
Countering the Countermeasures: How Sanctioned States Exploit Compliance Architecture

  • Writer: Elizabeth Travis
  • 1 day ago

Distorted reflections in a glass building facade representing the fragmented compliance architecture exploited by sanctioned states

When the United Nations Security Council first imposed comprehensive sanctions against North Korea in 2006, the expectation was straightforward. Financial isolation would constrain a rogue state’s capacity to fund weapons proliferation. Two decades on, the US Treasury, the European Union and the UK have built an extensive sanctions architecture spanning asset freezes, trade restrictions, sectoral prohibitions and secondary designation powers.


Yet the very sophistication of this architecture has created a paradox. The states and actors it targets have not simply adapted. They have learned to exploit the compliance systems designed to detect them, turning the machinery of financial crime prevention into a vector for evasion.


A new phase of evasion


This is not a new problem, but it has entered a new phase. Reports from the UN Panel of Experts, the Financial Action Task Force (FATF) and the Royal United Services Institute (RUSI) have documented a marked evolution in evasion techniques over the past five years. The actors involved are no longer relying on crude circumvention. Crucially, the most sophisticated evasion is not opportunistic. It is state-directed. North Korea’s cyber units, Iran’s network of front companies and Russia’s intelligence-linked financial infrastructure represent coordinated programmes of sanctions circumvention, resourced and sustained at a national level.


They are deploying layered corporate structures. They are exploiting correspondent banking relationships. They are engineering mirror trades across jurisdictions and routing value through decentralised crypto bridges. The challenge for compliance teams has shifted. It is no longer simply whether they can detect a sanctioned name on a screening list. It is whether they can identify a coordinated evasion strategy that has been engineered to pass every individual checkpoint unchallenged.


Shell layering has industrialised


The use of shell companies to obscure beneficial ownership is as old as sanctions themselves. What has changed is the scale and systematisation of the practice.


Research published by Global Witness and Transparency International has shown that sanctioned Russian entities rapidly established networks of shell companies following the measures imposed after the 2022 invasion of Ukraine. The structures are not improvised. They follow recognisable patterns: nominee directors drawn from a common pool, registered agents operating across multiple jurisdictions, and corporate layers calibrated to sit just below the threshold that would trigger enhanced due diligence.


The critical vulnerability lies not in screening technology but in the data that feeds it. Beneficial ownership registers, where they exist, remain plagued by integrity failures. The UK’s own experience with Companies House illustrates the point. The Economic Crime and Corporate Transparency Act 2023 (ECCTA) has begun to address verification gaps, but the reforms are still in their early stages.

This time lag between legislative intent and operational capability is precisely what evasion networks are designed to exploit. Shell structures move faster than registers update. Ownership chains are routed across jurisdictions where no register exists at all. The Organisation for Economic Co-operation and Development’s (OECD) work on beneficial ownership transparency has repeatedly highlighted that a register is only as credible as its verification mechanism. Without cross-border interoperability and real-time validation, shell layering will continue to outpace the systems designed to expose it.


Mirror trades and correspondent banking remain underexamined


Mirror trading, the practice of executing offsetting transactions in different jurisdictions to move value without a direct cross-border transfer, was thrust into public view by the Deutsche Bank scandal. That case resulted in fines exceeding 600 million US dollars in 2017. The technique remains a potent evasion tool.


The Office of Financial Sanctions Implementation (OFSI) has emphasised in its guidance that firms must look beyond the immediate counterparty to assess economic substance. In practice, this remains extraordinarily difficult. Mirror trades are designed to appear legitimate on both sides. Each leg passes standard compliance checks. It is only when the two legs are viewed together, often across different institutions and jurisdictions, that the evasion becomes visible.


Correspondent banking compounds the problem. The Wolfsberg Group’s guidance on correspondent banking risk acknowledges the inherent opacity of layered relationships. A payment routed through three or four correspondent banks can lose critical originator information at each hop.


The FATF’s Recommendation 16 on wire transfers was designed to address precisely this vulnerability. It requires the transmission of originator and beneficiary information throughout the payment chain. Yet compliance remains uneven, particularly among respondent banks in higher-risk jurisdictions. The result is a structural gap that sanctioned actors have learned to navigate with precision.


Crypto bridges have opened a new frontier


Decentralised finance has introduced an additional dimension to sanctions evasion. Blockchain analytics firms such as Chainalysis and Elliptic have documented the use of cross-chain bridges, mixing services and privacy-enhancing protocols by sanctioned actors. Entities linked to North Korea’s Lazarus Group feature prominently in these findings.


The US Treasury’s Office of Foreign Assets Control (OFAC) designated the Tornado Cash mixing service in August 2022, citing its use by the Lazarus Group. Although the designation was subsequently reversed in March 2025 following a Fifth Circuit ruling that immutable smart contracts cannot be classified as sanctionable property, the action was significant. It signalled the willingness of regulators to target the infrastructure of evasion, not merely the actors themselves. The legal setback has, if anything, sharpened the question of how regulators can keep pace with decentralised technologies that resist traditional enforcement tools.


