March 04, 2020

Busting North Korea’s Sanctions Evasion

North Korea is the most sophisticated, creative, and dangerous actor when it comes to stealthy and skillful methods of financing illicit nuclear and missile proliferation. While North Korea’s Supreme Leader has outwardly professed a desire for reduced tensions on the Korean peninsula and a new relationship with the United States, he has overseen a vast criminal enterprise unrivaled in its efforts to evade financial controls, primarily financial sanctions, meant to limit North Korea’s access to funds for bomb building. The United Nations Panel of Experts, a group of independent analysts charged with cataloging violations of the sanctions, has documented the sophisticated emerging technologies and global network of agents that North Korea uses to outpace all other global organized criminal groups, authoritarian kleptocrats, and sophisticated transnational money launderers.

The Problem is Growing

North Korea raises money to support its nuclear and ballistic missile programs in various ways. Some methods are relatively new, even for seasoned North Korea watchers, and exploit countries and economic areas where there is very little, or absolutely no, awareness about their exposure to North Korean illicit activity.

  • The Kim regime maintains a sophisticated offensive cyber capability, which it uses to steal financial resources and move money around the global banking system. In the past, hacking groups credibly linked to North Korea have successfully penetrated central banks, cryptocurrency exchanges, and some of the largest corporate banks in the world. The United Nations North Korea Panel of Experts has accused North Korea of stealing up to $81 million from Bangladesh’s Central Bank and laundering the money through casinos in the Philippines. These North Korean criminals have also hacked ATMs in more than 11 countries, stealing hundreds of millions of dollars. Other North Korean–linked entities have sold information technology services, including website and application development services, to firms around the world as a strategy to covertly raise funds for Pyongyang’s illicit aims. Financial institutions are often reluctant to admit that they have been hacked, which makes it difficult for the financial community to absorb lessons learned and harden institutions against future intrusions. Conversely, governments, including the United States, suffer from poor interagency coordination and a lack of institutional knowledge and awareness of North Korea’s malicious cyber activities. Most high-level U.S. policymakers and members of Congress lack basic familiarity with the underlying technology and North Korea’s cyber heist and hacking activities, which makes developing policy and regulatory proposals to counter it difficult. This ignorance is coupled with a government aversion to sharing useful information with the private sector.
  • North Korea conducts illicit ship-to-ship transfers of energy resources in violation of United Nations sanctions. The transfers include the import of refined petroleum products, which serve as essential inputs for North Korea’s domestic economy. North Korea also exports coal, including to United Nations Security Council members China and Russia, in violation of the sanctions. An international network of shipbrokers, trading companies, and maritime operators aids North Korea in these efforts. Much of this activity takes place in international waters, making it difficult for the United States and its partners to shut down such activity completely.
  • North Korean laborers have long operated worldwide, in violation of United Nations Security Council Resolutions enacted in 2017 to curtail such activities. At the peak of North Korean laborers working abroad, 100,000 workers generated about $2 billion a year for the regime. The majority of workers had been concentrated in Russia and China, which the United States has frequently accused of lax enforcement. A deadline for repatriating all North Korean laborers came and went in December 2019, with reports suggesting that these workers continued to be employed in these countries. Future United Nations Panel of Experts reports will likely highlight continuing violations of the rules against employing North Korean overseas laborers.

All told, these strategies potentially deliver hundreds of millions to billions of dollars to North Korea. (United Nations estimates of cyberactivity alone state the total proceeds could be “up to 2 billion,” although the methods North Korea uses make it difficult for analysts to say with certainty that North Korea’s hackers have been able to move all of that money back to Pyongyang.) Through organized and persistent sanctions evasion, this rogue nation has shown the world that it is possible to sustain and continue to develop its nuclear weapons capability in the midst of severe economic constraints. Indeed, the broad nature of the sanctions regime is moving Pyongyang to successfully invest significantly more resources to improve and diversify its revenue generating and financial movement strategies. North Korea is gaining major ground in its use of cyber technologies to finance and conduct illicit operations because the international community is so weak at developing countermeasures in the cyber sector.

