Treasury fines virtual currency exchange Bittrex for failing to catch ransomware payments

The virtual currency exchange based in Washington state failed to catch more than 100,000 transactions from sanctioned regions.
Treasury Department
(Michelle Lee / Flickr)

The Treasury Department announced on Tuesday parallel settlements with Bittrex, a virtual currency exchange based in Washington state, for allegations the company violated U.S. sanctions and anti-money laundering laws.

The agencies brought $24 and $29 million dollar fines respectively, resulting in a total of $29 million in fines after remittance.

An investigation by Treasury’s Office of Foreign Assets Control and Financial Crimes Enforcement Network, or FinCEN, found that Bittrex repeatedly failed to identify thousands of prohibited transactions, including direct transactions with dark web marketplaces such as AlphaBay, Agora and Silk Road. The company also failed to detect and investigate transactions connected to ransomware attacks against individuals and small businesses in the U.S.

“Bittrex failed to implement effective transaction monitoring on its trading platform, relying on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day,” FinCEN said in the consent decree.


Bittrex also allegedly conducted over 116,000 transactions, valued at over $263 million, with individuals and entities in sanctioned jurisdictions including Iran, Cuba, Sudan, Syria and Crimea. OFAC determined that because Bittrex had access to customer IP addresses at onboarding, it had reason to know that the customers were in sanctioned jurisdictions. However, the company didn’t begin screening IPs until 2017.

U.S. officials called the penalties a warning to virtual currency firms that fail to enact effective anti-money laundering and sanctions compliance.

“When virtual currency firms fail to implement effective sanctions compliance controls, including screening customers located in sanctioned jurisdictions, they can become a vehicle for illicit actors that threaten U.S national security,” OFAC Director Andrea Gacki said in a statement. “Virtual currency exchanges operating worldwide should understand both who—and where—their customers are. OFAC will continue to hold accountable firms, in the virtual currency industry and elsewhere, whose failure to implement appropriate controls leads to sanctions violations.”

This isn’t the first time FinCEN brought civil penalties against a U.S. virtual currency entity for failing to report activity related to cybercrime.

In 2020, FinCEN fined the operator of the mixer service “Helix” $60 million for failing to meet federal anti-money laundering standards. It has also taken starker actions, sanctioning exchanges and mixers, most recently Tornado Cash, which was used by North Korean hackers.


In response to a March executive order on virtual currencies by President Biden, Treasury is currently drafting a report on the potential illicit finance and national security risks posed by virtual currencies and is seeking public comment.

“Bittrex is pleased to have fully resolved this matter with OFAC and FinCEN on mutually agreeable terms,” the company said in a statement provided by its lawyer. “The settlement provides full resolution of both OFAC’s inquiry into transactions in sanctioned jurisdictions that occurred predominantly through 2017, and FinCEN’s assertion that Bittrex did not fully implement all of its Anti-Money Laundering Program controls through 2018.”

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts