OFSI’s Cryptoassets Threat Assessment, July 2025: key risks and compliance gaps

In its July 2025 Cryptoassets Threat Assessment, the UK’s Office of Financial Sanctions Implementation (“OFSI”) states that it is “almost certain” that UK-based cryptoasset firms have under-reported suspected breaches of financial sanctions. The report highlights growing concerns around inadvertent non-compliance, delayed attribution and exposure to high-risk jurisdictions such as Russia, Iran and North Korea. This blog explores the assessment’s key findings, outlines current reporting obligations for relevant firms and considers how crypto businesses can strengthen their compliance frameworks in response.

On 11 March 2022, OFSI (which is part of HM Treasury), the UK Financial Conduct Authority and the Bank of England issued a joint statement reiterating that all UK financial services firms were expected to play their part in ensuring that sanctions are complied with. This includes firms in the cryptoasset sector.  At the time, we wrote about the additional measures which need to be implemented to reduce risks and what could constitute additional red flags.

In September 2022, we noted how firms providing services of cryptoasset exchanges and cryptoasset custodians must report suspect sanctions breaches, as well as comply with additional sanctions reporting requirements.

In July 2025, OFSI published a Cryptoassets Threat Assessment (the “Threat Assessment”), which we now explore in more detail.

What is the purpose of the Threat Assessment?

The Threat Assessment provides information on suspected sanctions breaches only and is intended to assist stakeholders with prioritising as part of a risk-based approach to compliance.

What are the reporting obligations?

In August 2022, cryptoasset firms were added to the list of “relevant firms” in sanctions regulations.

Relevant firms (as defined in the UK regulations under the Sanctions and Anti-Money Laundering Act 2018) are required to inform OFSI as soon as practicable if they know or have reasonable cause to suspect a person:

• Is a designated person;
• Has committed a breach or failed to comply with an obligation under the UK regulations.

A relevant firm is only subject to the reporting obligations when the information or other matter on which the knowledge of reasonable cause for suspicion is based came to it in the course of carrying on its business.

When reporting to OFSI, relevant firms must include:

• The information or other matter on which the knowledge or suspicions is based; and
• Any information the relevant firm holds about the person by which they can be identified.

If the relevant firm knows or has reasonable case to suspect that a person is a Designated Person (“DP”) and that this person is a customer of the relevant firm, it must also state the nature and amount or quantity of any funds or economic resources held by it for that customer.

What are the identified key threats?

The Threat Assessment notes that:

1. It is almost certain that UK cryptoasset firms have under-reported suspected breaches of financial sanctions to OFSI since August 2022.
2. It is likely that most non-compliance by UK cryptoasset firms has occurred inadvertently due to common issues, such as direct and indirect exposures to DPs and suspected breaches being identified after a delay in attribution, with attribution delays also contributing to failures to implement asset freezes.
3. It is highly likely that UK cryptoasset firms have been directly or indirectly exposed to the designated Russian exchange Garantex since its designation in 2023, resulting in breaches of UK financial sanctions.
4. It is highly likely that UK-based cryptoasset firms are currently at risk of being targeted by DPRK-linked hackers and IT workers seeking to steal or obtain funds through illicit means.
5. It is likely that UK cryptoasset firms are currently facilitating transfers to Iranian cryptoasset firms with suspected links to DPs.

As such, relevant firms will need to ensure they have in place appropriate policies and procedures to manage the risks and comply with all requirements as part of a risk-based approach to compliance.

How Gherson can assist

The Gherson team have years of experience advising on compliance matters, including sanctions. We regularly advise clients on sanctions rules and regulations and can assist companies with developing policies and systems aimed at preventing sanctions risks.

If you have any questions arising from this blog, please do not hesitate to contact us for advice, send us an e-mail or, alternatively, follow us on X, Facebook, Instagram or LinkedIn to stay-up-to-date.

The information in this blog is for general information purposes only and does not purport to be comprehensive or to provide legal advice. Whilst every effort is made to ensure the information and law is current as of the date of publication it should be stressed that, due to the passage of time, this does not necessarily reflect the present legal position. Gherson accepts no responsibility for loss which may arise from accessing or reliance on information contained in this blog. For formal advice on the current law please do not hesitate to contact Gherson. Legal advice is only provided pursuant to a written agreement, identified as such, and signed by the client and by or on behalf of Gherson.

©Gherson 2025