News

Bittrex, a cryptocurrency platform headquartered in Washington state, will pay more than $29 million in penalties to the Treasury Department after willfully violating U.S. sanctions and the Bank Secrecy Act over a period of several years, federal officials said Tuesday.

Operating just east of Seattle in Bellevue, Washington, Bittrex hosted digital wallets for clients and offered exchange services for more than 250 cryptocurrencies from February 2014 until at least December 2018, including Bitcoin, Ether, Monero, Zcash and Dash, Treasury’s Financial Crimes Enforcement Network, or FinCEN, explained in a 23-page consent order.

Bittrex on average handled 11,000 deposits and withdrawals a day for an aggregate value of $1.5 million in 2016, the year the company finally installed software to automatically screen transactions for compliance with sanctions administered by Treasury’s Office of Foreign Assets Control, or OFAC.

“One of the challenges was they had thousands of individuals [customers] in sanctioned jurisdictions that were not being screened,” Brian Nelson, Treasury Under Secretary for Terrorism and Financial Intelligence, told attendees of the ACAMS conference in Las Vegas on Tuesday. “If you’re operating on a global scale, it’s important to screen for location information, either through IP addresses or information that is provided by customers and verified.”

Such indicia could include an Iranian passport, or a customer openly operating from Iran or Crimea.

But the software Bittrex acquired in 2016 only monitored for parties targeted by a handful of list-based sanctions programs. Bittrex as a result did not screen any payments or clients for links to Iran, Syria, Cuba and other blacklisted jurisdictions until October 2017, after OFAC subpoenaed the platform for more information on certain transfers.

“Only after OFAC issued Bittrex a subpoena … to investigate potential sanctions violations did Bittrex realize that the vendor was not scrutinizing whether customers were in a sanctioned jurisdiction, and begin restricting accounts and screening IP and other addresses associated with sanctioned locations,” the agency stated in a 5-page enforcement notice Tuesday.

Bittrex’s daily transactional volume by that point had jumped to nearly 24,000 payments for $98 million combined, but the company still waited until the waning months of 2017 to hire a qualified compliance officer and file its first suspicious activity report.

In December 2017, two months after the IRS disclosed plans to assess Bittrex’s compliance with the Bank Secrecy Act, the company also hit pause on any new account openings and took initial steps towards implementing stronger know-your-customer procedures.

“This is OFAC’s largest virtual currency enforcement action to date,” the agency said Tuesday. “It also represents the first parallel enforcement actions by FinCEN and OFAC in this space.”

Too little, too late

Tuesday’s enforcement actions suggest that Bittrex undermined its own compliance overhaul by waiting until September 2018 to install a second round of “widely available software” for screening payments for suspicious activity, and continuing to task only a handful of poorly trained staff with manually reviewing tens of thousands of transactions a day until December 2018.

Those shortcomings and Bittrex’s broader failure to adequately finance its AML program combined to expose the platform to money launderers, terrorist financiers and sanctions evaders, including in jurisdictions targeted by comprehensive U.S. sanctions.

From March 2014 to December 2017, an unspecified number of individuals in those countries and regions opened 1,730 digital wallets with Bittrex and processed more than 116,000 U.S.-prohibited, cryptocurrency-denominated transactions worth $260 million.

Nearly 95,000 of the transactions in question benefited parties in Iran, around 8,000 involved Syria, a little more than 300 traced back to Cuba and nearly 14,000 showed a nexus with Crimea, which the U.S. placed under a near-total financial embargo after Russia invaded and stole the region from Ukraine in 2014.

“Through these accounts, some individuals conducted transactions that were suspicious above and beyond the fact that they involved a comprehensively sanctioned jurisdiction,” FinCEN noted.

The subset of payments which on their face should have appeared suspicious to Bittrex included direct transactions with AlphaBay, Agora, Silk Road and other darknet markets where customers buy and sell illegal products and services like cocaine, child pornography and murder-for-hire.

FinCEN also found that the 250 cryptocurrencies to which Bittrex extended exchange services included Monero, Zcash, Pivx, Dash and other digital protocols with near-impenetrable anonymity-enhancing characteristics that on their own pose a heightened risk of financial crime.

“Monero’s protocol includes features that prevent tracking by using advanced programming to purposefully insert false information into every transaction on its private blockchain,” the bureau explained Tuesday. “The false information is impossible to separate from the valid payment details, effectively concealing sender data and completely hiding all transaction amounts.”

Contact Fred Williams at fwilliams@acams.org