TOKENIZATION POLICY
The Vanderbilt Terminal for Digital Asset Policy & Regulation
INDEPENDENT INTELLIGENCE FOR TOKENIZATION POLICY, LEGISLATION & POLITICAL ECONOMY

Sanctions Evasion and Crypto: The Policy Response to North Korea, Russia, and Iran

Crypto's borderlessness is a feature for users and a threat for sanctions regimes. When North Korea stole $1.5B from Bybit in 2025, when Russia used crypto to fund post-invasion procurement, and when Iran mined Bitcoin to generate dollar-equivalent reserves, these weren't edge cases — they were proof of the systemic challenge that crypto poses to the sanctions toolkit.

The United States sanctions system — the most powerful unilateral economic coercion tool in history — depends on a simple structural reality: the dollar is the world’s reserve currency, dollar-clearing goes through US-supervised correspondent banks, and therefore any entity that the US designates as a sanctions target loses access to the global financial system. Entities that cannot access dollar clearing cannot import, export, pay employees internationally, or participate meaningfully in global trade.

Crypto assets that can be transferred without going through US-supervised banking infrastructure create, in principle, a mechanism for maintaining economic activity outside the sanctions perimeter. This is not a theoretical concern: North Korea, Russia, and Iran have each developed systematic capabilities to use crypto for sanctions evasion, and the scale and sophistication of those capabilities have directly shaped the regulatory responses that now define the security dimension of crypto policy.

How Sanctions Regimes Work and Why Crypto Challenges Them

OFAC — the Office of Foreign Assets Control within the US Treasury Department — maintains a list of Specially Designated Nationals (SDNs): individuals, entities, and jurisdictions that US persons are prohibited from transacting with. US banks, as a condition of their access to the Federal Reserve’s payment system and correspondent banking relationships, must screen transactions against the SDN list and refuse to process transactions involving designated parties.

The architecture works because it is comprehensive at chokepoints. Even if a sanctioned entity wants to receive payment from an entity in a third country with no direct US connection, if that payment clears through a dollar-denominated correspondent banking system — which most large international transactions do — it passes through US-supervised infrastructure. The ability to enforce the SDN list at the correspondent banking chokepoint gives OFAC leverage over transactions that otherwise have no connection to the United States.

Crypto assets transferred on public blockchains do not go through dollar-correspondent-banking infrastructure. A North Korean intelligence operative with a Bitcoin wallet can receive Bitcoin from anywhere in the world without that transaction going through any US-supervised bank. The funds are not “visible” to OFAC in the sense that no bank is required to screen the transaction. Converting crypto to dollars eventually requires touching the regulated banking system — but with sufficient anonymisation techniques, that touchpoint can be obscured well enough to create practical evasion capability.

North Korea’s Lazarus Group: The World’s Most Sophisticated State Crypto Hacker

The Lazarus Group — a North Korean state-sponsored hacking operation under the Reconnaissance General Bureau — has been the most consequential state actor in crypto theft and sanctions evasion since at least 2017. The group’s documented total crypto theft exceeds $3 billion since that year, making it the single largest source of systematic crypto crime by volume.

The operational model is sophisticated and has evolved significantly. The early Lazarus operations targeted crypto exchange hot wallets through spear-phishing attacks and social engineering. Later operations exploited technical vulnerabilities in blockchain bridges (systems that allow users to move crypto assets between different blockchain networks), which proved to be extraordinarily lucrative targets because bridge smart contracts held large concentrated positions that could be drained in a single exploit.

The February 2025 Bybit hack — in which Lazarus operatives exploited a vulnerability in Bybit’s multi-signature wallet system to drain approximately $1.5B in Ethereum — was the largest single crypto theft in history. The attack was sophisticated: it involved compromising the interface that Bybit’s operators used to manage the cold wallet, displaying false information to the signatories while executing transactions to attacker-controlled addresses. The $1.5B taken in a single operation exceeded North Korea’s entire legitimate export revenue for multiple years.

The money is not simply held: Lazarus has developed sophisticated laundering operations to convert stolen crypto into usable currency. Techniques include using mixing services to obscure transaction history, moving funds through chains of intermediate wallets across multiple blockchains, converting to privacy coins like Monero that are harder to trace, and ultimately cashing out through peer-to-peer exchanges and exchanges in jurisdictions with weak AML enforcement.

Russia’s Post-2022 Crypto Use

Russia’s systematic use of crypto following the 2022 invasion of Ukraine and the subsequent comprehensive Western sanctions represents a different form of sanctions evasion: not sophisticated hacking but pragmatic use of existing crypto infrastructure to maintain economic activity that the sanctions were designed to block.

Russian entities have used crypto for procurement of sanctioned goods — electronics, semiconductors, and military-relevant supplies from third-country vendors who prefer crypto payment to bank wire transfers that might attract sanctions scrutiny. Oligarchs subject to individual OFAC designations have moved wealth into crypto assets that are harder to freeze than the $300B in Russian central bank reserves that were frozen in the days following the invasion.

Russia has also developed relationships with crypto exchanges in friendly jurisdictions — countries that have not imposed sanctions and that maintain functioning financial relationships with Russia. Exchanges in the UAE, Turkey, and Central Asian countries have processed significant Russian crypto volumes, providing a conversion layer between crypto assets and local currencies that Russian entities can use.

The scale of Russian crypto sanctions evasion is significant but has limits. Crypto markets are liquid enough for large transactions to be traceable; sophisticated blockchain analytics by Chainalysis, Elliptic, and TRM Labs has allowed OFAC and its international partners to track Russian sanctions evasion through crypto and to designate the exchanges and wallets involved. The US and EU have sanctioned multiple crypto exchanges specifically for facilitating Russian sanctions evasion, and some major exchanges have implemented Russian-resident user restrictions.