As for the tradecraft North Korea uses to stay miles ahead of global banks, companies, and regulators, the regime relies on technological tools of the trade as well as networks of trusted agents that constantly update aliases, shell companies, and front men. The Office of Foreign Assets Control (OFAC), the agency that leads sanctions implementation and enforcement for the U.S. government, works hard to keep up. It regularly discloses new aliases for North Korean proliferation agents, as well as new individuals engaged in this activity. The Financial Crimes Enforcement Network (FinCEN), the Financial Intelligence Unit of the United States, has also distributed advisories on North Korean typologies for illicit fundraising. But it is impossible for federal offices to collect, declassify, and publicly disclose the full array of North Korean sanctions evaders and proliferation fundraisers. Also, by the time that the U.S. government names them in formal sanctions actions, the North Korean agents have changed aliases, locations, and front companies.

Nevertheless, this information disclosure is important, not least because it makes painfully clear that North Korea never paused aggressively fundraising for its nuclear and missile programs when Chairman Kim and President Trump met in Singapore in June 2018. Though they may have committed to a diplomatic process, which included pledges of temporary freezes in bomb and missile testing, North Korea’s track record over the last few years demonstrates that it never intended to halt its race for a bigger and more lethal nuclear arsenal. A significant problem in the current environment is the inadequate international control regime to spot and stop North Korea’s money trail, particularly its blind spot on North Korea’s malicious, highly active, and unfortunately very successful cyber and information technology activities.

Given all of these challenges, is it even possible to halt the financing of proliferation by this dangerous nuclear state?

As a theoretical legal and regulatory matter, the answer is yes. However, such an effort would require two exceedingly difficult-to-achieve goals for every country. It must be every country because universal enforcement is essential to avoid circumvention and dodging by North Korea. The requirements are:

  1. real, high-level political will, and
  2. greater technical capacity to implement and enforce U.N. sanctions and other financial controls on North Korea and North Korean-linked entities.

The international community cannot allow the daunting challenge of making true progress in impeding North Korea’s illicit money trail to be an excuse for inaction. A small cadre of innovative thinkers from the financial industry and law enforcement community are figuring out targeted strategies for better catching North Korean financing of proliferation, notwithstanding today’s deficit of political will and technical capacity. Scaled up, these strategies could have an outsized impact in catching North Korean criminals and proliferators. Moreover, a handful of well-placed policy shifts in leading economies, starting in Washington, D.C., can also have a big effect.

What’s the Plan?

We know that the challenges are large. So, what’s the plan?

First, the international community must more accurately diagnose the problem. How is North Korea raising and moving money right now? Some bank compliance officials describe the effort to answer this question as looking for a needle in a stack of needles. Essentially, they suggest that scanning hundreds of millions of financial transaction records and pieces of client data against sanctions blacklists, and the known aliases for the blacklisted North Koreans, is a fool’s errand.

But other compliance officials in banking, global shipping, manufacturing, and insurance think the way to spot North Korean footprints lies in getting away from list-checking. They are pioneering approaches to create big lakes of data and sophisticated algorithmic methods, improved by machine learning and overseen by expert humans, to hunt down, and ultimately spot in real time, North Korean patterns of activity. Policymakers can augment these with declassified intelligence and produce shareable reports to inform other governments and companies also tracking proliferation finance. Analysts describe these efforts as exercises in behavioral analytics, trained on tracking North Korean financial footprints. And this work can create a feedback loop for national governments and the private sector to respond to the threats.

A few pathbreaking global firms are putting into practice these behavioral analytic models for tracking North Korean proliferation. They run into significant problems coping with data privacy rules that make it difficult to share data across borders and between institutions. Also, they cope with the skepticism of financial regulators and supervisors who are slow to get comfortable with these new analytics and require a lengthy process to validate computer models. This slow and skeptical approach can be a drag on innovation and creative strategies to catch North Korean proliferators.

Regulators are right to be cautious and to demand that companies rigorously protect themselves and their customers from North Korean abuse. No global company should let up on sanctions pressure on North Korea for as long as the rogue regime presents a proliferation and regional destabilizing threat. But tough regulation and compliance should be compatible with innovative approaches to catching and halting North Korean proliferators.

Along with better understanding the problem, a second element to undercut North Korean financing of proliferation is for policymakers to embrace innovative approaches to tracking illicit finance as a top and public priority. Only through an evident sense of urgency can policymakers make it a top priority for companies. Companies will take their cue from clear, unambiguous law and regulation. Furthermore, if done right, policymakers will create the space for safe information sharing and a culture of collaboration to identify and halt the money trail for the nuclear threats emanating from North Korea. Dialing up the ingenuity through new policy approaches for identifying and sharing information on financing of proliferation is essential to stop North Korea’s money trail. In fact, it might be the only real path for progress when the diplomatic process between the United States and North Korea has stalled out and against the backdrop of Kim’s threats of renewed provocations.

