Sanctuary Research Desk

Of the 18,168 wallets attributed to Lazarus in our intelligence dataset via the curated Tayvano Lazarus source:
- **11 wallets** appear in OFAC SDN Advanced — the source-of-truth crypto-attribution extension of the US Treasury sanctions list.
- **49 additional wallets** appear in Tether's blacklist or USDT-specific freeze records.
- **18,108 wallets** appear in neither. They are tracked by Monahan's methodology, cross-confirmed by independent analysts including Elliptic and Chainalysis, but are not on any official sanctions list and have not been frozen by any major stablecoin issuer.
The percentage breakdown: 99.67 percent of Lazarus-attributed wallets are tracked-only — known to be DPRK-operated, but not designated.
The chain distribution of the 18,168 wallets:
- **Ethereum**: 13,466 wallets (74.1 percent)
- **Bitcoin**: 3,792 wallets (20.9 percent)
- **TRON**: 910 wallets (5.0 percent)
The OFAC SDN coverage breakdown:
- Ethereum: 11 wallets in SDN of 13,466 (0.08 percent)
- Bitcoin: 0 in SDN of 3,792 (0.00 percent)
- TRON: 0 in SDN of 910 (0.00 percent)
This is the precise gap. On the chain where Lazarus operates most heavily, OFAC has officially designated eight one-hundredths of one percent of identified wallets. On Bitcoin and TRON — the two chains carrying the most active DPRK laundering flow as of 2026 (per Elliptic's Bybit anniversary post and TRM's May 2026 report) — the OFAC coverage is zero.
The gap is not a failure of intelligence — Monahan's list is the gold standard for community DPRK attribution, and Elliptic, Chainalysis, and TRM Labs maintain functionally equivalent lists internally. The gap is a structural feature of how official sanctions work.
OFAC designates specific wallets when:
1. **There is a named target** in a Treasury enforcement action (a person, entity, or organization), and the wallet is attributed to that target through evidence sufficient to support the designation legally.
2. **The designation passes Treasury's internal review** — including the legal sufficiency of the attribution, the policy rationale for the specific designation, and the operational consequences (the designated wallet effectively becomes uncashable in regulated venues).
OFAC does not, as a matter of operational practice, designate every wallet that is attributed to a sanctioned group by community intelligence. The legal standard for SDN designation is higher than the analytic standard for cluster attribution. A wallet that Tayvano Monahan's tracing methodology has clustered with confirmed Lazarus addresses through transaction-graph analysis may be analytically Lazarus-attributed without being legally designation-ready.
The structural consequence: the official sanctions list captures a small fraction of the actual adversary infrastructure. Compliance teams that rely solely on OFAC's published list — without supplementing through community intelligence, vendor tooling, or in-house attribution — are screening against approximately 0.06 percent of the Lazarus-attributed wallet universe.
A parallel case study sharpens the picture. LockBit was a Russia-based ransomware operation that targeted Western institutions through 2022-2024. The group was OFAC-sanctioned as an entity in early 2024. In May 2024, the National Crime Agency obtained an operational leak from LockBit's internal infrastructure that revealed approximately 60,000 victim-payment and operator wallet addresses.
Sanctuary ingested the leak data into our attribution dataset. The breakdown:
- **59,975 wallets** total in the `lockbit_leak` source
- **All 59,975** are on Bitcoin (LockBit's exclusive operational chain)
- **0 wallets** are in OFAC SDN Advanced
- **0 wallets** are in Tether's blacklist (Tether's freeze pipeline does not act on Bitcoin addresses because Tether's freeze authority operates at the USDT contract level on chains where USDT exists; Bitcoin is not one of those chains)
LockBit's group-level OFAC sanction did not produce wallet-level designations. The 59,975 leaked addresses remain outside the official sanctions universe. Compliance teams screening against the OFAC list see no LockBit-attributed wallets — but the wallets are documented in public infrastructure leaks.
For a US-regulated exchange that processes Bitcoin deposits, the LockBit ghost cluster is a known threat-intelligence dataset with zero official sanctions coverage. Screening against it requires either ingesting the public leak data directly or using a compliance vendor that does. The OFAC list, by itself, is silent on these 59,975 wallets.
A third case study illustrates a different dimension of the gap. A7A5 — the ruble-backed stablecoin issued by Old Vector LLC (Kyrgyzstan, 51-percent owned via parent A7 LLC by Moldovan fugitive Ilan Shor) — was added to the EU's Annex LIII in the 19th sanctions package (effective November 25, 2025) and reinforced in the 20th package (taking full effect May 24, 2026, nine days from this article's intended publication).
Sanctuary's internal scan source `a7a5_token_scan` tracks 271 wallets in the A7A5 cluster:

- 264 TRON wallets tagged as `grey_exchanger`
- 5 TRON wallets tagged as `sanctioned_entity`
- 2 Ethereum wallets tagged as `grey_exchanger`
Cross-referenced against four major sanctions data sources:
- **OFAC SDN Advanced**: 0 overlap
- **OpenSanctions** (which aggregates approximately 250 sanctions-related feeds worldwide): 0 overlap
- **Israel NBCTF** (the Israeli National Bureau for Counter Terror Financing list, focused on Iran/Hezbollah-related addresses): 0 overlap
- **Tether blacklist / USDT blacklist**: 0 overlap
The A7A5 cluster has zero wallet-level coverage in any of the four major sanctions data feeds. The EU has designated the asset by name. The wallets in the cluster — which carry the asset and operate the secondary market — are not on any wallet-level sanctions list as of mid-May 2026.
For an EU CASP preparing for the May 24 entry-into-force, this matters operationally. If the CASP's screening pipeline depends on wallet-level designations (the standard architecture), it will not catch A7A5 cluster wallets through OpenSanctions or OFAC feeds. The CASP must either implement asset-level screening (which is what the EU 20th package requires) or ingest direct A7A5 wallet attribution from a vendor that has it.
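The difference between the two screening architectures named above (wallet-level counterparty matching versus asset-level contract-address matching) is easiest to see on a token transfer record. The following is an added example, not Sanctuary's or any CASP's production code: the token contract addresses and wallet addresses are placeholders (the real A7A5 contract identifiers are not given on this page and are not assumed here), and the transfer records are constructed.

```python
EVM_CHAINS = {"ethereum", "bsc", "polygon", "arbitrum", "base"}

# Asset-level designations: chain -> token contract addresses. These are
# placeholders; the real A7A5 contract addresses are not given on this page.
DESIGNATED_ASSETS = {
    "tron": {"TPLACEHOLDER_A7A5_TRC20"},
    "ethereum": {"0xplaceholder_a7a5_erc20"},
}

# Wallet-level designations (constructed): chain -> wallet addresses.
DESIGNATED_WALLETS = {
    "tron": {"TSANCTIONEDWALLET0001"},
    "ethereum": set(),
}


def normalize(chain, addr):
    """EVM hex addresses differ only in checksum casing, so compare lowercase;
    TRON base58 addresses are case-sensitive and must be compared verbatim."""
    return addr.lower() if chain in EVM_CHAINS else addr


def wallet_level_hit(tx):
    """Counterparty screening: is either party a designated wallet?"""
    chain = tx["chain"]
    listed = {normalize(chain, a) for a in DESIGNATED_WALLETS.get(chain, set())}
    parties = {normalize(chain, tx["from"]), normalize(chain, tx["to"])}
    return bool(parties & listed)


def asset_level_hit(tx):
    """Asset screening: is the token contract itself designated, regardless of
    who sent or received it?"""
    chain = tx["chain"]
    listed = {normalize(chain, a) for a in DESIGNATED_ASSETS.get(chain, set())}
    return normalize(chain, tx["token_contract"]) in listed


def screen_transfer(tx):
    """Combine both checks into one deposit-layer decision."""
    wallet, asset = wallet_level_hit(tx), asset_level_hit(tx)
    reason = "designated_wallet" if wallet else ("designated_asset" if asset else None)
    return {"wallet_level": wallet, "asset_level": asset,
            "action": "block" if (wallet or asset) else "pass", "reason": reason}


# Constructed token-transfer records in the shape a chain indexer would emit.
SAMPLE_TRANSFERS = [
    # designated asset moving between two unlisted wallets: only asset-level catches it
    {"chain": "tron", "token_contract": "TPLACEHOLDER_A7A5_TRC20",
     "from": "TUNLISTEDWALLETAAAA", "to": "TUNLISTEDWALLETBBBB", "amount": 1000},
    # an undesignated token sent from a designated wallet: only wallet-level catches it
    {"chain": "tron", "token_contract": "TPLACEHOLDER_OTHER_TRC20",
     "from": "TSANCTIONEDWALLET0001", "to": "TUNLISTEDWALLETCCCC", "amount": 250},
    # undesignated token between unlisted wallets: neither check fires
    {"chain": "tron", "token_contract": "TPLACEHOLDER_OTHER_TRC20",
     "from": "TUNLISTEDWALLETAAAA", "to": "TUNLISTEDWALLETCCCC", "amount": 10},
    # designated ERC-20 contract in mixed checksum casing: normalization still matches
    {"chain": "ethereum", "token_contract": "0xPLACEHOLDER_A7A5_ERC20",
     "from": "0xUnlisted01", "to": "0xUnlisted02", "amount": 5},
]


if __name__ == "__main__":
    for tx in SAMPLE_TRANSFERS:
        print(tx["chain"], tx["token_contract"], screen_transfer(tx))
```

The first sample transfer is the A7A5 situation: a designated asset moving between wallets that sit on no wallet-level list, which a pipeline built only around `wallet_level_hit` passes. The per-chain `normalize` step matters in practice because EVM contract addresses arrive in varying checksum casing while TRON addresses must not be case-folded.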
Sanctuary maintains the 271-wallet cluster as a discrete source. Chainalysis, TRM Labs, and Elliptic have analogous internal attributions. None of these is in the OFAC SDN feed because the US has not separately designated A7A5 wallets — OFAC's August 2025 designation hit the issuer entities (A7 LLC, Old Vector LLC, Payeer, Grinex) but not the specific A7A5 holder wallets.
To understand what the official sanctions universe does capture, the relevant figure from our database is the cross-verified core: wallets that appear in two or more independent sanctions-related data sources. The query produces 3,378 wallets across all chains.
The chain distribution:
- **Ethereum**: 2,655 (78.6 percent)
- **Bitcoin**: 544 (16.1 percent)
- **TRON**: 127 (3.8 percent)
- **BSC**: 24 (0.7 percent)
- **Polygon**: 23 (0.7 percent)
- **Arbitrum**: 23 (0.7 percent)
- **Base**: 23 (0.7 percent)
- **Solana**: 21 (0.6 percent)
- Smaller representations on Litecoin, Monero, Bitcoin Cash, Dash, Zcash, Ripple
The cross-verified core skews heavily toward Ethereum because the major sanctions feeds (OFAC, OpenSanctions, Tether, USDT, Tayvano) all maintain dense Ethereum attribution. Bitcoin's share is smaller despite Bitcoin having more total entity labels (10.1M of our 10.58M total) because OFAC's crypto-attribution work and Tether's freeze authority operate primarily on EVM chains and TRON.
The 3,378 is, by any reasonable definition, the highest-confidence operator core in the public sanctions universe. These are wallets that have been independently corroborated by multiple, non-coordinated threat-intel pipelines as sanctions-related. For Sanctuary's risk scoring, the cross-verified status produces the engine's highest confidence tier.
But 3,378 is small relative to 18,168 (Lazarus alone), to 59,975 (LockBit alone), to the 271 A7A5 cluster, and to the broader universe of attribution-only entries in our database. The cross-verified core is the operationally actionable subset; the broader attribution dataset is the situational-awareness subset.
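The two measurements this article rests on (the per-chain share of an attribution source that an official list designates, and the cross-verified core of wallets present in two or more independent sources) are set operations over a source-to-wallet index. The following is an added worked example of that cross-section, not Sanctuary's own query or code: the source labels follow the article, but every address and every membership below is constructed and attributes nothing to anyone.

```python
from collections import defaultdict

# Constructed sample data: source name -> set of (chain, address) pairs.
# Source labels follow the article; every address and membership is invented
# for illustration and attributes nothing to anyone.
SOURCES = {
    "tayvano_lazarus": {
        ("ethereum", "0xaaa1"), ("ethereum", "0xaaa2"), ("ethereum", "0xaaa3"),
        ("bitcoin", "bc1qaaa1"), ("bitcoin", "bc1qaaa2"),
        ("tron", "Taaa1"),
    },
    "ofac_sdn_advanced": {("ethereum", "0xaaa1"), ("ethereum", "0xzzz9")},
    "tether_blacklist": {("ethereum", "0xaaa2"), ("tron", "Tbbb7"), ("tron", "Tbbb8")},
    "opensanctions": {("ethereum", "0xzzz9"), ("tron", "Tbbb7")},
    "lockbit_leak": {("bitcoin", "bc1qlb1"), ("bitcoin", "bc1qlb2")},
}

# Sources that carry legal designation weight, as opposed to analytic attribution.
OFFICIAL = {"ofac_sdn_advanced"}


def index_by_address(sources):
    """Invert source -> wallets into (chain, address) -> set of source names."""
    idx = defaultdict(set)
    for name, wallets in sources.items():
        for key in wallets:
            idx[key].add(name)
    return idx


def coverage_gap(sources, attribution_source, official=OFFICIAL):
    """Per chain: how many wallets of one attribution source also appear in an
    official list, and the gap rate (share that is tracked-only)."""
    idx = index_by_address(sources)
    per_chain = defaultdict(lambda: {"total": 0, "official": 0})
    for chain, addr in sources[attribution_source]:
        per_chain[chain]["total"] += 1
        if idx[(chain, addr)] & official:
            per_chain[chain]["official"] += 1
    return {
        chain: {**c, "gap_pct": round(100 * (1 - c["official"] / c["total"]), 2)}
        for chain, c in per_chain.items()
    }


def cross_verified_core(sources, min_sources=2):
    """Wallets listed by at least `min_sources` independent sources."""
    idx = index_by_address(sources)
    return {key: srcs for key, srcs in idx.items() if len(srcs) >= min_sources}


def chain_distribution(wallets):
    """Count (chain, address) keys per chain."""
    dist = defaultdict(int)
    for chain, _ in wallets:
        dist[chain] += 1
    return dict(dist)


if __name__ == "__main__":
    for chain, row in sorted(coverage_gap(SOURCES, "tayvano_lazarus").items()):
        print(f"{chain:9s} {row['official']}/{row['total']} designated, gap {row['gap_pct']}%")
    core = cross_verified_core(SOURCES)
    print("cross-verified core:", len(core), chain_distribution(core))
```

Passing a wider `official` set (for instance adding the Tether blacklist) reproduces the "in neither" count from the Lazarus breakdown, and running `coverage_gap` against the `lockbit_leak` source shows the group-level-sanction case: a source with zero official overlap on every chain.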
Within the database, one source-set produces a paradoxical signature worth noting. Our `tornado_cash_depositor` source contains 7,708 wallets — every Ethereum address that has interacted with Tornado Cash's deposit contract since its inception, ingested for screening purposes.
Of these 7,708:
- **Only 100 wallets** have any other risk flag in our database — meaning 100 of the 7,708 Tornado depositors are flagged in our other sources as Lazarus, ransomware, sanctions, fraud, or any other risk category.
- The remaining 7,608 (98.7 percent) appear in our database only as Tornado depositors.
This is operationally informative. The vast majority of Tornado Cash depositors do not have other risk flags. Tornado was used disproportionately by users who, by Sanctuary's screening, present no other red signal — supporting the post-OFAC-delisting industry consensus that the Tornado Cash user base is broadly composed of legitimate privacy seekers rather than concentrated criminal flow.
This does not change the legal framework for Roman Storm's prosecution, which targets the protocol's operation rather than the user base composition. It is, however, a data point that recalibrates the public narrative. When Treasury delisted Tornado Cash on March 21, 2025 after the Fifth Circuit's Van Loon v. Treasury ruling, the policy effect was to remove the protocol from the sanctions universe; the empirical reality is that the protocol's user base was, in our screening, mostly composed of users our risk engine would otherwise have not flagged.
Of the 100 Tornado depositors who do carry other flags, the breakdown by source-of-cross-flag includes seven from the Lazarus list (these are the DPRK operators who personally signed Tornado deposit transactions, rather than receiving Tornado withdrawals downstream), plus broader phishing, scam, and sanctions-adjacent flags.
Five operational implications for compliance teams in 2026.
**First, do not rely solely on OFAC SDN.** The published list captures approximately 0.06 percent of the Lazarus-attributed universe. Compliance pipelines that screen only against the OFAC SDN crypto-extended list are missing 99.94 percent of identified DPRK wallet infrastructure. Supplemental sources are required: community-curated lists like Tayvano's, vendor-curated lists from Chainalysis / TRM / Elliptic / Sanctuary, and direct attribution from your own intelligence.
**Second, EU sanctions ride a different track.** The EU 20th package designates A7A5 by name (asset-level) without designating specific wallets. Compliance pipelines that expect to see wallet-level designations cascade from OFAC or OpenSanctions for A7A5 will not see them through May 24, 2026, and likely not for months afterward as designations are still backstopped through US enforcement frameworks. EU CASPs must implement asset-level screening (contract-address matching) or accept gap exposure on A7A5 and adjacent EU-listed assets (RUBx, Russian and Belarusian digital rubles).
**Third, group-level sanctions do not produce wallet-level coverage.** LockBit's group-level OFAC designation did not propagate to the 59,975 wallets revealed by the NCA operational leak. Compliance frameworks that interpret a group-level sanction as covering all attributable operator infrastructure are over-reading the legal effect. Specific wallets need specific designations or specific intelligence-list inclusion to flow into screening.
**Fourth, cross-source verification matters for confidence tiering.** The 3,378-wallet cross-verified core is the highest-confidence operator dataset. Compliance pipelines should expose cross-source-verified flagging as a discrete confidence tier separate from single-source-flagged. This permits risk-based policy: refuse high-confidence cross-verified at the deposit layer; require enhanced documentation for single-source-flagged; pass low-attribution flow through standard monitoring.
**Fifth, Tornado Cash deposits warrant calibrated treatment.** Of 7,708 historical Tornado depositors in our screening, 7,608 (98.7 percent) have no other risk flag. Treating Tornado depositors uniformly as high-risk produces false positives at industrial scale. Treating them as ignorable misses the 100 who do carry other flags, including seven direct Lazarus operators. The calibrated treatment is to apply cross-flag adjustment: a Tornado-only flag should not produce Critical scoring; a Tornado + other-source flag should.
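The fourth and fifth implications describe one decision function: tier each counterparty by how many independent sources flag it, treat a mixer-deposit flag as a modifier rather than a corroboration, and map tiers to deposit-layer actions. The following is an added example of that tiering and cross-flag adjustment, not Sanctuary's risk engine; the source labels follow the article, while the addresses and their flag sets are constructed.

```python
from collections import Counter

# Constructed sample: EVM address -> set of source labels that flag it. Labels
# follow the article's source names; the addresses and flag sets are invented.
RAW_FLAGS = {
    "0xAAA1": {"tayvano_lazarus", "ofac_sdn_advanced"},       # two independent sources
    "0xaaa2": {"tayvano_lazarus"},                             # attribution only
    "0xccc1": {"tornado_cash_depositor"},                      # Tornado deposit, nothing else
    "0xccc2": {"tornado_cash_depositor", "tayvano_lazarus"},   # Tornado deposit + Lazarus
    "0xccc3": {"tornado_cash_depositor"},
}

# Sources that record mixer usage rather than adversary attribution; they get
# cross-flag adjustment instead of counting as an independent corroboration.
MIXER_SOURCES = {"tornado_cash_depositor"}

# Tier -> deposit-layer action, following the risk-based policy in the article.
TIER_POLICY = {
    "cross_verified": "refuse_at_deposit",
    "mixer_cross_flagged": "refuse_at_deposit",
    "single_source": "enhanced_documentation",
    "mixer_only": "standard_monitoring",
    "unflagged": "standard_monitoring",
}
CRITICAL_TIERS = {"cross_verified", "mixer_cross_flagged"}


def normalize_index(raw):
    """EVM addresses compare case-insensitively, so key the index in lowercase."""
    return {addr.lower(): set(srcs) for addr, srcs in raw.items()}


FLAGS = normalize_index(RAW_FLAGS)


def classify(sources):
    """Map the set of flagging sources to a confidence tier."""
    substantive = set(sources) - MIXER_SOURCES
    mixer = bool(set(sources) & MIXER_SOURCES)
    if len(substantive) >= 2:
        return "cross_verified"          # two or more non-coordinated sources agree
    if substantive and mixer:
        return "mixer_cross_flagged"     # Tornado + another source: Critical
    if substantive:
        return "single_source"
    if mixer:
        return "mixer_only"              # Tornado-only: never Critical on its own
    return "unflagged"


def screen(address, flags=FLAGS):
    """Screening decision for one counterparty address."""
    key = address.lower()
    sources = flags.get(key, set())
    tier = classify(sources)
    return {
        "address": key,
        "sources": sorted(sources),
        "tier": tier,
        "critical": tier in CRITICAL_TIERS,
        "action": TIER_POLICY[tier],
    }


def tier_counts(flags=FLAGS):
    """Tier distribution across the whole flagged universe."""
    return dict(Counter(classify(s) for s in flags.values()))


if __name__ == "__main__":
    for addr in ["0xAAA1", "0xaaa2", "0xccc1", "0xccc2", "0xddd9"]:
        print(screen(addr))
    print(tier_counts())
```

Exposing `tier` as a discrete field, rather than collapsing everything into one score, is what lets the deposit layer refuse cross-verified counterparties while a Tornado-only depositor stays under standard monitoring; `tier_counts` is the batch view that would reproduce the 7,608-versus-100 split over a real index.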
Looking forward from May 2026 through May 2027, three structural shifts are likely to narrow the sanctions gap:
**AMLR effective July 10, 2027** will impose a €1,000 self-hosted-wallet enhanced-CDD trigger across all EU CASPs. The framework will likely produce additional wallet-level designations in OpenSanctions as member-state national competent authorities flag operational wallets they observe in their AMLR-compliance monitoring.
**T3 Financial Crimes Unit expansion** through 2026-2027 will continue producing Tether-level freezes. Each freeze adds a wallet to the Tether blacklist source. At the May 2026 run-rate of approximately $514M frozen across 370 addresses in 30 days, the Tether blacklist could add 4,000+ wallets to the sanctions-coverage universe in the next twelve months — most concentrated on TRON.
**OFAC follow-on designations on specific 2026 enforcement actions** (April 23 Iran Operation Economic Fury, March 12 DPRK IT worker network, and likely additional Russia-corridor actions in the EU 21st package timeframe) will add wallet-level entries to SDN Advanced. The April 23 Iran action alone added 2 wallets to OFAC; the March 12 DPRK action added 21. The cumulative pace is approximately 30-50 wallet-level OFAC additions per major enforcement action.
If these three trends continue, the OFAC SDN crypto-extended list could grow from approximately 1,200 wallets today to 2,500-3,500 wallets by mid-2027. The cross-verified core could similarly grow from 3,378 to 6,000-8,000.
These projections do not close the Lazarus 18,108 gap, the LockBit 59,975 gap, or the A7A5 271 gap. They reduce the gap rate from 99.67 percent to perhaps 95-96 percent. The structural feature persists: the bulk of attributed adversary infrastructure remains outside the official designation pipeline.
For an OTC desk receiving a TRON USDT deposit in 2026, the screening question is: is this counterparty in our flagged universe? If the desk's pipeline runs only OFAC SDN, the answer for nearly all DPRK-attributed wallets will be "no." The deposit may be from a Lazarus operator wallet that has been on Monahan's list for years and is not on any official sanctions feed.
For an EU CASP preparing for May 24, the question is: are we screening A7A5 transactions? If the pipeline waits for OFAC or OpenSanctions to designate specific A7A5 wallets, the screening will not catch them at scale. The 271 cluster wallets exist in our database. They are not in any of the four major sanctions feeds.
For a US-regulated exchange processing Bitcoin deposits, the LockBit cluster is a 59,975-wallet known threat-intel dataset that is invisible to OFAC-only screening. The exchange's risk posture toward Bitcoin deposits is, in practice, determined by whether the screening pipeline ingests the leak data — directly, via a vendor, or not at all.
In each case, the structural answer is the same: official sanctions are the floor, not the ceiling. Compliance pipelines that treat OFAC SDN as exhaustive are operationally inadequate for the 2026 threat environment. The supplemental data exists; the cost of ingesting it is small; the cost of not ingesting it is the next deposit that lands in the venue's accounts and then gets traced back to an unscreened adversary cluster by a journalist or regulator who had access to the same supplemental data.
99.67 percent of Lazarus-attributed wallets are not on the OFAC SDN list. 100 percent of LockBit-leaked wallets are not. The A7A5 cluster has zero overlap with the four major sanctions feeds. The official sanctions universe is dwarfed by the threat-intelligence universe.
For compliance officers in 2026, the implication is structural. The OFAC list is necessary. It is not sufficient. The gap between attribution and designation is wide, persistent, and quantifiable. The compliance frameworks that recognize the gap, supplement against it, and tier their confidence by cross-source verification produce materially better risk decisions than the frameworks that do not.
The data exists. The cross-section is the difference.
Sanctuary publishes this analysis as our exclusive forensic contribution to the 2026 crypto-AML literature. The underlying numbers are auditable against the public-source counts we cite (Tayvano's list, OFAC's SDN Advanced extension, OpenSanctions' coverage, Tether's freeze announcements, Israel NBCTF's published list). The cross-section — the precise intersection of these sources, the gap quantification, the chain distribution of the gap — is, to our knowledge, not previously published. The methodology is reproducible by anyone with access to the same source feeds. The conclusion is structural.
The gap is real. The gap is quantifiable. The gap is what compliance pipelines need to be designed against in 2026 and beyond.