DEV Community

benzsevern
benzsevern

Posted on • Originally published at bensevern.dev

Wagner Was on OFAC in 2018: What 10 Years of Sanctions Data Reveals

#python #datascience #opensource #security

If you asked most people when the Wagner Group was first sanctioned by the United States, they'd say 2022 or 2023. That's the period the current narrative covers — the post-invasion wave of Russia-related designations, the Treasury press releases, the coordinated EU/UK/CA/AU announcements. It's also wrong by four years.

The first OFAC designation of "Private Military Company 'Wagner'" was on April 5, 2018, under the CAR (Central African Republic) and TCO (Transnational Criminal Organizations) programs, plus one called UKRAINE-EO13660 — a 2014-era authority that pre-dates the 2022 invasion by nearly a decade. I didn't know that going in; the dominant story about Russia sanctions skips over it. The pipeline I built to analyse sanctions data found it in about three seconds, because the pipeline doesn't read press releases — it reads dated XML snapshots of the SDN list itself.

This post is about what falls out when you point one entity-resolution pipeline at (a) every public sanctions list in the world, (b) a decade of historical OFAC snapshots from the Wayback Machine, and (c) a 13-million-wallet blockchain attribution graph, and ask it all the questions that compliance vendors don't want to answer. Six findings surface, four of which change how I'd think about screening coverage. This is a follow-up to last week's OSS vulnerability reconciliation post; same pipeline shape, completely different domain.

The three datasets

Three public data sources, stitched together on OpenSanctions' canonical entity IDs:

  1. OpenSanctions sanctions collection — 278,647 FtM entities spanning 85 distinct public sanctions lists across 50+ jurisdictions. After filtering to real sanctionable entity schemas (Person, Organization, Company, LegalEntity, Vessel, Airplane, CryptoWallet), the universe is 72,326 canonical sanctioned entities. OpenSanctions has already resolved cross-list duplicates, so os_id is ground truth.
  2. OpenSanctions peps collection — 708,385 politically-exposed persons across Wikidata, national legislature sources, and curated PEP datasets. Joins cleanly to the sanctions set by os_id.
  3. Wayback Machine OFAC SDN snapshots — 38 usable distinct-digest captures of treasury.gov/ofac/downloads/sdn.xml between 2014 and 2023. 15,438 distinct UIDs ever seen across a decade.
  4. Wallet-attribution graph — ~12.6 million Ethereum / Tron / Bitcoin addresses with public labels (Etherscan tags, Forta threat intelligence, DeFiLlama protocol IDs, Scamsniffer blacklists, FBI Lazarus disclosures) from my prior post.

Everything is free, permissively licensed, and bulk-downloadable. No paid API, no commercial compliance vendor, no proprietary chain analytics.

Finding 1: Wagner was on OFAC four years before the current narrative admits

The 38 Wayback snapshots of the SDN list let me compute a first-listing date for every UID. A substring search for "Wagner" returns exactly one hit:

2018-04-05  PRIVATE MILITARY COMPANY 'WAGNER'     progs=CAR,TCO,UKRAINE-EO13660
Enter fullscreen mode Exit fullscreen mode

UID assigned in the April 2018 snapshot, under three separate authorities. UKRAINE-EO13660 dates to 2014 and was built for Crimea-annexation response — Wagner was pulled in under it because the unit was active in eastern Ukraine even then. CAR covered their operations in Central African Republic. TCO was the "this is a crime ring in all but name" framing.

For comparison, Vladimir Putin's personal OFAC entry dates to February 26, 2022 — two days after the invasion. That's also visible in the snapshot timeline. He wasn't on OFAC SDN before that; Wagner was on OFAC for four years before he was.

What this changes: a lot of the Russia-sanctions coverage treats "unprecedented" and "since 2022" as nearly interchangeable. The data says the authorities were already in place, parts of the Russian state-military-crime apparatus were already designated, and the post-2022 wave expanded an existing framework rather than built it from scratch. This is a more boring story but a more accurate one, and it's visible in public data if you parse the XML instead of the press releases.

