
Exodus Movement Settles with OFAC for $3.1 Million Over Iran Sanctions Violations
On December 16, 2025, OFAC announced that Exodus Movement, Inc., a Delaware-incorporated financial technology company headquartered in Omaha, Nebraska, agreed to pay $3,103,360 to settle potential civil liability for 254 apparent violations of Iran sanctions. If you’re in the digital asset space, you should pay attention to this case. It shows that OFAC expects a working compliance program from day one, not boilerplate terms of service – a compliance program that our expert OFAC Sanctions Attorneys can help you design.
What Did Exodus Do?
Exodus launched in 2016 with a free digital asset wallet, called Exodus Wallet. Exodus Wallet is a “non-custodial” wallet, meaning it doesn’t hold customer funds or process exchange transactions directly. Users instead download the software to generate and store private keys, which they then use to authorize peer-to-peer transfers, or to access third-party exchanges integrated into the Exodus platform. Exodus collected fees each time users transacted through those third-party partners.
The company also ran a customer support team, made up mostly of independent contractors spread around the world, that handled technical inquiries by email.
On 254 separate occasions between October 2017 and January 2019, Exodus provided technical support to wallet users who identified themselves as located in Iran. In doing so, it committed apparent violations of U.S. sanctions regulations. Under Section 560.204 of the Iranian Transactions and Sanctions Regulations (ITSR), exporting services from the United States, or by a U.S. person, to Iran is generally prohibited. This includes support for Iranian customers.
Exodus’s own Terms of Use already said the wallet could not be exported into countries under a U.S. embargo or to anyone on the SDN List. Iran obviously fell under that prohibition, but Exodus never trained its employees on what those terms meant in practice. And, for much of the relevant period, it had no way to enforce them.
12 Egregious Violations
Not all 254 apparent violations were treated the same. OFAC found that 12 of them were egregious, meaning they involved willful or reckless conduct, and those 12 drove the bulk of the penalty.
In April 2018, one of Exodus’s third-party exchange partners (“Exchange A”) announced it would start using IP-based blocking to prevent users in Iran from accessing its services. Exodus’s customer service team quickly started getting complaints from Iranian users who could no longer complete transactions through Exchange A.
By May 2018, Exodus’s CEO acknowledged internally that Exchange A was likely blocking Iranian users because of U.S. sanctions. That understanding made its way to customer service staff. Even so, Exodus kept helping Iranian users. On 12 occasions, customer service reps went further: they told users in Iran that Exchange A had blocked them because of U.S. sanctions or regulations, and then suggested using a VPN to change their IP address and get around those controls.
OFAC cited specific examples. In one May 2018 exchange, a support rep told an Iranian user that Exchange A had geo-restricted Iran due to U.S. law, expressed sympathy, and mentioned that other Iranian customers had been able to use the exchange feature through a VPN. In another interaction the same week, a different rep straight-up told an Iranian user that Exchange A wouldn’t be able to detect their location if they used a VPN to change their IP address.
This went beyond violating Section 560.204. OFAC also found violations of Section 560.203, which prohibits transactions that evade or attempt to evade sanctions. Telling a user in Iran how to get around sanctions controls moves you from a compliance failure into active evasion territory.
How OFAC Calculated the Penalty
OFAC determined the violations were not voluntarily self-disclosed. That distinction matters. Voluntary disclosure typically leads to significantly lower penalties under OFAC’s Enforcement Guidelines.
For the 12 egregious violations, OFAC applied the statutory maximum for each, totaling $4,532,400. For the remaining 242 non-egregious violations, it applied the applicable schedule amount for each, totaling $242,000. The combined base penalty came to $4,774,400.
The final settlement of $3,103,360, roughly 65% of the base, reflects OFAC’s weighing of aggravating and mitigating factors.
Aggravating Factors
OFAC identified four aggravating factors.
The biggest: on at least 12 occasions, Exodus staff appeared to willfully violate sanctions by acknowledging that exchanges blocked Iranian users and then recommending VPNs to get around those controls. Paired with Exodus’s broader awareness of Iran sanctions, this showed knowledge that the conduct was likely prohibited.
Beyond those 12 incidents, Exodus acted with reckless disregard by providing customer support to Iran-based users on 254 occasions despite knowing about the prohibition. Its own Terms of Use and internal communications from its CEO reflected that awareness.
Management and staff knew they were serving Iranian users. Those users typically identified their location directly.
