Cryptocurrencies and U.S. Sanctions Evasion: Implications for Russia

A current risk in today’s trade ecosystem is that countries leverage cryptocurrencies to circumvent U.S. sanctions. Cryptocurrencies are digital currencies that are not backed by central banks and are also traded outside the international banking system. In crypto transactions, individuals’ accounts, or wallets, are encrypted through alphanumeric aliases and are validated by a decentralized network of users, rather than financial intermediaries. Due to their deregulated and decentralized nature, cryptocurrencies can be a useful tool to circumvent the global domain of the dollar.

Q1: What features of cryptocurrencies make them suitable for sanctions evasion?

A1: Cryptocurrencies are a powerful tool for sanctions evasion for two main reasons: transactions are (1) not processed by commercial banks and (2) vulnerable to cyberattacks.

Absence of Commercial Banks

Commercial banks are often key to sanctions enforcement because they track the source of money and check whether individuals or companies appear on entity lists. In contrast, cryptocurrencies are exchanged through encrypted transfers between wallets. Wallet ownership is encrypted by a two-key mechanism: transfers require a public key, which is the address of the wallet, and a private key, which works as a password. Both keys are alphanumerical codes.

Moreover, wallets can be either custodial (managed by crypto-asset service providers, or CASPs) or noncustodial. There are two key differences. First, owners of custodial wallets outsource their private keys to CASPs, whereas both private and public keys of noncustodial wallets remain in the hands of individuals, who transfer money via peer-to-peer (P2P) transactions. By working as an intermediary platform, CASPs also require users to disclose their bank’s information for identification; in contrast, noncustodial wallets do not require the outsourcing of trust to any institutions. Second, transactions between custodial wallets are not stored on the blockchain until the funds are withdrawn from CASPs, whereas P2P transactions are immediately registered on the blockchain.

However, CASPs’ enforcement mechanisms are not as advanced as those of commercial banks. In theory, CASPs are bound by the same identification rules as banks, but their less orthodox control methods remain a blind spot when it comes to payers’ identification. Regarding non-custodial wallets, sanction controls become even more difficult because P2P transfers register only some details of the transaction on the blockchain (e.g., number of coins, time, and encrypted aliases). After lengthy reviews, regulators could potentially trace ownership of noncustodial wallets by connecting the details of those transactions to payers’ IP addresses. However, this option can be preempted through cyberattacks.

Vulnerability to Cyberattacks

Blockchain and CASPs’ vulnerability to cyberattacks facilitate illegal transfers of money. Blockchains include a series of “blocs,” each of them enclosing a series of transactions that are added to the chain upon validation. A decentralized network of validators, or miners, approve cryptocurrency transfers in lieu of commercial banks by solving complex mathematical problems (proof-of-work method) or locking up their own coins in the respective blockchain (proof-of-stake). Miners receive a reward in cryptocurrencies after validating transactions, which is also how new coins are created. The amount of money, time, and knowledge required to validate transactions and “mine” new coins is designed to bar hackers from faking or duplicating coins.

Nevertheless, blockchains are vulnerable to hacking attacks due to secondary vulnerabilities. If hackers take control of 51 percent of blockchain computational power, also known as hash rate, they can modify or alter the details of transactions that have not been validated yet. Second, hackers can exploit so-called cross-chain bridges. When users transfer coins across two blockchains, hackers steal the funds before they land on the new chain by creating fake deposits that are then validated in lieu of the real ones. This technique was recently used to hack Binance, the world’s largest CASP, resulting in the loss of $570 million.

Most importantly, cyberattacks are essential to gain full anonymity in P2P transactions. Under normal conditions, P2P cryptocurrencies transfers are encrypted, but not fully anonymous. As mentioned above, authorities can identify payers thanks to the details and encrypted aliases stored on the blockchain by connecting transactions to personal computers via IP addresses. However, by masking or altering that information from the blockchain before validation, cyberattacks allow for illegal money transfers without the risk of detection.

With respect to CASPs, fraud is even easier. Since CASPs hold custody over users’ private keys, hackers can easily access multiple wallets (and the coins therein) by simply hacking the underlying CASP system linked to users’ wallets.

Q2: How have countries used cryptocurrencies to evade sanctions?

A2: Iran and North Korea have used cryptocurrencies to circumvent U.S. sanctions in direct and indirect ways: paying for imports and making up for their revenues lost due to sanctions.