Finding 2: 1 in 5 OFAC designations gets reversed

The decade of snapshots shows a shape most people don't associate with sanctions: sanctions regimes are not monotonic. Entities get added, but they also get delisted.

Snapshot UIDs on SDN
2014-03-29 5,819
2016-04-02 5,266 (Iran JCPOA delistings)
2018-04-05 6,256
2019-08-05 7,737
2022-03-02 9,226
2022-08-06 10,489 (post-invasion wave)
2023-06-23 12,635

Distinct UIDs ever seen across the decade: 15,438. Current count: ~12,635. Delisted: 2,803 — 18.2%.

Almost one in five entities that was ever on the SDN has been removed. That happens for three main reasons: JCPOA-style diplomatic deals (the 2016 drop of ~600 Iran-related entries is visible as a cliff in the timeline), administrative restructuring (Tornado Cash's UID was retired and re-issued after a program-basis revision in 2022–2023), and sanctions-lift decisions where the underlying conduct stopped or was judged to be addressed.

What this changes: "being on the SDN" is not a life sentence in the data. The compliance industry does a lot of false-positive-weary work based on the assumption that OFAC designations are permanent records — and they are, in the sense that historical presence creates a lasting paper trail. But presence on the current list is a 1-in-5-you'll-be-removed-eventually proposition at the decade scale. That's not what most compliance training material implies.

The other shape in the delisting data worth noting: the 2022 Ukraine wave was the single largest multi-month expansion in the decade of snapshots. +1,263 UIDs between January and August 2022. The program code RUSSIA-EO14024 alone accounts for 2,588 designations since 2020 — more than any other OFAC program in recent memory. The scale of the 2022 expansion is unambiguous; the claim that it was built from scratch is the part that Finding 1 pushes back on.

Finding 3: Sanctioned crypto wallets are almost entirely new public intelligence

I joined the 2,461 publicly-sanctioned crypto-wallet entities from the sanctions universe against the 13M-address wallet-attribution graph. After excluding sanctions-derived labels (the OFAC list appears inside the attribution graph, so including it would be a tautology — every OFAC-sanctioned address would trivially match "attributed by OFAC"), the comparison is simple: of the 1,454 distinct sanctioned wallet addresses, how many carried a non-sanctions public label in Etherscan, Forta, DeFiLlama, exchange-attribution datasets, or the community-curated blacklists?

50 addresses. 3.4%.

Per-list breakdown after filtering out the tautological labels:

Sanctioning authority Sanctioned wallets Had prior external attribution
US OFAC SDN 772 50 (6.5%)
Israel MoD Crypto 685 0 (0.0%)
Japan MOF 26 9 (34.6%)
France Trésor 6 0

The OFAC overlap is mostly what you'd guess — Hydra Market, Blender.io, Chatex, Suex OTC all had prior Etherscan tags because these were darknet / mixer operations that blockchain observers had been tracking for years before formal designation. Those are the 50. The other ~720 OFAC-designated addresses had zero non-sanctions public labelling before OFAC added them.

Israel MoD's 685 wallets — almost all Tron-based, tied to Hamas financial infrastructure — had zero prior entries in any of the 10 wallet-attribution sources. Forta didn't flag them. Etherscan didn't tag them. Scamsniffer didn't blacklist them. The Israeli designation is 100% novel public intelligence for these addresses; every one of them was invisible to open-source chain analytics before the MoD published the list.

Japan MOF's 34.6% hit rate is a different phenomenon — most of the Japanese designations are mirrors of OFAC, so the prior-attribution there is shared OFAC lineage filtered through one additional authority.

What this changes: "blockchain is public, so chain analytics knows everything anyway" is a popular framing among people who think sanctions screening is an obsolete layer in crypto. The data says the opposite. Formal sanctions designations are adding new information to the public attribution graph in 97% of cases — information that the chain-analytics firms may have had internally but that no open-source database carried. If you run a crypto on-ramp or custody product, your sanctions screen is importing public intelligence you could not have derived from any other free source.

