AI and Cyber-Enabled Tools Are Changing Sanctions Compliance Risks: Are You Prepared?
Highlights
- Artificial intelligence (AI) is reshaping the global economy and changing the way business is done, with dramatic implications for how companies manage compliance risk. Cybercriminals and other bad actors have new AI and cyber weapons to facilitate illicit activities at a time when U.S. regulators are increasingly focused on combating cybercrime, fraud, extortion and sanctions evasion.
- Recent actions and warnings from U.S. regulators highlight growing risks, including sanctions risks, arising from use of AI-enabled tools, stolen identities, fraudulent online personas and proxy infrastructure by illicit actors for schemes to deceive, defraud and evade sanctions.
- Sanctions are also critical in the efforts to combat these scams – as demonstrated by the U.S. Department of the Treasury's Office of Foreign Assets Control's recent designations targeting information technology worker schemes orchestrated by North Korea and a broad Southeast Asia scam network that stole millions of dollars from U.S. victims.
According to the FBI, cyber-enabled crimes defrauded Americans of nearly $21 billion in 2025, with complaints related to cryptocurrency and AI among the costliest. Illicit actors are among the culprits: A regime based in the Democratic People's Republic of Korea (DPRK or North Korea) used AI and cyber tools in complex data extortion schemes, reportedly generating nearly $800 million in revenue in 2024 alone. Iran-affiliated threat groups have also conducted cyber operations – including spear phishing and social engineering campaigns – targeting government entities, critical infrastructure and private-sector organizations as part of large-scale cyber scam activity. According to a U.S. government estimate, Americans lost at least $10 billion to Southeast Asia-based scam operations in 2024, a 66 percent increase over the prior year.
On March 6, 2026, President Donald Trump issued Executive Order 14390, directing U.S. agencies to more aggressively combat transnational criminal organizations engaged in cybercrime targeting Americans. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN), as well as the U.S. Department of Justice (DOJ) and other law enforcement agencies, are increasingly focused on these risks, and OFAC's cyber sanctions are a powerful tool to combat AI and cyber-enabled schemes by U.S. adversaries. These sanctions also increase the risks for U.S. companies caught in the crosshairs between sanctioned bad actors and increasingly aggressive U.S. regulators.
AI and Cyber-Enabled Sanctions Evasion Tools and Tactics
Illicit actors are increasingly reliant on AI and cyber-enabled tools – using them to generate synthetic documents and identities, create vast networks of synthetic entities complete with digital footprints and add layers of obfuscation that are significantly harder to detect and disrupt with traditional investigative tools. Generative AI allows operatives to generate or edit documents, as well as forge resumes, cover letters, and online personas at scale.
More advanced capabilities – such as deepfake image technology and voice synthesis – can be used to further these deceptions. AI-assisted language tools can be used to communicate more fluently across languages and time zones, obscuring indicators that would otherwise raise suspicion. As a result, these fraud operations have evolved into a highly automated system that can infiltrate multiple companies simultaneously, increasing the speed and impact of various schemes.
Though the financial sector has invested in AI tools to detect such activities – including machine learning screening tools that can identify anomalies that traditional systems miss – AI tools are now being weaponized by U.S. adversaries to increase the scale and reach of illicit activities. At the same time, U.S. regulators are aggressively using sanctions to combat scam operators, freeze stolen funds and pressure financial institutions to identify, prevent and report illicit activity. These increasing risks and scrutiny have raised the stakes for companies of every size and sector and present particularly complex challenges for the financial services sector, online platforms for facilitating services by digital nomads and other remote workers, and content creator platforms.
Recent Actions
Several recent actions point to the increasing use of sanctions to combat fraud related to AI, cyber and cryptocurrency while also highlighting the ways illicit actors use AI and cyber tools to evade sanctions and further fraudulent schemes:
- On March 12, 2026, OFAC designated six individuals and two entities for facilitating IT worker schemes orchestrated by the DPRK, targeting a multinational network of facilitators operating from North Korea, Vietnam, Laos and Spain. These designations follow last year's designations against individuals and entities facilitating North Korea's remote information technology (IT) worker schemes on July 8, July 24, and August 27, 2025. In these schemes, North Korean agents posed as candidates for remote IT positions at U.S. companies across multiple industries, leveraging AI-enabled tools, stolen identities, fraudulent online personas, and proxy infrastructure to deceive employers. Though the case involved a North Korean scheme to seed remote IT workers, parties controlled by the governments of other sanctioned jurisdictions, as well as individuals resident in sanctioned countries looking for ways to improve their lot, also present sanctions risks to employers using remote workers, online platforms that facilitate those services and platforms that facilitate monetization by content creators. Increasingly sophisticated tools for masking physical location and generating fraudulent identities require increasingly sophisticated compliance controls to identify and thwart abuse.