Countries can use cryptocurrencies to pay for imports as transfers are not processed through the conventional payment systems. Iran, the most sanctioned country before Russia’s invasion of Ukraine, legalized cryptocurrency payments for its imports to circumvent sanctions. Iran has been under a U.S. sanctions regime for nearly 40 years, and today, a foreign company conducting trade with Iran will likely face penalties if the transfers involve dollars or if a U.S. citizen works in that company. Against this backdrop, Iranian mines and trade minister Reza Fatemi Amin permitted the use of cryptocurrencies and smart contracts to pay for imported goods to avoid using the dollar and circumvent sanctions. In early August 2022, the country made its first official cryptocurrency imports order worth $10 million, although information about the currency and type of goods involved in the order remains vague.

Cryptocurrencies can be used to make up for countries’ lost revenues through cyberattacks. Since 2006, U.S. and UN sanctions have targeted specific North Korean exports such as luxury goods, chemicals, and coal, primarily used by Pyongyang to finance the Kim regime’s nuclear activities. North Korea has recovered some of its revenues by hacking cryptocurrency wallets and eventually laundering the stolen funds through crypto platforms. For instance, the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group, utilized Tornado Cash, a platform that mixes coins to mask their origins, to launder the proceeds of its cybercrimes. Since 2015, North Korea's cyberattacks have generated over $1 billion for the regime. A simpler method, recently used by two Iranian hackers, would be hacking companies’ computer networks or systems and extorting payments in cryptocurrencies to unlock them.

Another way to make up for revenues lost due to sanctions is bitcoin mining. As U.S. sanctions have hampered Iran’s oil exports, Tehran now utilizes its oil surplus to supply electricity for bitcoin mining hubs and gain revenues from it. In 2020, Iran hosted around 4.5 percent of global bitcoin mining, amounting to annualized revenues worth $1 billion. The electricity required for bitcoin mining equates to 10 million barrels, namely 4 percent of total Iranian exports in 2020.

Q3: What does this mean for Russia?

A3: Although Moscow may not be able to use cryptocurrency to fulfill its imports demand, newly developed hacking techniques and Russia’s leadership in mining would allow the Kremlin to use cryptocurrencies to make up for its lost revenues.

Russia would not be able to emulate Iran’s strategy because global cryptocurrency liquidity would not suffice, given the volume of Russia’s imports. In March 2022, CSIS experts explained how Russia could not use cryptocurrencies to meet its imports demand due to limited ruble-to-bitcoin convertibility. Similarly, many crypto stakeholders told the Washington Post that the $2 trillion crypto market is too small to meet Russia’s financial needs. Moreover, Russia’s import demand is almost 10 times greater than that of Iran ($602.7 million compared to $69.3 million a day in 2020), meaning that cryptocurrencies would have to become the medium of exchange for a much larger basket of goods for Russia to cover its sanctioned imports. Russia’s trading partners, however, would be reluctant to accept that, as bitcoin remains disproportionally underutilized: globally, daily bitcoin transactions represent only 0.625 percent of daily SWIFT transactions. On top of this, after the November 2022 crash of the cryptocurrency market, cryptocurrencies’ high volatility remains a deterrent for macro-scale operations.

Russia may use cryptocurrencies to make up for its lost revenues and finance the war in Ukraine. In March 2022, CSIS argued that cryptocurrencies would account for a marginal role in Russia’s mitigation strategy because payers’ pseudonyms can be debunked by connecting transfer details to IP addresses. Nevertheless, in September 2022, Russian hackers developed new ransomware techniques that could hide transfer information from the blockchain, undermining traceability. Should aliases and transfer logs disappear from the blockchain, authorities would no longer be able to trace Russian companies trading with the regime and flows of cryptocurrencies to Russia.

These techniques apply especially to noncustodial wallets. Whereas CASPs require users’ ex ante identification, noncustodial wallets only communicate via payers’ encrypted aliases. For example, after Russia’s invasion of Ukraine, CASPs like Coinbase and Binance blocked the wallets of Russian individuals under U.S. sanctions. However, noncustodial wallets remained “beyond the reach of the authorities.”

On a final note, Russia is the third-largest country for mining of bitcoin, and it surely has no shortage of natural resources. As a matter of fact, gas-powered mining hubs are gaining momentum in Russia; after the invasion of Ukraine, Russian gas giant Gazprom entered a partnership with Bitriver, the largest bitcoin mining service supplier, to supply flare gas to Bitriver for its mining activities.