Finding 4: 63.9% of sanctioned entities are on exactly one list

This is the headline coverage number. The universe is 72,326 canonical entities; 46,219 of them (63.9%) appear on exactly one public sanctions list. The Big-3 Western stack (OFAC SDN + UK FCDO + EU Financial Sanctions) collectively covers 33.2% of the universe. Adding Canada, Australia, Japan, and Switzerland brings coverage to 35.5% — a 2.3-point improvement for four additional integrations.

Lists an entity appears on Entities Share
1 46,219 63.9%
2 10,483 14.5%
3 5,608 7.8%
4–7 5,112 7.1%
8+ 4,683 6.5%

One-way coverage gaps are sharper than the averages suggest: OFAC-SDN-only screening misses 46.7% of EU Financial Sanctions designations and 46.1% of UK FCDO designations. That goes the other direction too — EU-only misses 84.2% of OFAC SDN, and UN Security Council coverage alone misses 95.8% of OFAC SDN, because OFAC designates hugely more unilaterally than the UN authorises.

This is the least structural of the findings and the most directly actionable. A compliance team buying "comprehensive sanctions screening" should ask which of the 85 public lists the vendor consumes — and should expect the honest answer to cover somewhere between 5 and 12, not 85.

Finding 5: PEP screening is a much weaker leading indicator than vendors suggest

One common compliance-industry claim is that aggressive PEP screening catches sanctions risk early — the theory being that politically-exposed persons are the pool from which future sanctioned individuals are drawn. I joined OpenSanctions' 708k-entity PEPs dataset against the 40,076 sanctioned persons in the sanctions universe.

Only 8.5% of sanctioned persons were in the PEPs dataset first. 3,419 of 40,076.

But the variance across individual sanctions lists is enormous and tells a more interesting story:

Sanctions list Sanctioned persons Also PEPs PEP coverage
New Zealand Russia 1,352 870 64.3%
Australia DFAT 2,497 1,038 41.6%
Canada SEMA 3,457 1,330 38.5%
Japan MOF 1,970 668 33.9%
Switzerland SECO 3,721 1,253 33.7%
EU Travel Bans 3,829 1,267 33.1%
UK FCDO 3,853 1,221 31.7%
EU Financial Sanctions 4,319 1,315 30.4%
US OFAC SDN 7,384 1,394 18.9%
Ukraine NSDC 13,187 2,155 16.3%
Iraq AML 6,201 0 0.0%
Pakistan Proscribed 4,277 1 0.0%

What the table is actually showing: each sanctions regime has a characteristic target type, and PEP-overlap is a clean signature of it.

  • EU-cluster + Canada + Japan + Australia + NZ: 30–64%. These regimes disproportionately sanction current or former political figures — Russian officials, Belarusian ministers, Syrian regime members, Venezuelan ministers. PEP screening catches most of these in advance because "politician" and "politician's deputy" are exactly who PEP datasets track.
  • US OFAC SDN: 18.9%. OFAC sanctions a much broader spectrum — narcotics, transnational crime, cyber, proliferation, Cuban parastatals — most of whom are not politicians.
  • Iraq AML and Pakistan Proscribed Persons: 0%. Terror-focused lists. Terrorists don't hold public office.

What this changes: the "PEP screening is a leading indicator of sanctions risk" framing is true for some regimes and false for others, and the variance is a four-order-of-magnitude spread. If your compliance program's PEP screen is tuned for EU-style political designations (which most vendors default to), it will look strong against Canadian or Swiss sanctions and collapse to near-zero leading-indicator value against OFAC's transnational-crime designations or Pakistan's terror list. A flat "X% of sanctioned individuals were PEPs first" average hides this entirely.

