
Sounding the Alarm on Digitally Enabled Sanctions Evasion

Alex O'Neill, Amanda Wick
Wednesday, October 16, 2024, 9:44 AM
Innovative sanctions evasion practices should prompt a reassessment of the national security risks posed by digital financial technologies.
An illustration of a man and a woman's silhouettes escaping a vortex of binary code (Photo: Pixabay, https://tinyurl.com/yhnwr3w5, Free Use)

Published by The Lawfare Institute in Cooperation With Brookings

The geopolitical tumult of the past several years has brought renewed attention to the national security threats illicit finance and sanctions evasion represent. Russia has sustained the brutal invasion of Ukraine despite an unprecedented campaign to choke off its war machine, in significant part because of the Kremlin’s ability to erect alternative trade channels and procure banned goods. Washington has wielded novel export controls in a bid to restrict China’s access to advanced chips, but a complex network of illicit traders has blunted their impact. From Venezuela to the Iran-backed “Axis of Resistance” to North Korea, rogue actors have survived punishing international sanctions, and many continue to pose unacceptable threats to U.S. security. Those who find themselves in the crosshairs of U.S. economic statecraft have sought workarounds to continue buying and selling arms, oil, dual-use electronics, and other illicit goods with national security implications. Increasingly, sanctions evaders have been drawn to virtual payment technologies that operate outside the traditional U.S.-dominated financial system.

Even as malign actors have toyed with using cryptocurrency to circumvent sanctions—sometimes quite publicly—many experts and U.S. officials still treat digital illicit finance primarily as a crime issue, often dismissing the possibility that it could one day meaningfully facilitate national security threats. The 2024 National Proliferation Financing Risk Assessment acknowledges “the potential risks from new and alternative payment systems, as some countries seek to develop strategies to avoid U.S. jurisdiction and evade U.S. sanctions specifically,” but it concludes that “U.S. adversaries would find it difficult to translate those alternative payment systems into an at-scale replacement.” Overall, the prevailing wisdom seems to hold that while virtual assets are susceptible to theft and fraud—the sorts of practices ransomware gangs and state-sponsored North Korean cybercriminals engage in—the technology is ill-suited to facilitate sanctions evasion and illicit trade at serious levels.

In reality, the prevailing wisdom may be underestimating the illicit finance risks virtual assets pose. For one, common appraisals of the virtual asset ecosystem are probably undercounting the illicit activity that takes place, which creates a discounted impression of exploitation risks. Moreover, while cryptocurrency-based sanctions evasion still represents only a drop in the bucket compared to traditional illicit financial pathways, U.S. adversaries have established an operational proof of concept, and emerging financial technologies will likely further solidify it. Meanwhile, sanctioned entities are doggedly pursuing further advances, pouring resources into developing payment channels beyond the reach of Western authorities. As policymakers consider strategies to curtail the illicit financial practices that fuel the most dire U.S. national security threats, they must anticipate the coming evolutions of sanctions evasion, rather than fighting it only in its current form.

Underestimating Digital Asset Risks

The virtual asset industry tends to assert that the digital payments ecosystem is less susceptible to illicit exploitation than the traditional financial system, pointing to lower estimated rates of illegal activity and the enhanced visibility blockchain transactions provide. During a February congressional hearing, a former Department of Justice prosecutor who now works at Coinbase estimated that only 1 percent of crypto transactions involve illicit activity. Multiple blockchain analytics companies claim the rate is even lower. By comparison, the rate for traditional fiat transactions is believed to be 2-5 percent. Of course, both figures reflect speculation about enormous, complex global ecosystems. It may well be true that there is less illicit activity in crypto than in traditional finance, but a closer look reveals that these calculations may be imprecise or, worse, misleading.

The most common methodologies for estimating the illicit portion of crypto transactions have significant flaws. In simple terms, blockchain analytics companies typically calculate it as the sum of activity identified as illicit divided by the total amount of crypto activity. The latter figure is relatively straightforward to determine, though activities such as wash trading may artificially inflate it. The denominator, then, is a ceiling estimate, the real figure being equal or lower. Calculating the illicit-activity numerator is a much more challenging task. Even with perfect information, definitions of illicit activity are nebulous—should all transactions with addresses registered to sanctioned countries be classified as such?—and they vary by jurisdiction. Just within the United States, the same transaction that would be an ordinary recreational marijuana sale in Colorado is, in Texas, an illegal narcotics operation. Of course, available transaction information is far from perfect. Accepting blockchain analytics firms’ claims to have mapped 99 percent of historical crypto trades, the unidentified remainder could still potentially account for billions of dollars in illicit transactions.