The challenge posed by crypto bridges is distinct from traditional evasion. Value can be moved across blockchain protocols in ways that sever the transactional chain of custody. Compliance systems built around account-based monitoring struggle to maintain visibility. The Financial Conduct Authority’s (FCA) approach to cryptoasset supervision in the UK, and the European Union’s Markets in Crypto-Assets Regulation (MiCA), represent significant steps toward closing this gap. But the pace of technological development in decentralised finance continues to outstrip the pace of regulatory implementation. Sanctioned actors operate in the space between innovation and oversight.


The intelligence failure at the heart of sanctions compliance


It is tempting to frame the persistence of sanctions evasion as a regulatory failure. That framing misses the point. The evasion techniques described here do not succeed because the rules are weak. They succeed because they are designed to operate within the rules, passing each individual compliance checkpoint while evading the system as a whole. The failure is not regulatory. It is one of intelligence.


More troubling still, the compliance process itself generates a false sense of legitimacy. When a transaction clears sanctions screening, it produces a record of apparent due diligence. That record does not merely allow the transaction to proceed. It provides documentary evidence that the activity was assessed and found to be clean. The compliance system is not just being bypassed. It is being co-opted as an instrument of legitimisation.


Traditional sanctions screening operates on a name-matching paradigm. It asks whether a given entity appears on a designated list. This approach, while necessary, is structurally insufficient against adversaries who build their strategies around avoiding list-based detection entirely.


What is required is a shift from static screening to behavioural analysis. Firms need the capacity to identify patterns of activity consistent with sanctions evasion even when no designated name is present. This means examining transactional velocity, geographic routing anomalies, corporate structure complexity, and the correspondence between stated business purpose and actual financial flows.


Cross-domain data fusion is the missing capability. Compliance teams typically operate in silos. Sanctions screening, anti-money laundering monitoring and anti-bribery controls function as separate disciplines with separate data sets. These silos are not incidental weaknesses. They are the precise seams that evasion architectures are built to exploit.


A layered corporate structure may pass sanctions screening because the beneficial owner is not designated. The same structure may not trigger anti-money laundering alerts because individual transactions fall below reporting thresholds. It is only when sanctions intelligence, corporate registry data, transaction monitoring output and adverse media screening are fused into a single analytical picture that the evasion architecture becomes visible.


RUSI’s research on illicit finance has consistently argued that the UK’s response requires a shift toward a whole-system intelligence model. Financial crime data must be treated not as the property of individual compliance functions but as a shared analytical resource. Without this integration, the compliance architecture will continue to offer sanctioned actors precisely what they seek: a system that validates each component of their deception in isolation.


Implications for firms


The consequences for regulated firms are significant. The analytical shift described above cannot remain theoretical. It demands investment in technology that supports network analysis and anomaly detection, and in specialist expertise: analysts who understand how sanctioned actors structure evasion, and frameworks that enable cross-functional intelligence sharing across compliance disciplines.


No single firm can solve this alone. The evasion networks described in this article span jurisdictions, institutions and asset classes. Effective countermeasures require public-private collaboration of the kind piloted by the UK’s Joint Money Laundering Intelligence Taskforce (JMLIT) and echoed in similar initiatives across the EU and the US. Cross-domain data fusion, the integration of sanctions intelligence with transaction monitoring, corporate registry data and open-source analysis, must become an operational reality rather than a conference talking point.


The regulatory direction is clear. OFSI has signalled, through both its enforcement actions and its updated guidance, that it expects firms to demonstrate control effectiveness, not merely control existence. The FCA’s thematic reviews of sanctions controls have emphasised the importance of comprehensive risk assessment that accounts for indirect exposure.


Firms that continue to treat sanctions compliance as a screening exercise expose themselves to enforcement risk and reputational damage. More critically, they risk facilitating the very activity the sanctions regime was designed to prevent.


The architecture must become intelligent


Sanctions evasion cannot be solved by building higher walls. The actors who evade sanctions do not go over the wall. They walk through the gate, presenting credentials that the system has been taught to accept.


Countering the countermeasures requires a fundamental reorientation: from detection by name to detection by behaviour, from compartmentalised controls to unified intelligence, and from procedural adequacy to genuine operational vigilance.


The architecture of compliance was built to serve the architecture of trust. When that architecture is turned against itself, the response must be not to abandon it but to make it intelligent enough to recognise the deception.

 

Is your sanctions compliance architecture equipped to detect the evasion strategies that screening alone will miss?


At OpusDatum, we work with firms to move beyond static screening toward intelligence-led sanctions compliance. Our advisory services support the development of behavioural detection frameworks, cross-domain data integration strategies and control effectiveness assessments that reflect the realities of modern sanctions evasion.


Contact us to discuss how we can support your firm’s approach to sanctions intelligence.


For further insight into how payment chain transparency and the Wire Transfer Regulation intersect with sanctions risk, visit the OpusDatum WTR Knowledge Hub.