The right policy should:

  • Encourage private sector innovation, including with new technology tools, to track North Korean money patterns;
  • Create more mechanisms and legal guidance for companies and governments to share information around North Korean and proliferation finance threats; and
  • Encourage an environment where companies know they can come forward to disclose information and be held harmless if they act in good faith and undertake serious efforts to block, tackle, and guard against any North Korean money flows.

Cultivating this kind of creative and innovative approach by the private sector to lead on new counterproliferation financing strategies may be the only way for policymakers to spur a real shift in this work. It could have a very helpful demonstration effect with other financial institutions and companies and, ultimately, make financial restrictions on North Korea more effective. U.S. policy leaders should conceive of policy incentives and guidance to nudge global banks and companies to look through financial records for North Korean behavior rather than just for names. They should also create secure facilities to share tips and data, building a global financial net that North Korea will struggle much harder to pass through.

These efforts would go a long way to strangling North Korea’s proliferation cash flow. Significantly, this would deliver a positive demonstration effect even beyond North Korea. Other countries and proliferators are watching North Korea outrun sanctions and see the United States’ and others’ inadequate policy leadership to combat the financing of proliferation. Making it easier for regulators, intelligence officers, and law enforcement agents to more effectively combat the financing of proliferation will give them the tools and policy incentives to also more effectively combat other forms of illicit financing as well.

Policy Recommendations

The United States can work with the private sector, allies, and partners to combat North Korea’s financing of proliferation. The United States should:

Align incentives for more creative network analysis. Congress, through its legislative oversight of the financial services industry, as well as its support and guidance for federal and state prudential regulators, needs to incentivize banks and companies to build behavioral analytics into their compliance work to see and stop North Korean proliferation finance. This effort needs to be multilayered: it should change examination requirements so that financial institutions score well on exams when they embrace cutting-edge technologies; provide tax incentives to invest in the next generation of compliance technology; and craft legal mechanisms that allow law enforcement to show a real commitment to hold harmless financial institutions if they make good-faith efforts to uncover their own customers’ illicit activity. This incentivizing posture is important because even banks who are aware of their specific legal obligations regarding North Korea often find it difficult to invest significant resources in new technologies and new techniques without government pressure to do so. So long as regulators emphasize (and grade financial institutions on) a rules- and sanctions list–based approach to screening North Korean–related transactions, the financial institutions will not find it worth it to bring in the next generation of investigative techniques.

Establish an OFAC Exchange. The Financial Crimes Enforcement Network (FinCEN) Exchange facilitates voluntary information sharing among financial institutions under the auspices of the 314(b) provision of the USA Patriot Act. Under the program, FinCEN convenes regularly scheduled briefings on a variety of illicit finance threats. FinCEN identifies the topics and invites financial institutions that have volunteered in the program to participate if FinCEN thinks they may have information to contribute.

The Treasury’s Office of Foreign Assets Control (OFAC) should borrow this model for priority sanctions threats, including around North Korea’s sanctions evasion and proliferation financing activity. Financial institutions and other commercial actors could use the opportunity of OFAC Exchange meetings to share red flags and typologies, as well as, if the proper legal framework is in place, customers who appear suspicious but are not themselves on the Specially Designated Nationals list (the sanctions list).

Strengthen information security for central banks and financial institutions. Given the sophisticated nature of North Korean cyberactivity, the United States should lead an international effort to improve the cybersecurity protocols supporting the global financial system. North Korea has set a strong example for other potential proliferation-focused illicit actors to acquire resources for WMD or ballistic missile programs through outright theft of money from a variety of financial institutions. North Korea’s investment in these capabilities is significant, but it has not been matched by many national authorities around the world. The United States should begin by augmenting its own abilities to deal with this wide breadth of cyber activity. The National Security Council should convene a task force with high-level representation from the Departments of State, Treasury, and Homeland Security, as well as the intelligence community. This task force should compile and declassify typologies of North Korean cyber activity so that they can be given directly to vulnerable financial institutions in the United States and abroad. This information should also be disseminated in public advisories. The United States then can extend this body of work to international partners, including through forums such as the G20 or OECD, or a different purpose-built multilateral setting. Such a mechanism could share the fact patterns of cyber-intrusions that investigators have found, identify new security protocols and software, encourage countries which have been found to host cyber infrastructure on behalf of Pyongyang to shut it down, and provide technical assistance to under-resourced jurisdictions.

