Binance, the world’s largest cryptocurrency exchange, has agreed to pay over $4.3 billion in combined penalties to resolve criminal and civil investigations by the Department of Justice, the Financial Crimes Enforcement Network, the Office of Foreign Assets Control, and the Commodity Futures Trading Commission. CEO Changpeng Zhao, known universally in crypto as “CZ,” has personally pleaded guilty to violating the Bank Secrecy Act and will step down.
It is the largest settlement in U.S. Treasury history. The FinCEN component alone — $3.4 billion — dwarfs any previous BSA action against a financial institution of any kind. The OFAC component adds another $968 million. The DOJ criminal resolution totals $1.8 billion, running concurrently with the Treasury numbers for an aggregate of $4.316 billion.
The facts outlined in the plea documents are damning and detailed. Binance operated as a money services business serving U.S. customers from 2017 onward without registering with FinCEN, without implementing an anti-money laundering programme, and without filing suspicious activity reports. This was not an oversight. Internal communications show Binance’s chief compliance officer describing the platform’s approach as designed to attract illicit flows, and senior staff discussing whether their lax controls would eventually result in criminal exposure.
On sanctions, OFAC identified 1.67 million apparent violations spanning Iran, Cuba, Syria, North Korea, and occupied Crimea. Binance matched users against sanctions lists only in a limited fashion and actively helped certain users circumvent its own geographic restrictions. The platform processed transactions involving wallets linked to Hamas’s al-Qassam Brigades, al-Qaeda, and ISIS-affiliated entities.
FinCEN’s order catalogues over 100,000 suspicious transactions that Binance failed to report. These included transactions involving darknet markets, ransomware operations, and sanctioned-jurisdiction flows. The exchange also processed $898 million in transactions between U.S. users and users in Iran alone.
CZ’s personal plea is significant. He admitted that he was aware Binance was required to register with FinCEN, implement an AML programme, and file SARs — and that he chose not to. His sentencing is scheduled for February 2024; guidelines suggest 12 to 18 months of imprisonment, though the judge has discretion.
As part of the resolution, Binance will retain an independent compliance monitor for five years, exit the U.S. market entirely, and implement a comprehensive AML and sanctions compliance programme. Richard Teng, the former head of regional markets, has been named as the new CEO.
What this tells us about the crypto AML gap
Having worked on some of the largest AML remediation programmes in traditional banking, I find the Binance case both unsurprising and deeply instructive.
The core issue is not that Binance’s AML programme was inadequate. It is that Binance deliberately chose not to build one. This is a critical distinction. When a bank fails an AML examination, it is usually because transaction monitoring thresholds were miscalibrated, or SAR narratives were too thin, or beneficial ownership records were incomplete. These are failures of execution. What Binance did was different: it made a strategic business decision that compliance was a cost to be avoided because it would drive away the very customers who generated the most revenue.
The internal communications are the most telling part of the record. When your own compliance staff are warning in writing that the platform is being used for terrorist financing and the institutional response is to continue operating without controls, you have crossed from negligence into wilful blindness — and from there into conspiracy.
The sanctions dimension is particularly significant. OFAC’s finding of 1.67 million apparent violations is an extraordinary number, and it reflects the scale of what a global, unregulated exchange can facilitate. Traditional banks spend hundreds of millions annually on sanctions screening infrastructure. Binance — processing more volume than most banks — spent a fraction of that.
I also want to flag the terrorist financing element, because it tends to get lost in the headline numbers. The plea documents explicitly reference transactions linked to Hamas, al-Qaeda, and ISIS. These are not abstract compliance failures. They represent real money flowing to designated terrorist organisations through a platform that chose profit over controls. In my experience, when terrorist financing touches a financial institution, regulators and prosecutors move from remediation to criminal liability — and rightly so.
The $4.3 billion number is enormous, but Binance can afford it. The exchange reportedly generates billions in annual revenue and holds substantial reserves. The real penalty is the five-year monitorship and the U.S. market exit. Whether the monitor has genuine authority to force change — or becomes another box-ticking exercise, as we have seen with some bank monitorships — will determine whether this resolution actually changes anything.
For the broader crypto industry, the message is clear: the era of regulatory arbitrage through jurisdictional shopping is ending. If you serve U.S. customers, you are subject to U.S. law — regardless of where you incorporate or where your servers are located.