Cyber risk management: Sanctions evasion in the cyberspace

With the advancement of technology, government agencies and law enforcement have adapted their operations to align with the increasingly digital environment. Criminals have also evolved their tactics using ransomware, virtual currencies, and exploiting vulnerabilities in digital networks. A 2023 U.S. Federal Bureau of Investigation (FBI) Report highlighted a 22% increase in losses from cybercrime in 2023 compared to 2022, amounting to a staggering $12.5 billion USD in losses.

The rise and accessibility of AI (artificial intelligence) has lowered the barrier for entry in cybercrime and provided cybercriminals with a new weapon to facilitate illicit activity. In May 2024, the FBI issued a warning about the escalating threat of illicit actors using AI to “conduct sophisticated phishing/social engineering attacks and voice/video cloning scams”. The enhanced capabilities of AI has, for instance, enabled criminals to create lifelike deep fakes and realistic voice messages to defraud victims.

However, cybercriminals are not limiting themselves to fraud scams; they may also be using cyberspace to evade sanctions. Moody’s screening solution highlights the rise of cybercrime (CYB) and watchlist (WLT) related events from 2019 to 2024. Although watchlist events decreased in 2024 compared to 2023, they remain elevated compared to the number of events before the advent of the Russia/Ukraine war in 2022.

Given the economic isolation created by current international sanctions, cybercrime has become an effective and lucrative revenue option for bad actors, allowing them to continue committing financial crimes in a clandestine manner. In February 2025, the FBI alleges North Korean hackers, thought to be working on behalf of their government, stole $1.5 billion USD in cryptocurrency from Bybit, the world’s second largest cryptocurrency exchange, making it the largest crypto hack on record, according to the Cable News Network (CNN).

North Korea’s intensified attempts to circumvent international sanctions via cyber technology are indicative of larger, global trends around cybercrime and sanctions evasion. Sanctioned jurisdictions resort to a broad range of elaborate cyber activities to access the global financial system.

In December 2023, the U.S. Government Accountability Office released the Agency Efforts Help Mitigate Some of the Risks Posed by Digital Assets report, highlighting the threat digital assets can pose in relation to sanctions evasion. Digital assets may offer criminals a level of anonymity when conducting transactions by using privacy coins. Virtual currencies can also be the payment of choice for bad actors on darknet marketplaces.

Marketplaces on the darknet regularly accept virtual currency as payment for a variety of illegal services and goods, providing criminals an avenue to exchange their ill-gotten gains and potentially aid sanctions evasion. Darknet marketplaces like Hydra, which was sanctioned by the US in April 2022, offer criminals access to hacking services and software, stolen personal information, counterfeit currency, stolen virtual currency, and illicit drugs according to the US Department of the Treasury.

According to blockchain analytics company Chainalysis, approximately 61% of illicit crypto transactions originated from sanctioned or terrorist-linked entities in 2023. Other commonly used sanctions evasions techniques in the cyber realm include:

• Exploiting virtual assets via ransomware or other cybercrimes.
• Using cryptocurrency tumblers to obfuscate funds by mixing transactions with others to make tracing more difficult.
• Using VPNs (Virtual Private Networks) to conceal an entity's location in a sanctioned country when making transactions.
• Using ransomware to coerce and demand cryptocurrency payments that may be used to support the activity of sanctioned parties.
• Falsifying identities to achieve otherwise legal employment under global freelance IT contracts, either working remotely or abroad.

Enforcement actions by the Office of Foreign Assets Control (OFAC) can provide insights into their priorities. Businesses can learn valuable lessons from the OFAC’s settlement agreements while developing their own sanctions compliance capacities and readiness. Sanctions compliance, according to Moody's, typically involves sanctions screening during rigorous customer or supplier due diligence, transaction monitoring, and ongoing risk assessments to ensure clients, suppliers, and general stakeholders are not involved in any prohibited activities—a crucial component of broader Know Your Customer (KYC) and anti-money laundering (AML) efforts.

Since 2021, the U.S. Treasury has remained focused on the virtual currency space. There have been at least five OFAC settlements with companies involved in virtual currency services, demonstrating their commitment to virtual currency financial crime compliance. This includes a record $968 million USD settlement with a company responsible for approximately 60% of all global virtual currency spot trading.

In 2022, another virtual currency exchange settled with OFAC for $362,000. The firm was subject of an OFAC enforcement for its violations of Iranian sanctions programs. Their geolocation controls failed to block users in Iran–a comprehensively sanctioned jurisdiction. To rectify this problem, it employed an automated IP address blocking for sanctioned jurisdictions, in addition to blockchain analytics tools to assist with its sanctions monitoring. This case demonstrates the necessity of robust sanctions compliance program and showcases the need for advanced IP screening protocols.