OFAC also noted that the conduct undermined longstanding U.S. policy aimed at cutting Iran off from the U.S. and international financial system. Exodus’s services let people in a comprehensively sanctioned jurisdiction transact through U.S. services, and its staff taught them how to hide their location from exchanges that were trying to follow the law.
Mitigating Factors
Three things worked in Exodus’s favor.
Exodus spent millions of dollars on compliance remediation after the violations came to light. The company adopted a standalone Export Control and Sanctions Compliance Policy, hired compliance staff, brought in third-party sanctions screening and wallet address monitoring tools, rolled out mandatory training for all employees, and updated sanctions-related language in its exchange partner agreements.
Exodus also cooperated extensively with OFAC during the investigation, which stretched over several years. The company responded quickly to information requests, handed over large volumes of data, made witnesses available for interviews, turned over internal communications, and agreed to toll the statute of limitations.
Finally, Exodus had no prior OFAC penalty history and was a small company during the period in question. The 254 violations were a tiny fraction of total wallet downloads and support interactions at the time.
The Compliance Investment Credit
There’s an unusual wrinkle in this settlement. As partial satisfaction of the $3,103,360, Exodus agreed to put $630,000 toward additional sanctions compliance controls. So the direct cash payment to the Treasury was $2,473,360, with the remaining $630,000 earmarked for compliance improvements under a detailed work plan due to OFAC within six months. OFAC will review an expense report by November 30, 2027. Any portion of the $630,000 that OFAC decides wasn’t properly spent on qualifying measures becomes due as an additional payment.
Compliance Commitments Going Forward
The settlement requires Exodus to maintain extensive compliance commitments for at least five years, tracking the five pillars from OFAC’s 2019 Framework for Compliance Commitments: management commitment, risk assessment, internal controls, testing and auditing, and training.
Exodus also has to submit annual certifications to OFAC for five years, signed by a senior executive, spelling out how the company is meeting each commitment. If OFAC decides Exodus has breached the agreement, it can reopen the investigation into the original violations.
What Crypto and Fintech Companies Should Take from This
The most obvious lesson: OFAC takes willful sanctions violations extremely seriously, and will impose strong penalties on those it finds responsible for them. Exodus advising its users on how to get around compliance controls turned what might have been a standard violation into an egregious one under Section 560.203. The penalty difference between the two categories in this case was enormous.
Exodus also received higher penalties because it failed to make a voluntary self-disclosure of these violations. The company cooperated fully once OFAC came calling, but the lack of a voluntary disclosure likely pushed the settlement higher. Companies that discover potential violations should do their best to proactively disclose them to OFAC whenever possible. If you believe you may have discovered a sanctions violation, contact a Sanctions Lawyer at Sanctions Law Center immediately in order to figure out what your legal obligations are.
Another important takeaway is that compliance has to be operational, not just words on a webpage. Exodus had Terms of Use that prohibited access from embargoed countries. But without training, screening tools, or internal procedures to back them up, those terms did nothing. A self-certification checkbox during onboarding is not a compliance program.
Companies sometimes assume that because they don’t have custody over customer assets or process transactions, they aren’t providing “services” to sanctioned jurisdictions. This is wrong. OFAC treated Exodus’s technical support and troubleshooting for Iranian users as an export of services under the ITSR. If you have a support team fielding tickets, you’re exporting a service.
OFAC also stressed that companies should be screening for location data they already have. When your support team learns that a user is in Iran, whether through an IP address or because the user says so directly, you need a system that flags that interaction right away. What you don’t want is a support culture where staff just keep helping.
And if you’re an early-stage company, don’t wait to create a compliance program. OFAC specifically advised new companies serving a global customer base that they need sanctions compliance built into their operations from the start, not bolted on after something goes wrong. And to design a compliance program that meets OFAC’s rigorous standards, it is essential to have expert legal advice. At the Sanctions Law Center, our OFAC Sanctions Lawyers specialize in developing and implementing comprehensive compliance programs on behalf of our clients.
How an OFAC Sanctions Lawyer Can Help
Exodus never had custody of any customer funds, and didn’t think of itself as a traditional financial services company. OFAC didn’t care. If your company touches digital assets, serves users globally, or has any interaction with sanctioned jurisdictions, you need a compliance program that holds up to scrutiny.
At Sanctions Law Center, we work with fintech and digital asset companies by designing tailor-made sanctions compliance programs, responding to OFAC inquiries and investigations, and preparing voluntary self-disclosures. If you have questions about your company’s sanctions exposure, contact us for a consultation.