More importantly, measures of illicit activity typically account only for “on-chain data”—that is, transaction information captured directly on the blockchain. That slice of information represents just the tip of the iceberg. Factoring in “off-chain data” like personally identifiable information (PII), internal data on exchange account holders, communications between counterparties, traditional financial transactions, and records from government databases like the Internet Crime Complaint Center (IC3), the Data Analysis and Research for Trade Transparency System (DARTTS), or the Financial Crimes Enforcement Network (FinCEN) Query reveals a fuller and more worrisome picture. Accordingly, the illicit-activity numerator should be seen as a floor; the actual amount is at least what blockchain analytics companies have calculated. Consider that in January’s 2024 Crypto Crime Report, Chainalysis revised its estimate of 2022 illicit activity from $20.6 billion to $39.6 billion, which the firm attributed to its “identification of previously unknown, highly active addresses hosted by sanctioned services” and the “addition of transaction volume associated with services in sanctioned jurisdictions.” In other words, the estimated numerator doubled after a year of further analyzing documented transactions—not the discovery of any new activity. To its credit, Chainalysis acknowledges that its illicit-activity figures are “lower bound estimates based on inflows to the illicit addresses we’ve identified today” and that current snapshots will “almost certainly” be revised upward “as we identify more illicit addresses and incorporate their historic [sic] activity.”

However the digital and traditional financial spaces exactly stack up, “winning” the comparison misses the point of the exercise. Aside from the unreliability of real-time estimates, focusing on the overall illicit activity rate and its fluctuations obscures other critical trends. The same Chainalysis report shows that the total value illicit addresses received rose from $4.6 billion in 2018 to the revised $39.6 billion figure in 2022, growth that amounts to doubling year-over-year if the 2020 outlier is removed. Previous reporting from the same firm indicates that money laundering in the increasingly popular decentralized finance (DeFi) space grew 1,964 percent from 2020 to 2021, outpacing the 912 percent increase in DeFi transaction volume and the 567 percent increase in total crypto transaction volume over the same period. In addition, while plenty of crypto-enabled crime reasonably would still have taken place in the fiat world, if perhaps more slowly or expensively, some illicit transactions—ransomware and many pig-butchering scams, for example—would not have been possible, at least at large scale, without digital payment channels. In other words, even if the virtual asset ecosystem truly is more resilient against illicit exploitation, virtual asset platforms have had their own additive effect, enabling certain illegal schemes and transactions that would otherwise have been infeasible.

A Growing Operational Norm

The characteristics that make digital assets potentially transformative also appeal to illicit actors. Among them are the near-instantaneity of transactions, institutional disintermediation, borderlessness, and often lower transfer fees, not to mention the energetic user base that has poured money into the virtual asset ecosystem and is constantly developing more capable platforms. To be sure, unlike previous crime-enabling innovations such as prepaid debit cards, digital payment channels also offer substantial crime-fighting benefits, namely, enhanced visibility into the transactions they facilitate. Yet these features do not wholly counteract the new illicit financing risks virtual assets present. As Carole House noted in an Atlantic Council piece this May, ransomware “economies would not work at the same level of scale and success without cryptocurrency, at least in its current state of compliance and exploitable features. Massively scaled ransomware campaigns targeting thousands of devices could not work by asking victims to pay using wire transfers and gift cards,” payment methods that are slower, stickier, and more time intensive.

The same characteristics have enticed Russian sanctions evaders to begin experimenting with digital payment channels. They have been drawn in particular to stablecoins, virtual assets whose value is pegged to sovereign currencies like the U.S. dollar, which minimize volatility and offer far greater liquidity than quixotic state-sponsored tokens with no chance of achieving global traction. The most widely used stablecoin, Tether, is the world’s most-traded cryptocurrency, with more than $50 billion in daily volume. In one case reported by the Wall Street Journal, an agent for the famed arms producer Kalashnikov paid $20 million in Tether for Chinese electrical parts required to manufacture attack drones to be used in Ukraine, marking just one of many such transactions blockchain analytics firms have monitored for months. The broader Russian economy has quickly embraced Tether as it reorients to support the invasion, the sanctioned Moscow-based cryptocurrency exchange Garantex having reportedly facilitated more than $20 billion in Tether transfers since early 2022. “For Vladimir Putin’s war machine,” the Wall Street Journal asserted, “Tether has become indispensable.”

