Sanctions spotlight: Australia targets illicit crypto flows

On the anniversary of Russia’s invasion of Ukraine, the Australian Government introduced new sanctions targeting 180 individuals, entities and vessels linked to Russia including a number of cryptocurrency related businesses. For the first time, Australia is targeting cryptocurrency entities that enable cross-border payments to sustain Russia’s military operations. The announcement makes clear that businesses using cryptocurrency to circumvent sanctions are now potential enforcement targets.

Australian sanctions compliance has traditionally focused on banks, exporters and trade finance providers, reflecting the central role of the banking and finance sector in facilitating the acquisition of technology and equipment used in conflict. Building on the Australian Sanctions Office (ASO)’s 2025 guidance, the latest sanctions announcement makes clear that fintech and digital asset businesses, including decentralised finance (DeFi)), will be held accountable for sanctions compliance.

Australian sanctions, which are imposed under the Autonomous Sanctions Act 2011 (Cth) and associated regulations, prohibit dealings with designated individuals, entities, vessels and sectors, as well as certain activities connected with sanctioned countries. The rules apply to everyone, not just regulated entities.

In 2025, the ASO issued updated sector‑specific guidance for cryptocurrency exchanges as well as new guidance for fintech and "DeFi companies" identifying four recurring risk categories that firms are expected to address:

1. Customer risk

The ASO expects fintech companies to screen customers against Australia’s Consolidated List at onboarding and on an ongoing basis, including by identifying beneficial owners. Sanctioned individuals or entities may be concealed through layered or complex ownership structures. This is in line with the Anti-money Laundering and Counter-Terrorism Financing Amendment Act 2024 (AML/CTF Amendment Act), which broadened regulatory obligations for digital asset businesses, payment providers and other higher‑risk sectors.

2. Jurisdiction risk

Given the inherently cross‑border nature of fintech and DeFi business models, firms must ensure they are not inadvertently dealing with sanctioned persons or entities, including through intermediaries such as sanctioned banks. This risk is heightened for businesses operating in adjacent areas such as trade finance or commodities‑related payments.

The guidance highlights elevated risk in dealings connected to Russia, Iran, Myanmar and the Democratic People’s Republic of Korea, and expects robust IP and address‑based controls to prevent services being provided in sanctioned regions.

3. Transaction risk

Even where counterparties initially clear screening, individual transactions may still breach sanctions, including where payments are routed through a sanctioned bank or structured to avoid detection. Businesses are expected to take reasonable precautions and exercise due diligence, including monitoring both crypto and fiat transactions for indicators of sanctions evasion.

4. Product and service risk

The ASO expects sanctions controls should be applied at the product level, proportionate to risk exposure. To that end, ASO implies that it will be no defence to say that a product (including decentralised software) was simply misused by bad actors. Services such as crypto trading, peer‑to‑peer transfers, prepaid cards and correspondent‑style arrangements each present distinct risk profiles. Expanding into new product lines should trigger an updated sanctions risk assessment before launch.

Strict liability and penalties

Sanctions offences are strict liability for body corporates and attract significant penalties, calculated by reference to the value of the contravening transaction. Individuals face up to 10 years’ imprisonment and/or substantial fines. Penalties may be cumulative.

Areas lacking clarity

While the announcement signals that industry should be alert to sanctions compliance, there remains significant ambiguity as to how sanctions framework applies to decentralised protocols with no clear operator, governance body or Australian nexus. Uncertainty also remains for developers, infrastructure providers or interface operators, particularly where they lack direct customer relationships. However, given the seriousness of the penalties for non-compliance, businesses and software developers operating in this space should take steps to understand their obligations. Previous US enforcement actions indicate the very serious ramifications of sanctions breaches.

Conclusion

The Australian Government has clearly signalled that sanctions compliance is an increasing priority for digital asset businesses. If you require assistance understanding your obligations and the impact of these developments - including the reforms implemented by the Anti-Money Laundering and Counter Terrorism Financing Amendment Act commencing on 31 March 2026, please reach out to the Piper Alderman Blockchain team.

Written by Steven Pettigrove, Katrina Sharman and Tahlia Kelly