444. How will Treasury decide whom to sanction under this authority?
Executive Order (E.O.) 13694, as amended on December 29, 2016, focuses on specific harms caused by significant malicious cyber-enabled activities, and directs the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on those persons he or she determines to be responsible for or complicit in activities leading to such harms. Acting pursuant to delegated authority, Treasury’s Office of Foreign Assets Control (OFAC) works in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in E.O. 13694, as amended, and designate them for sanctions. Persons designated under this authority are added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).
E.O. 13694, as amended, is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government. [12-29-2016]
445. What are my compliance obligations with respect to E.O. 13694, as amended?
As with many of the sanctions programs that Treasury administers, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to E.O. 13694, as amended, or any entity owned by such persons.
As a general matter, U.S. persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on any of OFAC’s sanctions lists or operate in jurisdictions targeted by comprehensive sanctions programs. Such persons, including technology companies, should develop a tailored, risk-based compliance program, which may include sanctions list screening or other appropriate measures. An adequate compliance solution will depend on a variety of factors, including the type of business involved, and there is no single compliance program or solution suitable for every circumstance.
The names of, and identifying information for, all individuals and entities included on OFAC’s sanctions lists may be located via OFAC’s free, online search engine at the following URL: http://sanctionssearch.ofac.treas.gov. In addition, OFAC offers text and PDF versions of these lists for manual review and a number of data file versions of its lists that are designed to facilitate automated screening. Depending on the scale, sophistication, and risk profile of your business, you may consider one of the numerous commercially available screening software packages. [12-29-2016]
447. What will significant malicious “cyber-enabled” activities mean for the purposes of Executive Order (E.O.) 13694?
We anticipate that regulations to be promulgated will define “cyber-enabled” activities to include any act that is primarily accomplished through or facilitated by computers or other electronic devices. For purposes of E.O. 13694, malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain. These activities are often the means through which the specific harms enumerated in the E.O. are achieved, including compromise to critical infrastructure, denial of service attacks, or massive loss of sensitive information, such as trade secrets and personal financial information.
E.O. 13694 is tailored to address cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. As this language indicates, it is intended to counter the most significant cyber threats that we face, whether they target our critical infrastructure, our companies, our citizens, or our economic health or financial stability.
448. I conduct cyber-related activities for legitimate educational, network defense, or research purposes only. Am I vulnerable to the application of sanctions under this authority for these activities?
The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors.
Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events
449. I administer a network for my employer and I regularly deny access to certain services and systems (e.g., retail websites, social media platforms) in order to ensure the performance of the network for authorized business activities. Could I or my employer be sanctioned for this?
The measures in this order are designed to address the threat posed by individuals and entities engaged in significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms. These measures are not designed to prevent or interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage.
450. Will Treasury impose sanctions on persons whose personal computers (or other networked electronic devices) are, without their knowledge or consent, used in malicious cyber-enabled activities (e.g., in denial-of-service attacks against U.S. financial institutions)?
No. These sanctions are designed to target those actors whose malicious cyber-enabled conduct is reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. These measures are not intended to target victims of such activities, including the unwitting owners of compromised computers.
For more information about best practices for securing home networks and engaging in responsible online behavior, visit the Federal Trade Commission’s website at OnGuardOnline.gov.
451. How do financial sanctions relate to existing legal authorities in this context?
The United States’ whole-of-government strategy to combat cyber threats draws from a broad range of tools and authorities to respond to the growing and evolving threat posed by malicious cyber actors. Similar to our approach to global threats from terrorists, narcotics traffickers, and transnational criminal organizations, we will use financial sanctions in the fight against malicious cyber actors as a complement to existing tools, including diplomatic outreach and law enforcement authorities.
452. Are these sanctions consistent with international obligations?
As with all financial sanctions programs Treasury administers, these measures will be implemented in accordance with domestic law and our international obligations.
489. The President has amended E.O. 13694 to cover “misappropriation of information.” What does that term mean? Does that mean that Treasury will impose sanctions related to the publication of information by American whistleblowers or members of the press?
No. This authority does not target American whistleblower activity or constitutionally protected activity. The E.O. defines misappropriation to be the “taking or obtaining by improper means, without permission or consent, or under false pretenses.” Importantly, to be eligible for sanctions under this provision, an individual or entity must not only “misappropriate” information, but it must also do so with the purpose or effect of interfering with or undermining election processes or institutions.
