OFAC Fines US Crypto Software Firm That Told Iranian Customers to Use VPNs
A U.S. cryptocurrency trading software company this week agreed to pay more than $3 million to resolve allegations that it helped customers in Iran illegally access digital asset exchanges by suggesting they use virtual private networks to hide their location, violating U.S. sanctions.
The company, Exodus Movement, reached a $3,103,360 settlement with the Office of Foreign Assets Control and agreed to devote $630,000 of that fine toward improving its compliance program. OFAC said the company didn’t voluntarily disclose the 254 alleged violations of the Iranian Transactions and Sanctions Regulations, calling 12 of the violations “egregious.”
Exodus disclosed in corporate filings in August that it reached the settlement with OFAC over alleged sanctions breaches involving Iran (see 2508120043). It also said OFAC was reviewing a subpoena response involving transactions related to North Korea, but that the matter was still under review.
Exodus, incorporated in Delaware and headquartered in Nebraska, first began offering digital asset wallet software called Exodus Wallet in 2016, which allowed users to create and store private keys used to send and receive digital assets through third-party exchanges. The company earned revenue through fees each time a customer used its wallet to carry out a transaction.
OFAC said the violations began in 2017, when Exodus customer service employees helped Exodus Wallet users in Iran continue to use third-party exchanges despite U.S. sanctions. Those employees did this by “regularly” recommending those Iranian customers use virtual private networks, or VPNs, to “address technical issues experienced by users in Iran.” The agency said this violated Exodus’ own terms of use, which stated that Exodus Wallet and other related services were blocked from being exported to U.S.-embargoed countries or anyone subject to sanctions.
“However, Exodus did not adequately notify or train its employees regarding these sanctions-related prohibitions in the Terms of Use,” OFAC said, “nor were the Terms of Use accompanied by any other practical mechanism to prevent the use of Exodus Wallet in sanctioned jurisdictions for a significant portion of the relevant time period.”
OFAC pointed to an example in which Exodus Wallet customers used the service to carry out transactions with one third-party digital asset exchange, which it called “Exchange A.” The agency said Exchange A in 2018 began blocking users in Iran from using its platform by screening against their Internet Protocol addresses, meaning Exodus Wallet users in Iran no longer could carry out transactions involving the exchange.
Exodus began receiving questions from its Iranian customers about this, and OFAC said the company “understood” that the restrictions imposed by Exchange A “may be a measure to comply with U.S. sanctions regulations and other applicable U.S. laws.” The agency also noted that Exodus’ CEO said Exchange A was likely blocking such Iranian customers to comply with U.S. sanctions, an “understanding” which “was shared internally between Exodus management and its customer service staff.”
Despite this, Exodus customer service employees continued to explain to Iranian users that they could use VPNs to hide their location and continue using Exchange A, OFAC said. The agency pointed to 12 of those occasions, which it said “demonstrated willful and reckless conduct.”
In one conversation in May 2018, OFAC said an Exodus customer service employee told an Iranian customer that they were facing issues using Exchange A because the exchange was “following USA law/regulations.” The employee said: “I’m terribly sorry to have to relay this news to you, as it came [] as a shock to many of us here at Exodus .... A few of my Iranian customers said that they were able to still use the exchange feature through utilizing a VPN.”
In another instance that same month, an Exodus employee told an Iranian customer that they likely would be able to use Exchange A if they used a VPN. “When you create an exchange with Exodus, it just forwards your current IP address to [Exchange A],” the employee said, according to OFAC. “I expect that [Exchange A] will not be able to detect you are from Iran if you use a VPN to change your IP address.”
OFAC said these Exodus employees were “at least generally aware” of U.S. sanctions laws on 12 of these occasions, and their recommendations to Iranian users led to the “circumvention of the control measures employed by the exchanges to block users located in Iran.”
The agency added that Exodus “failed to employ an effective compliance program to screen such users for sanctioned jurisdictions” from about October 2017 to December 2018, and the company “lacked policies and controls to prevent Exodus staff from providing them with customer support.”
OFAC said it could have imposed a $4,774,400 penalty but settled on a lesser amount because Exodus invested “millions of dollars in enhancing its sanctions compliance program” and took other “remedial actions,” including launching a stand-alone “Export Control and Sanctions Compliance Policy,” hiring more compliance employees, improving its internal compliance policies and procedures, putting in place third-party automated sanctions screening and other wallet address monitoring tools, and mandating sanctions compliance training for all Exodus staff.
Exodus also updated its sanctions compliance representations and warranties in its contracts with third-party exchanges and introduced “technical measures to prevent dealings with sanctioned cryptocurrency addresses,” OFAC said.
The agency also noted that Exodus “provided substantial cooperation” to OFAC over a “yearslong investigation,” including through prompt responses to OFAC questions, cooperating with witness interviews, submitting internal communications, and more. Exodus also hadn’t received a penalty notice in the previous five years, the agency said, and the violations represented a “fraction of a percent of the total number of downloads of the Exodus Wallet and customer support inquiries annually during the relevant time period.”
As part of its settlement agreement with OFAC, Exodus agreed to invest $630,000 in “additional sanctions compliance controls” and submit a “work plan” to OFAC within six months that details an “itemized budget of the sanctions compliance expenditures to be spent within two years.” Exodus also must submit an expense report to OFAC by November 2027 outlining all the “actual expenditures claimed against the” $630,000. If those figures don’t add up to $630,000, OFAC said Exodus will have to pay the difference to the agency within 30 days.
The settlement also said Exodus “recognizes the seriousness of apparent violations of the laws and regulations” and “represents that it has terminated the apparently violative conduct.” Exodus must also maintain a sanctions compliance program for five years that is “designed to minimize the risk of recurrence of similar conduct.”
Exodus also agreed to carry out regular sanctions risk assessments, design and implement written sanctions compliance procedures, carry out testing and audits of its program, “expeditiously identify for OFAC any apparent sanctions violation identified through such audits,” provide sanctions training to employees, and more. Exodus must certify annually for five years that it’s complying with the settlement.
OFAC said the case highlights the importance of new companies incorporating sanctions compliance into their business functions and employee training, noting that Exodus was a relatively new “venture” in the financial technology sector. This is “especially crucial” for companies serving customers around the world, OFAC said.
It said digital asset companies should develop a compliance program “tailored” to their risks, adding that the program will depend on the type of business, its size and sophistication, the products and services offered, its customers and counterparties, and the “geographic locations served.”
OFAC also said the case highlights the importance of upper management committing to a “sound” sanctions compliance program. “By internally acknowledging that a separate company was bound by sanctions regarding the transactions at issue without addressing the applicability of sanctions to Exodus’s business,” the agency said, “management failed to prevent these apparent violations.”
A spokesperson for Exodus didn’t immediately respond to a request for comment.