Exposure to sanctions will vary by business; however, certain industries carry higher risk. According to the Financial Crimes Enforcement Network (FinCEN) riskier industries include shipping, financial services, pharmaceuticals, telecommunications, gaming, energy, and virtual currency. Companies with international supply chains, payment platform companies, and businesses that employ freelance developers should be aware of the following red flags that can indicate cyber-enabled sanctions evasion:

• Transactions are initiated from risky IP addresses or accounts
  These can include Belarus, Russia, jurisdictions identified by FATF with AML deficiencies such as North Korea, Iran (also subject to comprehensive geographic sanctions) and Myanmar, sanctioned jurisdictions, or IP addresses previously flagged as suspicious.
  
  
• Frequent money transfers or requests for payment in cryptocurrency
  Use of digital payment services could indicate a customer is attempting to disguise the ultimate destination of funds.
  
  
• A customer’s transactions are connected to virtual currency or exchange with an address listed on OFAC’s Specially Designated Nationals (SDN) list
  In 2021, OFAC designated a Russian virtual currency exchange. According to the U.S. Department of Treasury’s investigation, nearly 40% of the exchange’s transactions included illicit and sanctioned actors.
  
  
• Inconsistencies in a freelancer’s or a client’s personal information including name, nationality, work history, etc. and/or limited digital footprint
  Errors, limited details, inconsistencies, and/or frequent changes regarding name spelling, nationality, claimed work location, contact information, educational history, work history, and other details across a developer’s profiles, including social media, external portfolios, or on payment platforms, may suggest a sanctioned entity attempting to conceal their identity.

The advancement and evolution of technology and cybercrime, and its increasing interconnection to sanctions evasion has challenged governments to re-evaluate how they monitor illicit activity in the digital domain. Sanctioned entities have benefited from the relative anonymity, cross-border functionality, and ambiguity of cyberspace, allowing them to attempt to evade sanctions. Does this call for new security measures to change the way risks are managed? 

As sanctions continue to play a crucial role on the global stage, Moody’s sanctions and cyber risk solutions support clients to assess the risk of doing business with sanctioned entities and cyber criminals.

Sanctions collection

Moody's can help organizations develop insights into the connections between various entities and maintain a robust view of sanctions and watchlists from around the world with international coverage. Moody’s combines timely sanctions data with ownership and control information. Updates to sanctions lists are made available to clients within one business day following their release. Moreover, Moody's compliance and third-party risk management sanctions solutions extend beyond lists by mapping out networks of ownership, control, and association, in addition to providing ongoing monitoring and a complimentary exposure check.

Sanctions Connect

Moody’s screening solution offers Sanctions Connect, a premium dataset that shows relationships between corporate structures and individuals to support compliance with sanctions by extension rules such as OFAC’s 50 Percent Rule and the EU’s “control” rule. Sanctions data is updated frequently, and clients benefit from proactive monitoring that delivers alerts that flag when they may be exposed to sanctions modifications.

Sanctions Connect

• Promptly highlights relevant link(s) to a sanctioned entity
• Displays details of the nature of the relationship, including a narrative description, ownership percentage, and relevant links to other sanctioned profiles
• Lists affiliated entities such as board members, senior officials, and subsidiaries
• Lists personal relationships such as close affiliates and relatives

Cyber risk

An interconnected, complex digital landscape exposes organizations to cyber threats—which pose financial, technical, reputational, and operational risks. In collaboration with Bitsight, Moody’s has enhanced its integrated risk assessment capabilities by incorporating Bitsight’s advanced cyber risk analytics in Maxsight. 

Bitsight’s cybersecurity ratings offer an evidence-based measure of cyber risk performance to help organizations identify, quantify, and mitigate cyber-related vulnerabilities. Users can better understand the likelihood of a breach or ransomware attack, strengthen risk management strategies, reduce cyber risk exposure, and build greater resilience.

Business activity intelligence

Uncovering the culprits involved in nefarious acts is a critical challenge for cybercrime investigators. Thankfully, bad actors leave digital footprints, or signals, in public records, which investigators can use. Maxsight™ Investigations, powered by Moody's extensive business activity intelligence (BizINT) on individuals and entities, can help law enforcement and organizations detect, track, and understand bad actors’ activities. Leveraging advanced analytics to reveal hidden connections and patterns, users can use BizINT to respond more effectively to cyber incidents.  

Virtual currency

As virtual currencies have grown in popularity and acceptance, Moody’s screening risk code – VCY – captures information assembled from publicly available lists and open-source research of virtual currency-related entities such as crypto exchanges, crypto casinos, crypto custodians, and other categories. This risk code, rather than emphasizing adverse media, highlights the existence of these entities which could be inherently risky in nature.

Cybercrime

Moody’s screening risk code – CYB – captures a broad range of events related to crimes committed digitally or with a computer, including virtual currency-related crimes, cyberstalking, hacking, phishing, internet scams, and other cybercrimes.  

To find out more about how Moody’s compliance and third-party risk management solutions can help support your business, please contact the team any time – we would love to hear from you.