The cat-and-mouse dynamic between Russian evasion and Western tracking has been ongoing since 2022, with both sides improving their capabilities. The honest assessment is that crypto has provided meaningful marginal sanctions evasion capacity for Russia — not enough to undo the sanctions’ economic impact, but enough to finance specific procurement and capital flight that would otherwise have been prevented.

Iran’s State-Backed Bitcoin Mining

Iran’s approach to crypto sanctions evasion has been different from both North Korea’s hacking and Russia’s use of existing markets: Iran has engaged in state-sponsored and state-licensed Bitcoin mining as a mechanism for generating dollar-equivalent purchasing power without requiring access to the dollar financial system.

Iran’s cheap energy — heavily subsidised and partially derived from oil fields that generate associated gas that would otherwise be flared — makes Bitcoin mining economically attractive. The Iranian government has licensed mining operations that generate Bitcoin which can then be sold to international buyers, effectively converting Iranian energy reserves into internationally liquid assets that do not require dollar-clearing to sell.

The scale of Iranian crypto mining has been estimated by researchers at a meaningful percentage of global Bitcoin hashrate, though exact figures are uncertain because miners have incentives to conceal their location. The resulting Bitcoin — sold through exchanges in friendly jurisdictions or through peer-to-peer markets — provides Iran with access to international purchasing power that its banking isolation would otherwise prevent.

OFAC has responded by designating specific Iranian mining operations and the wallets associated with them, and by sanctioning exchanges that knowingly process Iranian-origin crypto. But the distributed nature of mining — which can occur in any location with electricity and hardware — makes comprehensive enforcement difficult.

The US/OFAC Response: Tornado Cash Sanctions and Their Contest

The August 2022 OFAC designation of Tornado Cash — the most significant crypto sanctions action since OFAC began designating crypto wallets — was a direct response to North Korea’s systematic use of the protocol to launder stolen funds. Tornado Cash is a smart contract protocol that allows users to deposit and withdraw crypto assets with the transaction history broken — the withdrawing wallet has no observable on-chain connection to the depositing wallet, defeating standard blockchain analytics.

OFAC’s designation made it illegal for US persons to interact with Tornado Cash’s smart contracts — effectively prohibiting use of the protocol regardless of the user’s purpose. The sanction was unprecedented because it designated software — the smart contract code itself — rather than a specific human actor. OFAC argued that Tornado Cash constituted a “virtual currency mixer” within its sanctioning authority; critics argued that sanctioning code rather than people exceeded OFAC’s statutory authority.

Coin Center, among other organisations, challenged the sanctions on First Amendment grounds: if the smart contract code is protected speech, then OFAC’s prohibition on interacting with it is a content-based restriction that requires First Amendment justification. This argument produced significant appellate court attention — with courts in different circuits reaching different conclusions about whether smart contract interactions constitute protected speech and whether OFAC’s sanctioning authority extends to software.

The Tornado Cash case crystallised the central policy tension in crypto sanctions enforcement: how should governments reach criminal-use infrastructure that also has legitimate-use cases? Tornado Cash was used by North Korea and was also used by legitimate privacy-seeking users. The OFAC designation prohibited all interaction, including legitimate use. A more targeted approach — designating specific wallets rather than the protocol itself — might have better preserved legitimate use while still imposing costs on illicit users, but OFAC’s existing tools are better designed for person-level than software-level designations.

FATF’s June 2025 Update

The Financial Action Task Force’s sixth update to its virtual asset guidance, published in June 2025, was directly shaped by the evidence accumulated from North Korea, Russia, and Iran. The update strengthened the Travel Rule requirements for virtual asset service providers — requiring the sharing of originator and beneficiary information across crypto transactions — and tightened the treatment of peer-to-peer transactions and unhosted wallets that do not go through regulated intermediaries.

The Travel Rule’s application to crypto had been a consistent FATF priority since its 2019 introduction, and the June 2025 update addressed specific implementation gaps that had been exploited for sanctions evasion: the treatment of transactions to unhosted wallets, the threshold at which transaction information sharing is required, and the obligations of VASPs when they cannot identify the counterparty of a transaction.

The FATF update does not solve the fundamental enforcement challenge: sanctions evaders who do not use regulated intermediaries are not reached by Travel Rule requirements. But it tightens the perimeter at the regulated intermediary layer, making it harder for large-scale sanctions evasion to interface with the regulated financial system.

The Policy Tension: Privacy vs. Enforcement

The most consequential unresolved policy question in crypto sanctions enforcement is the tension between financial privacy for legitimate users and surveillance capability for enforcement purposes. Every technique that makes crypto transactions more traceable — Travel Rule compliance, exchange KYC, wallet analytics — imposes costs on legitimate privacy-seeking users while raising but not eliminating the bar for sophisticated state-level sanctions evaders.

North Korea’s Lazarus Group will continue to exploit technical vulnerabilities regardless of Travel Rule compliance. Russia will continue to find crypto exchanges in jurisdictions that do not enforce US sanctions. Iran will continue to mine Bitcoin. The enforcement tools available to OFAC and FATF impose friction on sophisticated state actors without stopping them, while imposing more significant costs on ordinary users who would prefer privacy without any evasion intent.

The honest assessment of the policy trade-off is that stronger surveillance of crypto transactions provides marginal incremental benefit against sophisticated state-level sanctions evasion while imposing greater costs on private citizens’ financial privacy. Whether those marginal benefits justify those costs is a genuinely difficult policy question — one that the crypto privacy advocates at Coin Center and the national security community at Treasury and OFAC answer very differently, reflecting different values about the proper scope of government financial surveillance in a free society.