Rogue governments and armed groups beyond Russia have also adopted stablecoins as a preferred method of conducting business, if not quite their primary payment mechanism. The reimposition of U.S. energy sanctions this spring has prompted Venezuela’s state-owned oil company, PDVSA, to introduce new contract terms requiring counterparties to make deposits or partial prepayments in Tether. Hamas and affiliates such as Palestinian Islamic Jihad, reportedly the first designated terrorist groups to fundraise via cryptocurrency, cumulatively took in well over $100 million that way in the years leading up to the Oct. 7 attacks. More than 99 percent of the $41 million in virtual assets Israeli authorities seized from those groups between 2020 and 2023 was held in Tether. The Islamic State continues to rely mainly on physical and informal transfer methods but has likewise initiated forays into virtual asset payment systems, “in particular the stablecoin Tether,” according to a fact sheet the Counter ISIS Finance Group published in February 2024. These machinations are unlikely to render sanctions obsolete any time soon, but they provide alternative revenue streams as well as opportunities to refine sanctions evasion tactics.

Some would dismiss these cases as small-dollar anecdotes, citing presumed limitations on further expansion of crypto-facilitated illicit trade. One problem for would-be sanctions evaders is that many virtual asset exchanges employ robust compliance measures, performing tasks such as “know your customer” (KYC) and geolocation to prevent abuse of their platforms. Despite their checkered history of enforcement—just last year, Binance and its CEO pleaded guilty to criminal charges after its nonfeasance “gave sanctioned customers unfettered access to American capital and financial services,” per the Justice Department—most of the biggest virtual asset platforms now profess to embrace proactive measures, having realized that security and compliance are near-prerequisites for doing business in the West. Another impediment is liquidity: How many counterparties would accept payment in virtual assets, let alone a rogue state’s digital token, knowing it may be highly volatile or otherwise untrustworthy and won’t be widely accepted elsewhere? A third challenge is the simple fact that many sanctioned entities are rife with corruption and unlikely to engineer a financial transformation. Consider the illustrative case of the Venezuelan “petro,” an ostensibly oil-backed coin President Nicolas Maduro touted in 2018 as “a cryptocurrency … that can take on Superman.” Far from vanquishing the U.S. economic statecraft machine, the petro served primarily to line the pockets of the officials involved and quickly fizzled.

Despite these obstacles, prudent policymakers should view the growing popularity of stablecoins and other digital currencies for sanctions evasion as proof of a concept malign actors hope to make widely operational. Concerningly, long-standing obstacles to conducting illicit finance via the digital payments ecosystem are eroding. The rise of under-regulated stablecoins represents the arrival of a trusted, widely exchangeable currency without the volatility of Bitcoin or other tokens. On platforms like Telegram and Alibaba, increasing numbers of Chinese and Russian intermediaries now not only accept payment in cryptocurrency but sometimes prefer it, offering more favorable rates for stablecoins like Tether than for funds routed through traditional correspondent financial institutions. These shifts also make illicit transactions far quicker and more user-friendly. According to a 2022 Justice Department indictment, Russian smugglers involved in a venture to sell 500,000 barrels of sanctioned oil reassured their Venezuelan partners that a Tether transfer would involve “no worries, no stress” and would be processed in a manner “quick like SMS” text messages. “It’s quicker than telegraphic transfer, USDT,” one actor wrote, referring to Tether’s ticker symbol. “That’s why everyone does it now.” For sanctions evaders, eroding barriers related to trust, volatility, and liquidity have made transacting in virtual assets far more appealing.

While in theory responsible platforms can freeze or seize assets they identify as tainted by illegal activity, many global exchanges still underinvest in compliance or, like Garantex, reject it outright. What’s more, until now at least, Tether has rarely acted against users involved in illicit procurement. Stablecoin operators have tended to pay closer attention to issues like terrorist financing than sanctions evasion, even in cases involving weapons or dual-use technologies. Moreover, complex laundering processes that often involve near-instantaneous onward transfers to third parties make it difficult to detect sophisticated illicit activity. According to a recent Wall Street Journal article, between 2018 and mid-2024 Tether froze less than 1 percent of the $153 billion that flowed through the 2,713 wallets it blacklisted. Well-intentioned operators may lack sufficient off-chain data to know when to intervene, particularly when transfers involve noncompliant jurisdictions or intermediaries.

Troubling Future Developments

Innovative new technologies may further compound the challenge of preventing malign actors from exploiting digital finance. Even as platforms like Tether launch partnerships with respected blockchain analytics firms such as Chainalysis and TRM Labs, new stablecoin models are emerging that reduce operators’ power to police users and transactions. So-called decentralized stablecoins, such as MakerDAO’s DAI token, rely on smart contracts to process transactions independent of direct monitoring or oversight. Whereas Tether may revise its compliance policy as desired, for a decentralized platform to establish policies banning identified illicit users or blocking access in countries under sanctions would presumably require authorization from the many participants in its governance collective, known as a decentralized autonomous organization (DAO). Taking swift action against specific users or jurisdictions would likely be even more cumbersome—assuming the platform’s backers would be willing in the first place, which is far from a given. The vexing case of the cryptocurrency mixer Tornado Cash, a favorite laundering tool of North Korean cybercriminals whose decentralized structure has enabled it to withstand a barrage of sanctions and takedown attempts, should serve as a cautionary tale. Despite the increased transaction visibility certain DeFi platforms offer, in many ways, the space’s development has proved a boon to illicit actors.

