The Royal United Services Institute has published a stark warning: rogue states are using artificial intelligence to automate sanctions evasion and proliferation financing at a speed and scale that overwhelms existing enforcement.
The report, "Algorithms of Evasion," cites North Korea and Iran as the primary actors. The Lazarus Group, North Korea's primary cyber unit, has deployed AI to generate high-quality forged passports, corporate documents and shell company paperwork. Iran has used similar tools to obscure financial flows and layer transactions through cryptocurrency.
The scale of the threat is concrete. North Korea stole $1.5 billion from the cryptocurrency exchange Bybit in 2025 using AI-generated documents to defeat biometric checks and manual compliance reviews. The operation succeeded because AI could produce documents faster than compliance teams could verify them.
The mechanics are straightforward. Generative AI can create convincing identity documents, corporate registrations and bank statements. Autonomous agents can then run portions of an operation—opening accounts, moving money, registering shell companies—without direct human control. By the time compliance staff identify one fraudulent transaction, the AI has already initiated dozens more.
RUSI argues that AI is not inventing new evasion tactics. Instead, it is automating and scaling existing ones. Forged documents, shell companies and cryptocurrency mixing have long been tools of sanctions evasion. What is new is the speed and volume. Manual forgery takes time. AI forgery takes seconds and can generate infinite variations.
The enforcement gap is widening. Static biometric checks fail against deepfakes. Manual Know Your Customer (KYC) reviews cannot process the volume of accounts created by automated agents. Banks lack tools to detect synthetically generated identities.
RUSI proposes three measures: clearer regulatory rules allowing banks to deploy AI counter-proliferation tools, updated KYC procedures trained to spot deepfakes and synthetic identities, and a "compute-KYC" requirement for cloud providers to monitor large-scale GPU rentals that could indicate AI training for fraud.
Related reading
- Trump administration prepares AI security order to require 90-day pre-release model sharing
- Anthropic opens the door on Mythos cybersecurity findings
- OpenAI is outmanoeuvring Anthropic on cyber diplomacy, and Europe is the prize
The underlying tension is unavoidable. Rogue states now have the ability to scale evasion faster than regulators can build detection systems. The only solution is regulatory speed. Banks need permission to use AI defensively. Regulators need updated tools and real-time visibility into cloud computing activity that enables the threat.
RUSI's core argument is that delay is surrender. Every month regulators wait to implement new standards, adversaries gain more capability to outpace enforcement.
