The Treasury Department's Office of Foreign Assets Control continued through 2025 to expand its use of sanctions against the infrastructure that makes ransomware profitable, designating cryptocurrency exchanges, mixing services, bulletproof hosting providers, and individuals accused of laundering or facilitating extortion payments. The strategy reflects a deliberate shift from pursuing elusive attackers to targeting the financial and technical enablers that convert stolen access into revenue. Coordinated actions with foreign partners underscored that the campaign is as much about cutting off the cash-out as about naming the perpetrators.

The legal architecture is the interesting part. OFAC's designations rest on cyber-focused executive authorities that permit sanctioning those who materially assist malicious cyber-enabled activity, a standard broad enough to reach facilitators well removed from the keyboard. That breadth is also the source of controversy: sanctions can impose strict-liability exposure on U.S. persons who unwittingly transact with a designated entity, and victims who pay ransoms risk running afoul of the very regime meant to deter payment.

Sanctions as cyber strategy

In a Lawfare analysis, commentators have described sanctions as one of the few tools that can impose real cost on actors beyond the reach of extradition, while cautioning that designations are only as effective as the enforcement and international coordination behind them. A Council on Foreign Relations report argued that financial-sector pressure on illicit crypto flows can meaningfully raise the cost of ransomware operations, but works best as part of a layered strategy rather than a standalone deterrent. An Atlantic Council commentary noted that the facilitator-targeting approach usefully shifts the battlefield to chokepoints the attackers cannot easily relocate, though it raises hard questions about notice and due process for designated parties.

The unresolved issue is whether sanctions deter or merely displace, pushing laundering to new services faster than designations can follow. That is an empirical question the current campaign is, in effect, testing in real time.

The Journal examined this instrument before it became central to ransomware policy. Volume 6, Issue 1's "Cyber Enhanced Sanction Strategies: Do Options Exist?" directly interrogates the promise and limits of sanctions as a response to cyber-enabled harm, and Volume 6, Issue 2's "The Ransomware Assault on the Healthcare Sector" situates the payment dilemma in one of its most acute victim contexts. Read together, they anticipate the strategic and legal debates now playing out at OFAC.

As designations accumulate, the lesson from that earlier work holds: sanctions can raise costs and shrink safe harbors, but only within a coordinated strategy that accounts for displacement and due process. For the foundational analysis, we point readers to JLCW Volume 6, Issue 1.

– JLCW Staff Writers