Finding 6: Russia and the West sanction disjoint populations

One small finding worth flagging as-is: the ru_mfa_sanctions dataset — Russia's own Foreign Ministry counter-sanctions list — carries 2,163 entities, mostly Western politicians, journalists, officials. Zero of them appear on any Western sanctions list.

This is structurally the cleanest data point in the post. The West sanctions Russian entities; Russia sanctions Western ones; neither side sanctions its own nationals. The intersection is empty. Which sounds obvious in hindsight but is also a concrete illustration of the way sanctions regimes target completely disjoint populations — and a reminder that if your firm has exposure to Russian markets, screening only against Western lists misses an entire parallel regime.

Honest limitations

As with the prior two posts in this series, what I can't support matters as much as what I can:

  • Wayback snapshots are uneven. 67 distinct-digest captures between 2014 and 2023, but 29 of them were truncated or partially-archived and had to be discarded. The 38 usable snapshots span a decade but the intervals are irregular. A UID "first seen in 2018" may have actually been designated in 2017 if there's no 2017 snapshot; this systematically biases first-listing dates later.
  • Wagner's 2018 program codes don't equal Wagner's 2018 operational scope. OFAC can designate under historical authorities years after relevant conduct started. The April 2018 listing doesn't mean Wagner was first noticed in 2018 — it means the formal SDN designation happened then.
  • "OpenSanctions is ground truth." The canonical os_id is theirs, not mine. Their ER is audit-traced but not zero-error; a false merge or false split propagates through all the overlap stats.
  • PEP datasets are Wikidata-heavy. Of the 3,419 sanctioned-PEP overlaps, 95.6% come from wd_categories and 71.4% from wd_peps. Wikidata PEP coverage is uneven by country — Western European politicians are over-represented relative to Central Asian or African ones, which is one reason the NZ Russia list hits 64% overlap while Iraq AML hits 0%.
  • Crypto "prior attribution" is Ethereum-biased. 9 of 10 label sources in the 13M-wallet graph are Ethereum-specific. Bitcoin-addressed OFAC designations (Hydra, Blender, DPRK-related wallets) are undercounted relative to their real prior public coverage; the 3.4% number is a lower bound, not an upper one.
  • The 18.2% delisting rate is across the decade, not per year. Annual turnover is smaller — somewhere in the 2–4% range. The decade-scale figure is the right one to cite for "how often do designations get reversed?", but it's not "one in five designations is reversed each year."
  • No commercial database comparison. Dow Jones, World-Check, LexisNexis, and several chain-analytics firms maintain richer sanctions and PEP datasets. None are bulk-downloadable without a paid plan. This is a free-public-data analysis.

Takeaways

  • Wagner was first OFAC-listed in April 2018 under CAR / TCO / UKRAINE-EO13660 programs — four years before the current Russia-sanctions narrative starts. The post-2022 wave expanded an existing framework rather than built it.
  • 18.2% of OFAC SDN's decade-history designations have been reversed. 2,803 of 15,438 ever-listed UIDs are not on the current list. Sanctions aren't permanent at the decade scale.
  • Sanctioned crypto wallets are 97% novel public intelligence. Only 3.4% had prior external attribution in a 13M-address graph. Israel MoD Crypto: 0% prior attribution; every one of the 685 addresses was invisible before the MoD published the list.
  • 63.9% of sanctioned entities are on exactly one of 85 public lists. The Big-3 Western stack covers 33.2% of the universe. Adding four more Western regimes (CA/AU/JP/CH) adds only 2.3 points.
  • PEP screening is a 0-to-64% leading indicator depending on the sanctions regime. Clustered by target type: political-figure-focused regimes (EU, Canada, NZ) overlap with PEPs 30–64%; OFAC overlaps at 18.9%; terror-focused lists (Iraq AML, Pakistan Proscribed) overlap at zero.
  • Russia's counter-sanctions list (2,163 entities) has zero overlap with any Western sanctions list. Mirror-image regimes targeting disjoint populations.

