Feb 04, 2026 · 5 min read

The UK Just Opened Its First Cyber Sanctions Investigation—And Financial Firms Are the Target

After years of designating hackers and ransomware gangs, Britain is finally investigating who's been paying them.

First Ever Cyber Sanctions Enforcement

The UK's Office of Financial Sanctions Implementation (OFSI) has recorded up to five potential breaches of the cyber sanctions regime—the first suspected violations since the framework was established.

All of the suspected breaches involve firms in the financial services sector. HM Treasury has not identified the companies involved or disclosed whether the suspected violations involved completed payments to sanctioned entities.

This marks a significant shift. For years, the UK has sanctioned hackers, ransomware operators, and their enablers. Now it's investigating who's been providing them with funds.

Who's on the Sanctions List

The UK's cyber sanctions regime currently designates 82 individuals and 13 entities. These include:

  • Evil Corp members, including leader Maksim Yakubets, who has a $5 million US bounty and documented ties to Russia's FSB intelligence service
  • LockBit affiliates, including Dmitry Khoroshev (aka LockBitSupp), unmasked as the group's leader through Operation Cronos
  • State-backed operatives working for Russian military intelligence (GRU) and other hostile actors
  • Infrastructure providers like ZSERVERS, sanctioned in February 2025 for enabling ransomware attacks against UK targets

Sanctions impose asset freezes and prohibit anyone from providing funds or economic resources to designated persons.

Why Enforcement Is Difficult

Unlike traditional sanctions cases, cyber-related violations are hard to prove. The challenges include:

  • Complex payment chains that obscure the ultimate recipient of funds
  • Cryptocurrency transactions designed to evade traditional financial tracking
  • Cross-border intermediaries that make it difficult to establish intent or identify sanctioned parties
  • Overlapping criminal investigations that slow enforcement timelines

OFSI has recently expanded its monitoring capabilities, investing in advanced data analytics, specialist datasets, and cryptocurrency investigation tools.

The Penalties

Financial services firms face substantial penalties for sanctions breaches:

  • Civil penalties up to £1 million or 50% of the breach value, whichever is higher
  • Criminal prosecution carrying unlimited fines and up to seven years imprisonment for senior managers

A Treasury spokesperson noted that OFSI uses "a full range of enforcement tools, including non-public actions such as warning letters and referrals." No enforcement actions, penalties, or criminal referrals have been completed yet; these investigations are ongoing.

What This Means for Ransomware Payments

The timing is significant. The UK government is currently consulting on proposals that would require mandatory reporting of ransomware attacks and potentially restrict ransom payments.

Companies facing ransomware attacks already operate in legal gray zones. Paying a ransom could mean inadvertently funding a sanctioned entity—especially since ransomware groups frequently rebrand, merge, or share affiliates with sanctioned organizations.

Evil Corp, for example, was forced to change tactics after 2019 sanctions damaged their brand. Members pivoted from using their own tools like WastedLocker and Hades to becoming affiliates of LockBit—a group that has also been the subject of international enforcement.

What Compliance Teams Should Do

The days of cyber sanctions being theoretical are ending. Compliance teams at financial institutions should:

  • Screen against cyber sanctions lists as part of standard due diligence, not just traditional financial sanctions
  • Review cryptocurrency exposure and understand whether any wallet addresses are linked to sanctioned entities
  • Establish clear escalation procedures for ransomware incidents that include sanctions considerations from the start
  • Document decision-making thoroughly; if you're ever questioned about a payment, the reasoning behind it matters

Ministers have warned that Britain risks leaving itself exposed to cyber and hybrid threats if it cannot credibly impose costs on hostile states. These investigations suggest the government is getting serious about enforcement.

The Bottom Line

For years, designating hackers under sanctions regimes was largely symbolic. The practical enforcement challenge—tracing payments through cryptocurrency mixers and shell companies—seemed insurmountable.

These investigations signal that OFSI is willing to try. Whether they result in penalties or prosecutions remains to be seen. But for financial services firms, the message is clear: sanctions compliance now includes cyber threats.