501. What does General License 1C (GL 1C), “Authorizing Certain Transactions with the Federal Security Service,” authorize?
GL 1C authorizes transactions with the Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a. FSB) that are ordinarily incident and necessary to requesting, receiving, utilizing, paying for, or dealing in certain licenses and authorizations for the importation, distribution, or use of certain information technology products in the Russian Federation. It also authorizes transactions ordinarily incident and necessary to compliance with rules and regulations administered by, and certain actions or investigations involving, the Federal Security Service.
This general license does not authorize U.S. persons to engage in transactions with the Federal Security Service, except for the limited purposes described above, nor does it authorize the exportation, reexportation, sale or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of any goods, services, or technology to the so-called “Donetsk People’s Republic” or “Luhansk People’s Republic” (DNR/LNR) regions of Ukraine, or such other regions of Ukraine as may be determined by the Secretary of the Treasury, in consultation with the Secretary of State, pursuant to Executive Order 14065, or to the Crimea region of Ukraine.
Date Updated: April 27, 2023
502. What sanctions remain in place on the Federal Security Service following the issuance of GL 1C?
GL 1C only authorizes certain transactions and activities with the Federal Security Service acting in its administrative and law enforcement capacities. The GL was issued in order to ensure that U.S. persons engaging in certain business activities in Russia that are not otherwise prohibited are not unduly impacted. All other transactions and activities involving any property subject to U.S. jurisdiction or within the possession or control of U.S. persons in which the Federal Security Service has an interest, including all other transactions and activities directly or indirectly with the Federal Security Service, remain prohibited unless exempt or otherwise authorized by OFAC.
Date Updated: April 27, 2023
503. Does GL 1C authorize the exportation of hardware or software directly to the Federal Security Service, or where the Federal Security Service is the end user of such hardware and software?
No. GL 1C does not authorize the export of any goods, technology, or services directly or indirectly to the Federal Security Service or any other blocked person, except for the limited purposes of complying with rules and regulations administered by, and certain actions and investigations involving, the Federal Security Service or requesting certain licenses or authorizations for the importation, distribution, or use of information technology products in the Russian Federation.
Date Updated: April 27, 2023
504. I understand that travel to Russia involves clearing Russian border control, which is part of the FSB. Do I need a license from OFAC to travel to Russia, or to clear Russian customs?
No, the sanctions on the FSB do not apply to transactions by U.S. persons that are ordinarily incident to travel to or from Russia, including those transactions required to enter into or exit the country (i.e., complying with Russian border control requirements).
1076. What is prohibited as a result of OFAC’s designation of Tornado Cash?
On August 8, 2022, OFAC designated the entity Tornado Cash pursuant to Executive Order (E.O.) 13694, as amended, for facilitating the laundering of proceeds of cybercrimes, including those committed by the Lazarus Group, a North Korea state-sponsored hacking group that was sanctioned in 2019. On November 8, 2022, OFAC simultaneously designated Tornado Cash pursuant to E.O. 13722 for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of the Government of North Korea and redesignated Tornado Cash pursuant to E.O. 13694, as amended, for facilitating the laundering of proceeds of cybercrimes, including those committed by the Lazarus Group, and as such the August 8, 2022 designation of Tornado Cash is no longer operative and is wholly replaced. As described in FAQs 561 and 562, OFAC may include as identifiers on the Specially Designated Nationals and Blocked Persons List (SDN List) specific virtual currency wallet addresses associated with blocked persons. As part of the SDN List entry for Tornado Cash, OFAC included as identifiers certain virtual currency wallet addresses associated with Tornado Cash, as well as the URL address for Tornado Cash’s website. The Tornado Cash website has since been deleted from the Internet, but it currently remains available through certain Internet archives.
While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons, interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited. For example, U.S. persons would not be prohibited by U.S. sanctions regulations from copying the open-source code and making it available online for others to view, as well as discussing, teaching about, or including open-source code in written publications, such as textbooks, absent additional facts. Similarly, U.S. persons would not be prohibited by U.S. sanctions regulations from visiting the Internet archives for the Tornado Cash historical website, nor would they be prohibited from visiting the Tornado Cash website if it again becomes active on the Internet.