Reproduce it

Everything in this post is in a public repo: benzsevern/goldenmatch-sanctions-reconciliation. Five commands from a fresh clone:

python fetch_public_data.py      # OpenSanctions sanctions + peps + default (~3.5 GB, ~5 min)
python extract_records.py        # filter sanctions → parquet
python analyze.py                # cross-list coverage + pairwise overlap + famous cases
python analyze_peps.py           # sanctioned persons ∩ PEPs
python fetch_wayback_ofac.py     # ~70 Wayback SDN snapshots (~3 min with rate-limit courtesy)
python analyze_history.py        # first-listing dates + growth + delisting
python analyze_crypto.py         # cross-reference against wallet-attribution graph
Enter fullscreen mode Exit fullscreen mode

The raw OpenSanctions data is CC-BY 4.0; Wayback snapshots are web.archive.org captures of treasury.gov/ofac/downloads/sdn.xml (U.S. government public domain); wallet-attribution data is permissively licensed. No API keys, no auth. Outputs land in output/report.json for the headline coverage numbers, history_report.json for the decade-of-OFAC findings, peps_report.json for the PEP-overlap table, crypto_report.json for the wallet-attribution cross-reference.

Companion repos, same ER pipeline, completely different domains: goldenmatch-vuln-attribution (869k OSS vuln records, 608k canonical clusters) and goldenmatch-wallet-attribution (13.1M blockchain attribution records). Three posts, three domains, one conceptual pipeline.

Install GoldenMatch: pip install goldenmatch. Star the repo: benzsevern/goldenmatch. Try the playground: bensevern.dev/playground.

Reproducibility footer.

  • Source datasets: OpenSanctions sanctions bulk collection (FtM JSON, snapshot dated 2026-04-16, 318 MB), OpenSanctions peps bulk (832 MB), Wayback Machine captures of treasury.gov/ofac/downloads/sdn.xml (67 distinct-digest snapshots 2014-03-29 → 2024-03-29, 38 usable), wallet-attribution graph from goldenmatch-wallet-attribution (10 label sources, 12.6M unique addresses post-normalisation).
  • Canonical sanctioned entities post-schema-filter: 72,326 (Person 40,076; Organization 17,088; LegalEntity 7,633; Company 2,862; CryptoWallet 2,461; Vessel 1,864; Airplane 342).
  • Distinct public sanctions lists represented: 85.
  • Entities on exactly one list: 46,219 (63.9%).
  • OFAC SDN 2014–2023: 5,819 → 12,635 UIDs. 15,438 distinct UIDs ever seen; 2,803 delisted (18.2%).
  • Wagner Group first OFAC designation: 2018-04-05, programs CAR / TCO / UKRAINE-EO13660.
  • Putin first OFAC designation: 2022-02-26, program RUSSIA-EO14024.
  • Sanctioned persons: 40,076. ∩ PEPs: 3,419 (8.5%).
  • Sanctioned crypto wallets: 1,454 distinct addresses. With prior external (non-sanctions) attribution: 50 (3.4%). Israel MoD Crypto prior-attribution rate: 0.0%.
  • Russia MFA counter-sanctions: 2,163 entities, 0 overlap with Western Big-7.
  • Tools: polars 1.39, Python 3.12, standard-library xml.etree.ElementTree, urllib.request. goldenmatch 1.4.4 installed but not required — OpenSanctions handles cross-list ER.
  • Hardware: Windows laptop, 32 GB RAM. Full pipeline completes in under 5 minutes once data is local; the Wayback fetch takes longer due to rate-limit courtesy (~3 min with a 1.5 s delay between requests).
  • Code and raw outputs: benzsevern/goldenmatch-sanctions-reconciliation (MIT). Scripts: fetch_public_data.py, fetch_wayback_ofac.py, extract_records.py, analyze.py, analyze_peps.py, analyze_history.py, analyze_crypto.py. Headline JSONs in output/.
  • Data date: 2026-04-16.

Originally published at https://bensevern.dev

Top comments (0)