Provide more updates to guidance, taking into account private sector feedback. The U.S. government has prioritized the public guidance it has given to the private sector to describe sanctions evasion typologies. The Treasury Department, with the State Department and the U.S. Coast Guard, prioritized North Korean typologies and issued maritime guidance in March 2019. Financial institutions regularly offer positive feedback on these guidance efforts. The Treasury Department should issue new guidance documents for other high-priority sectors and update previously published guidance with new related red flags or entities of concern. In the case of North Korea, the Treasury Department should also provide a machine-readable list of entities identified in United Nations Panel of Experts reports.

Offer more regular feedback on SARs (particularly on ones that are not helpful). Suspicious activity reports (alternatively known as suspicious transaction reports) represent an important source of lead intelligence for financial intelligence units around the world. SARs are a cornerstone of anti-money-laundering programs and can point to potential sanctions violations and financing of proliferation activity. Private sector actors who take their compliance obligations seriously invest in procedures to ensure that they provide their respective governments with helpful SARs. However, banks frequently express concern about the lack of feedback they receive on SARs, which makes it hard for them to know if the information they provide facilitates practical action by national authorities. The Treasury Department should explore a feedback mechanism that could communicate the utility around SARs. Given the volume of SARs filed (2.3 million in 2019), it will not be practical for Treasury to respond to all of them, but even more frequent responses would help financial institutions analyze their own data.

Create OFAC evasion reporting database. OFAC should create a database for a new kind of illicit activity report, which would complement the SARs that financial institutions already file to FinCEN. These suspicious sanctions evasion reports (SSERs) would allow any corporate entity around the world to voluntarily report suspected sanctions evasion activity. OFAC could deploy a proof-of-concept model for particularly high-risk sectors, like shipping, that currently do not have a mechanism for formally and directly reporting sanctions evasion or related suspicious activity.

Conduct more dynamic updating of the SDN list. All financial institutions know to screen their customers and their customers’ transactions against the Specially Designated Nationals and Blocked Persons List; it is the basic foundation of any sanctions compliance program. A limitation with the current approach is that changes to the SDN List can be hard for some firms, particularly small ones, to track when it comes to name changes or aliases for individuals and entities. While there are commercial solutions available to this challenge, the Treasury Department could provide a public service by updating the online version of the SDN list to be more easily readable, particularly as it relates to situations where there are individuals or entities for whom OFAC has identified additional aliases, other identifying information, or property controlled by an SDN.

Conduct global coordination on information-sharing. National governments need to work more closely together on aligning legislative and regulatory frameworks to allow seamless sharing of threat intelligence without worrying about violating data-privacy restrictions. These legal prohibitions vary widely and prevent banks from fully leveraging knowledge about their own customers to help their governments respond to this critical threat. This effort would help jurisdictions operating public-private partnerships that allow for information sharing to dramatically increase their impact. Examples of these include the United Kingdom’s Joint Anti-Money Laundering Task Force (JMLIT) and Hong Kong’s Fraud and Money Laundering Task Force (FMLIT).


Taking some of these actions will be very challenging as a political and technical matter. It will involve an overhaul of existing legal and regulatory frameworks and, in many cases, require more money. However, the stark reality of the threat from North Korea dramatically underscores the need to consider substantial reform to safeguard global security. North Korea appears likely to be a formidable threat to the United States and many allies for the foreseeable future.

This effort would be particularly worthwhile to the extent it would deter other states of proliferation concern, like Iran and Syria, who use similar methodologies that exploit similar weaknesses. These recommendations would also insulate the global financial and commercial sectors from states that do not already have WMD programs but may wish to pursue them in the future. And the benefits will continue: spurring creativity and innovation by companies to spot and stop illicit financial activity, as well as more safe information-sharing platforms, will help push back on a broad array of criminal and security threats.

If the U.S. government takes a few brave steps to combat North Korea’s financing of proliferation, whether alongside or in the absence of a diplomatic denuclearization process, it could lead us to a much safer and more secure world.

The recommendations offered in this commentary come out of a half-day workshop the Center for a New American Security convened in partnership with public and private sector experts on North Korea, the financing of proliferation, global banking, shipping, and manufacturing sectors, and international law. CNAS would like to thank, in particular, Kharon, for its partnership in analyzing and convening conversation around the North Korean illicit finance threat.