Updated: November 8, 2022
1077. Can U.S. persons engage in transactions involving identified Tornado Cash virtual currency wallet addresses absent a specific license from OFAC?
No. U.S. persons are prohibited from engaging in transactions involving Tornado Cash, including through the virtual currency wallet addresses that OFAC has identified. If U.S. persons were to initiate or otherwise engage in a transaction with Tornado Cash, including or through one of its wallet addresses, such a transaction would violate U.S. sanctions prohibitions, unless exempt or authorized by OFAC.
1078. Do OFAC reporting obligations apply to “dusting” transactions?
OFAC is aware of reports following the August 8, 2022 designation of Tornado Cash that certain U.S. persons may have received unsolicited and nominal amounts of virtual currency or other virtual assets from Tornado Cash smart contracts, a practice commonly referred to as “dusting.” Technically, OFAC’s regulations would apply to these transactions. To the extent, however, these “dusting” transactions have no other sanctions nexus besides Tornado Cash, OFAC will not prioritize enforcement against the delayed receipt of initial blocking reports and subsequent annual reports of blocked property from such U.S. persons. Persons who received a “dusting” transaction can also apply to OFAC for a specific license.
For guidance related to filing an initial and annual report of blocked property, please see FAQs 49, 50, and 646, respectively, and 31 C.F.R. § 501.603. Please note that the annual filing requirement for 2022 applies only to persons holding blocked property as of June 30 of this year.
Updated: November 8, 2022
1079. I sent virtual currency to Tornado Cash but did not complete the mixing transaction or otherwise withdraw my virtual currency before Tornado Cash’s August 8, 2022 designation. How can I complete the transaction or withdraw my virtual currency without violating U.S. sanctions regulations?
For transactions involving Tornado Cash that were initiated prior to its designation on August 8, 2022 but not completed by the date of designation, U.S. persons or persons conducting transactions within U.S. jurisdiction may request a specific license from OFAC to engage in transactions involving the subject virtual currency. Applicants should be prepared to provide, at a minimum, all relevant information regarding these transactions with Tornado Cash, including the wallet addresses for the remitter and beneficiary, transaction hashes, the date and time of the transaction(s), as well as the amount(s) of virtual currency. OFAC would have a favorable licensing policy towards such applications, provided that the transaction did not involve other sanctionable conduct.
In order to apply for a specific license to complete a transaction or withdraw virtual currency involving Tornado Cash that was deposited prior to its designation, or to engage in other transactions or dealings with Tornado Cash, you are encouraged to file a licensing request by visiting the following link: https://ofac.treasury.gov/ofac-license-application-page.
Updated: November 8, 2022
1095. Who is the Tornado Cash “person” that OFAC designated pursuant to E.O. 13722 (“Blocking Property of the Government of North Korea and the Workers’ Party of Korea, and Prohibiting Certain Transactions with Respect to North Korea”) and Executive Order (E.O.) 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”), as amended?
A “person” subject to designation under E.O. 13722 or E.O. 13694, as amended, includes an individual or an entity, defined as “a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.” Once OFAC has determined that a person is subject to sanctions, OFAC adds that person to the Specially Designated Nationals and Blocked Persons List.
OFAC designated the entity known as Tornado Cash, which is a “partnership, association, joint venture, corporation, group, subgroup, or other organization” that may be designated pursuant to IEEPA. Tornado Cash’s organizational structure consists of: (1) its founders and other associated developers, who together launched the Tornado Cash mixing service, developed new Tornado Cash mixing service features, created the Tornado Cash Decentralized Autonomous Organization (DAO), and actively promoted the platform’s popularity in an attempt to increase its user base; and (2) the Tornado Cash DAO, which is responsible for voting on and implementing new features created by the developers. Tornado Cash uses computer code known as “smart contracts” to implement its governance structure, provide mixing services, offer financial incentives for users, increase its user base, and facilitate the financial gain of its users and developers. OFAC has not designated Tornado Cash’s individual founders, developers, members of the DAO, or users, or other persons involved in supporting Tornado Cash at this time. However, all Tornado Cash property and interests in property are blocked, and U.S. persons cannot transact with Tornado Cash or deal in its property and interests in property, absent authorization from OFAC. See FAQs 1077 and 1078.