Perhaps most troubling, governments under sanctions are putting their weight behind efforts to construct digital payment channels that could bypass U.S. restrictions. Russia has led the charge, seeking to work around secondary sanctions that have jammed up the traditional cross-border payments infrastructure and caused its imports to decline since midyear. Arguing for investing in alternative payment mechanisms, the head of Russia’s money laundering watchdog asserted in July that there exists “a need for businesses, especially in cases involving sanction mechanisms, when they need to enter the international market, and it can’t always be resolved through standard methods.” In July, Russian lawmakers passed a bill to legalize cryptocurrency mining and conducting international trade using digital payments. Reports indicate the Kremlin intends to launch trials of sponsored digital exchanges this fall, with an eye toward eventually allowing national currency exchanges to deal in cryptocurrency. These measures represent a sharp pivot from Russia’s long-held official views on allowing digital assets to facilitate transactions, which the Central Bank proposed banning in January 2022.

The emergence of an “Axis of Evasion” united by shared interests and complementary economies has made these digital pathways more viable. For at least a year and a half, Moscow and Tehran have experimented jointly with a gold-backed stablecoin designed to facilitate bilateral trade settlement. While experts have expressed skepticism that the proposed system will ever surmount the liquidity and management challenges described above, the two countries appear to be moving steadily forward as their weapons trade continues to expand. In parallel, Russia and China have collaborated on building systems for settling payments digitally and via barter exchange that appear closer to becoming operational. The degree of North Korean involvement in these kinds of efforts, if there has been any, remains unclear, but the Kim regime would surely prefer to make direct purchases with the billions in cryptocurrency its cybercriminals have stolen over the past half-decade, rather than having to navigate the expensive and perilous cash-out process to obtain the fiat currency illicit partners have traditionally required. That many of these countries share direct land- or sea-based trade routes means there are few opportunities for external forces to erect obstacles beyond payment infrastructure. Thus, effective workarounds could seriously undermine the bite of the existing sanctions regime. Having built a robust global shadow economy, Axis of Evasion members clearly see digital payments as a core element of its ongoing evolution.

***

The combination of these circumstances—underestimated levels of digital illicit financial activity, operational shifts prefiguring wider use of cryptocurrency for sanctions evasion, and sanctioned governments’ deliberate experimentation with digital payments workarounds—should alarm Western policymakers. Whether or not virtual assets ultimately surpass traditional finance as illicit actors’ transaction method of choice, digital payments will play an increasingly central role in facilitating sanctions evasion, not just by simplifying traditional illicit activity but by enabling new illicit practices that otherwise would not exist. The first step is to recognize the seriousness of these threats, which many practitioners continue to dismiss. Combating them will require governments to fund more expert capacity, anticipate the unintended consequences of imposing sanctions, and prioritize counter-illicit finance in international diplomacy. Engaging with industry earlier in the development process would help policymakers foster responsible innovation and compliant design. Above all, government investment in cultivating a stronger understanding of digital illicit finance practices—and authorities’ tools for countering them—is vital. Otherwise, by the time the new digitally enabled sanctions evasion paradigm arrives in full, it may already be too late.


Alex O’Neill is a national security researcher who studies emerging technology, cyber threats, and illicit finance. He previously worked at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, where he co-founded and led for three years the North Korea Cyber Working Group. Alex is the author of “Upholding North Korea Sanctions in the Age of Decentralised Finance” (Royal United Services Institute) and “Cybercriminal Statecraft: North Korean Hackers’ Ties to the Global Underground” (Belfer Center for Science and International Affairs). He regularly presents his research to academic, industry, and government audiences and has delivered briefings on North Korean cyber activities to the State Department, the Treasury Department, and intelligence agencies. Alex received an MSc in Russian and East European Studies from the University of Oxford and a BA with distinction in History from Yale University.
Amanda Wick was a federal prosecutor for nearly a decade. Afterward, she was the Chief of Legal Affairs at Chainalysis. She returned to government briefly before launching the Association for Women In Cryptocurrency, which advocates for the equal inclusion of women in the future of digital finance. Through Incite Consulting, she provides expert witness, litigation, and strategic advisory services related to crypto companies.
