UK investigating first suspected breach of cyber sanctions
British authorities have opened their first investigation into a suspected breach of the country’s cyber sanctions regime since the measures took effect more than five years ago, according to information obtained by Recorded Future News under freedom of information laws.
HM Treasury said the Office of Financial Sanctions Implementation (OFSI) has recorded up to five potential breaches of cyber sanctions, all involving firms in the financial services sector. The department declined to provide precise figures or case details, saying disclosure could prejudice ongoing or future investigations.
The incidents mark the first known suspected breaches of cyber sanctions, which ministers have previously described as a key tool for imposing costs on hostile cyber actors.
As previously reported by Recorded Future News, OFSI did not detect any cyber sanctions breaches in the first several years after the regime was introduced, raising questions over whether the sanctions were actually preventing breaches or if monitoring efforts were simply failing to catch them.
In response to the freedom of information request, the Treasury said it could only confirm the number of suspected cases as a range because OFSI policy treats figures of five or fewer as operationally sensitive and discloses them only as part of an aggregated category in its annual report.
According to that report for last year, OFSI’s broader workload has been dominated by sanctions linked to Russia’s invasion of Ukraine. In the last financial year, the agency recorded 394 suspected breaches across all sanctions regimes, with 329 of them — roughly 83.5% — related to Russia.
By sector, financial services firms accounted for 142 of those cases, or about 36%. OFSI notes that cases attributed to financial services firms are attributed to the primary suspected breaching party and that a single incident can involve multiple entities.
Improved monitoring
The detection of suspected sanctions breaches follows an expansion of OFSI’s monitoring capabilities for cyber issues. The agency recently announced that it is increasing its headcount and investing in advanced data analytics, specialist datasets and cryptocurrency investigation tools to ensure funds and economic services are not provided to sanctioned persons.
There are currently 82 individuals and 13 entities designated under the UK’s cyber sanctions regime. These range from state-backed cyber operatives and ransomware criminals to some of the hacking ecosystem’s enablers. The sanctions target these persons with asset freezes and prohibitions on them receiving funds or other economic resources.
Unlike traditional sanctions cases, cyber-related violations often involve complex payment chains, cryptocurrency transactions and cross-border intermediaries, making it difficult to identify sanctioned recipients and establish intent.
Investigations can be further slowed when they overlap with criminal probes or rely on sensitive intelligence, contributing to long timelines and limited public enforcement outcomes, although OFSI states it regularly collaborates with other agencies to disrupt sanctions evasion even when enforcement isn’t possible.
Financial services firms that breach sanctions can face civil penalties of up to £1 million ($1.25 million), or 50% of the value of the breach, whichever is higher. Criminal cases can result in unlimited fines, while senior managers or directors may also face prosecution and prison sentences of up to seven years.
Sanctions enforcement can involve multiple regulators. The Financial Conduct Authority has separate powers to impose fines, require remediation programs and, in extreme cases, revoke authorizations.
OFSI said it has not completed any enforcement action related to the suspected cyber sanctions cases and has not yet issued warning letters, imposed monetary penalties or made criminal referrals.
The Treasury said all recorded cases relate to the financial services sector, but did not identify the firms involved or say whether the suspected breaches involved completed payments. It is not clear if the scrutiny has focused on payment intermediaries, rather than ransomware victims themselves, nor whether the breaches were self-reported or discovered by OFSI’s own efforts.
The information was released following an internal review that overturned an earlier decision to withhold the data on law enforcement grounds. It comes as the government pursues broader reforms aimed at speeding up sanctions investigations and improving transparency.
A Treasury spokesperson said: “OFSI is committed to robustly enforcing UK financial sanctions, including the cyber sanctions regime. OFSI uses a full range of enforcement tools, including non-public actions such as warning letters and referrals, as part of a proactive, intelligence-led approach to sanctions enforcement.
“OFSI does not comment on individual cases beyond publicly disclosed enforcement action,” the spokesperson added. “All UK businesses, including non-financial organisations, are required to comply with UK sanctions regulations, and non-compliance may result in civil or criminal penalties.”
The cyber sanctions regime was introduced to disrupt state-backed hacking groups and financially motivated cybercriminals, but the effectiveness of the sanctions alongside other efforts has been questioned as cyberattacks on the UK have increased. The country recorded a record number of nationally significant cyber incidents in the 12 months before August 2025.
Ministers were warned during a parliamentary hearing last week that Britain risks leaving itself exposed to cyber and hybrid threats if it cannot credibly impose costs on hostile states with tools more robust than sanctions.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.