- On April 23, 2026, OFAC designated a network of scam operators in Southeast Asia responsible for defrauding vulnerable Americans into transferring their savings in the form of digital assets, often using the pretext of friendship, romantic relationships or investment opportunities. Alongside OFAC's sanctions, the U.S. Scam Center Strike Force announced 1) charges against two individuals running a scam compound in Burma and attempting to start a scam compound in Cambodia, 2) the seizure of a social media messaging app used to recruit human trafficking victims to a scam compound in Cambodia and 3) the seizure of 503 fraudulent web domains used to perpetuate cryptocurrency investment fraud. This action was taken in parallel with separate law enforcement efforts by the FBI's Boston Field Office and the U.S. Secret Service (USSS).
- Also on April 23, 2026, Tether announced that it froze $344 million in USDT (the company's cryptocurrency stablecoin) in coordination with OFAC, targeting addresses flagged for activity tied to sanctions evasion and criminal networks.
- The criminal risks are also significant. On April 15, 2026, DOJ announced the sentencings of two U.S. nationals originally indicted in June 2025 for facilitating a North Korean remote IT worker scheme that generated more than $5 million in illicit revenue for the DPRK. In announcing the sentence, the Assistant Attorney General for National Security stated that "NSD will hold accountable those who facilitate North Korea's illicit revenue generation efforts." The U.S. Attorney for the District of Massachusetts similarly stated that the sentences "reflect the seriousness of this conduct and [DOJ]'s commitment to holding accountable those who facilitate sanctions evasion and foreign threats from within our borders."
- On November 12, 2025, OFAC designated a Burmese armed group and seven other companies and individuals based in Thailand and Burma involved in scam centers, including the Tai Chang scam compound in Burma's Karen State.
- On October 14, 2025, OFAC, in coordination with the United Kingdom's Foreign, Commonwealth and Development Office, designated the Prince Group – a Cambodian business conglomerate that operates scam centers housing cyber scam operations targeting U.S. and U.K. persons – as a transnational criminal organization and sanctioned 146 associated persons.
- On September 8, 2025, OFAC designated 12 companies and seven individuals based in Cambodia and Burma for their roles in facilitating human trafficking and cyber scams targeting U.S. persons and, on September 12, 2024, OFAC designated Cambodian tycoon Ly Yong Phat, his conglomerate L.Y.P. Group, and four of his hotels and resorts.
- In 2024, the USSS took action against a group of individuals based in the U.S. who laundered more than $73 million in victim funds generated through digital asset investment scams.
All property and interests in property of designated or blocked persons that are in the U.S. or in the possession or control of a U.S. person must be blocked and reported to OFAC. Unless authorized by OFAC or exempt, OFAC's regulations generally prohibit all transactions by U.S. persons or within (or transiting) the U.S. that involve any property or interests in property of blocked persons. They also generally prohibit U.S. persons engaging in or facilitating the provision of services to, or receipt of services from, parties who are ordinarily resident in embargoed jurisdictions. And they allow foreign persons to be held liable for causing U.S. persons to engage in prohibited activity. Violations of U.S. sanctions may result in the imposition of civil or even criminal penalties on U.S. and foreign persons.
Practical Considerations and Mitigation Steps
Although many companies have established risk-based compliance programs to address sanctions risks arising in their overseas operations, AI-enabled tools are bringing those risks closer to home and making illicit activity harder to detect with traditional compliance controls. The sanctions compliance risks of even inadvertent engagements with sanctioned actors are severe. Because OFAC can and does impose civil penalties on a strict liability basis, even persons who unwittingly transact with blocked persons or parties resident in sanctioned jurisdictions may face enforcement exposure. Furthermore, these risks are proliferating as U.S. regulators increase scrutiny on financial institutions, online platforms and other intermediary "gatekeepers" tied to sanctioned persons and conduct.
With these risks in mind, it is increasingly important to be aware of red flags for illicit activities, including:
- inconsistencies in identifying information
- the use of IP addresses or accounts from sanctioned jurisdictions or IP addresses flagged as suspicious, and suspicious patterns of VPN activity consistent with attempts to evade geoblocks and disguise presence in sanctioned jurisdictions
- requests to direct payment to third parties
- frequent money transfers or demands for payment in cryptocurrency
- transactions connected to a sanctioned virtual currency exchange or wallet address
Holland & Knight Can Help
Holland & Knight attorneys are available to assist clients in evaluating their current sanctions compliance frameworks, conducting targeted risk assessments of IT contractor populations, advising on voluntary self-disclosure considerations and responding to potential cybersecurity incidents linked to DPRK- and other sanctioned jurisdiction-affiliated actors. If you have questions about the implications of these designations for your operations, contact the authors.