictions. OFAC determined that the conduct, although not egregious in nature, was not voluntarily self-disclosed, and stressed that the company’s defunct status, limited financial resources, and cessation of exchange operations were relevant factors in reaching the settlement amount.

The enforcement release describes the company’s operations during the relevant period in detail. From 2014 until 2021, ShapeShift operated a platform through which users could exchange digital assets directly with the company as counterparty. A user would transfer a selected digital asset to a ShapeShift-controlled wallet, after which the company would remit the requested digital asset from its own inventory, priced at prevailing market rates plus a premium. Transactions were conducted entirely “on chain,” ensuring that they were publicly visible upon completion. At its height, the platform processed as many as 20,000 transactions daily and supported at least 79 different digital assets. Despite its Swiss incorporation, the exchange was directed and managed from Denver, Colorado, where senior leadership resided and U.S.-based engineers developed and maintained the algorithms and systems necessary for the platform’s functioning.

OFAC found that during the period at issue, ShapeShift had no sanctions compliance program in place. The company failed to screen users or transactions for ties to sanctioned jurisdictions, even though it consistently possessed IP address data that provided a clear indicator of user location. This absence of controls led to more than 17,000 transactions involving users in Cuba, Iran, Sudan, and Syria, giving rise to apparent violations of several sanctions regulations. Importantly, ShapeShift did not begin implementing sanctions compliance measures until after receiving an administrative subpoena from OFAC, at which time it adopted customer screening protocols, denied access to IP addresses linked to sanctioned jurisdictions, and began reviewing users against the Specially Designated Nationals and Blocked Persons List.

Under OFAC’s Economic Sanctions Enforcement Guidelines, the base civil monetary penalty for the apparent violations was calculated at $39,515,000. That figure was ultimately reduced to $750,000 in light of both aggravating and mitigating factors. Aggravating considerations included ShapeShift’s failure to adopt even rudimentary internal controls, its reason to know of sanctioned-jurisdiction users based on available IP address information, and the economic benefit conferred to individuals in jurisdictions subject to comprehensive sanctions, which undermined the integrity of multiple U.S. sanctions regimes. Mitigating considerations included the company’s relatively small size at the time of the conduct, its cessation of operations as a now defunct digital asset exchange, the absence of prior OFAC enforcement actions in the preceding five years, its cooperation with the investigation through timely responses and tolling agreements, the limited proportion of total transactions implicated, and the remedial steps it later adopted, such as daily rescreening against updated sanctions lists, the introduction of internal blacklists of malign digital asset addresses, and sanctions-related training.

As with other enforcement actions involving the virtual currency sector, OFAC underscored that firms operating in the digital asset space must adopt risk-based sanctions compliance programs that integrate all available customer and transactional data, including IP address information, into screening processes. The agency emphasized that foreign incorporation does not exempt an entity from U.S. jurisdiction when its headquarters, leadership, and core operations are physically situated within the United States. More broadly, the enforcement action serves as a cautionary reminder that the deferral of compliance program development until after a commercial launch exposes firms to substantial sanctions risk. The ShapeShift matter illustrates the importance of implementing robust sanctions controls from the outset and maintaining vigilance even when faced with the rapid pace and technological complexity of digital asset markets.