Q4: What have the United States and its allies done to monitor the illegal use of cryptocurrencies?

A4: The European Union and the United States have taken initiatives to combat the illegal use of cryptocurrencies. In March 2022, President Biden signed an executive order calling for measures to protect U.S. consumers and mitigate the risks of illegal finance. Following the executive order, the Biden administration released its first-ever regulatory framework for digital assets in September 2022. The salient items of the framework on illegal finance include (1) calling on Congress to extend the scope of the Bank Secrecy Act and anti-tip-off statues and laws against unlicensed digital asset exchanges and nonfungible tokens, and (2) requesting that the Department of the Treasury conduct an assessment on decentralized finance by the end of February 2023.

However, the regulatory approach to cryptocurrencies in the United States remains fragmented. The Department of the Treasury banned Tornado Cash in the United States in August 2022. President Biden is also considering instructing the Department of the Treasury to conduct an assessment on decentralized finance by the end of February 2023. On Capitol Hill, two bills have been introduced to address stable coins and digital commodities, but nothing tangible has been achieved so far. For instance, the Digital Consumer Protection Act, recently introduced in the Senate, seeks to empower the Commodity Futures Trading Commission (CFTC) with jurisdiction over cryptocurrencies. However, the Securities and Exchange Commission (SEC) is also seeking leadership in U.S. digital assets regulation. The dilemma is whether cryptocurrencies fall under the definition of securities, regulated by the SEC, or commodities, whose jurisdiction falls under the CFTC. In the meantime, cryptocurrency regulation remains in the air.

Because of Congress’s lack of action thus far on cryptocurrencies, reports from the Financial Stability Oversight Council constantly urge Congress to pass legislation regulating digital assets due to their inherent risks. Similarly, the Department of Treasury published in September 2022 an account of the chief implications of crypto assets for U.S. customers and companies.

The European Union is at a more advanced stage in cryptocurrency regulation, and its landmark legislation proposal guarantees a more unified and all-encompassing approach. On October 10, 2022, the European Parliament Committee on Economic and Monetary Affairs passed the Markets in Crypto-assets (MiCA) regulation. The bill is moving to the full European Parliament, which is unlikely to resist it after it was approved by the European Council on October 5, 2022.

The MiCA act pioneers new regulatory spheres for cryptocurrency exchange platforms, such as prevention of money laundering, consumer protection, CASP accountability, environmental concerns, and stable coins regulations (cryptocurrencies pegged to real currencies). The act will introduce new stringent policies, including

  1. the ban of any interaction between private wallets and wallets managed by CASPs,
  2. the ban of any interaction between EU CASPs and non-supervised CASPs, and
  3. identity verification anytime an EU CASP receives €1,000 ($975.16) from a private wallet.

Crypto companies will be granted 18 months to adjust to the new regulations and will be supervised by the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA).

Q5: Are the European Union and United States working together to develop joint standards for combating illicit activity via cryptocurrencies?

A5: There seems to be little coordination across the Atlantic on cryptocurrency regulations. Mairead McGuinness, the European commissioner for financial services, has urged the U.S. Congress to increase efforts to pass cryptocurrencies regulations in the United States, even if they are not aligned with those of Brussels. Risks are high and demand immediate action. Congress’s stalemate may also become a source of frustration for the Department of the Treasury, which has plainly shown commitment to working with foreign countries to address financial threats.

Thus, the plethora of definitions and standards in the MiCA, compared to the piecemeal approach of the United States, may result in Brussels’ leadership in global cryptocurrencies regulation. However, this outcome would be anathema to Washington for two main reasons. First, much of the disenchantment in today’s transatlantic affairs derives from disagreement on digital regulatory approaches. For instance, the Digital Markets Act and Digital Services Act have been perceived as damaging U.S. digital companies in Europe. Second, disagreements over the EV tax credit in the Inflation Reduction Act have already jeopardized the entente across the Atlantic. Against this backdrop, ensuring EU-U.S. alignment on cryptocurrencies is important given the current frictions in transatlantic regulatory convergence.

Overall, as cryptocurrencies offer a viable solution to circumvent the force of sanctions, the United States and the European Union should cooperate on finding a unified and immediate approach to preempt the use of digital assets for sanctions avoidance, especially by Russia.

William A. Reinsch holds the Scholl Chair in International Business at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Andrea L. Palazzi is an intern with the Scholl Chair at CSIS.

Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.