INCA-PACITATED
Banks Can't Stop Iran. Blockchains Just Did.
COMPLIANCE JOE
Imagine Joe. Joe works for a US bank in the risk and compliance group. Joe is familiar with the controls, rules, and procedures that help keep the bank from facilitating bad activity. Joe is probably the kind of person who does the 31 different mandatory training segments on time, who believes wearing a color other than white, gray, or the navy blue of a bank is “aggressive”, and who ends emails with “I appreciate you following rules and procedures” and doesn’t mean it ironically.
Joe is a rule-follower. And what rules is Joe following here? Those of transaction monitoring. Every day, a raft of reports of “suspicious” transactions shows up in the system, and Joe has to review them. If they are not a problem, they can proceed. If they need more info, Joe requests it. If they require a Suspicious Activity Report (SAR), Joe files the SAR. Some banks are better at this and some are worse, but on average, at least some of them attempt to take it seriously some of the time, usually because of people like Joe.
And on this day, Joe doesn’t even see the transaction that is actually the problem. There is a small fortress of paperwork that has been constructed across our system, with the parapets staffed with a small army of Joes and Janes in compliance, all of whom are checking everything, and I am here to tell you that the transaction that proves to be the biggest problem will not even be flagged by the system and will instead happily march right out of the gates.
How does this happen? Why are Joe and his navy suit jacket powerless?
The system itself simply does not work, and as designed, cannot work.
CASTLES OF PAPERWORK
How can we be so confident that the vast paperwork edifice fails in this case? Well, let’s talk about a transaction that really happened. Let’s take an American, we can call her Dawn, and follow the path of travel that leads to Dawn funding the Iran Revolutionary Guard Corps (IRGC), which is an actual pattern of transaction we have seen countless times in the current financial system.
Dawn has family, some of whom are overseas. In this case, let us say one of them is in the UK, to pick another jurisdiction that is not an immediate clown show of crime. Dawn wants to send money to her family, so she sends a payment to the bank of her relative, which is received. Joe is the one who sees the report and waves it through. Why? Dawn is not a criminal, and as far as Joe knows, Dawn’s relative is at a bank in good standing, with a functioning paper castle of special magical paperwork that keeps the bad people out, just like at Joe’s bank. Everything is working as intended.
Dawn’s relative gets the money. The relative spends money at a business, paying with a card. That means money moves from her bank to the bank of the merchant where the card was used. Again, everything is on the up and up, as far as anyone can tell.
That business, like all businesses, has an owner. That owner receives a dividend from the business, which brings us to a fourth bank where that is received. The owner then takes the money, and sends it either through a bank in a jurisdiction where the paper castle does not respect the sanctions regime of Joe’s bank, or through an informal hawala network type arrangement to a sanctioned person in Iran who is a member of the IRGC. Those funds are then used to make payroll for IRGC members.
So, as you can see, Joe pushed through a payment that funded the IRGC.
This is the record scratch moment, where we have to pause and ask how this happened. The answer is in the design of the system itself. At each checkpoint up until the final step, you can see that procedures were followed faithfully, and the army of Joes and Janes in compliance at each bank did their respective jobs. Joe’s bank had no reason to suspect Dawn’s transaction. Dawn’s relative’s bank had no reason to suspect the payment. The merchant’s bank might not have even had a reason to suspect the owner. But the owner is where the problem happened, and so what this means is we have an entire system where the following are all true: it is only as strong as the weakest link in the entire chain that anyone can find, and once the money moves, there is virtually no way for any of the other entities involved to get it back.
After all, if by some miracle, Joe’s bank became aware of this chain of events, could they get the money back? No, of course not, that’s ridiculous.
This type of transaction pattern, where we can’t be sure at each step who knew how much, is why there is so much crime in our traditional system. Did Dawn know, or at least have partial knowledge, that something bad was happening somewhere down the line, like in many organized scams or crime rings?
Did Dawn’s relative know that the business might be crooked and involved in this, even if Dawn did not? Did the business itself know about the activities of the owner, and was it a front, or were they truly in the dark? The owner, obviously, knows. But what we don’t know is how deep the chain is beyond that.
TERRORISM AND LAWFARE
Leaving the world of banking, we now turn our eye to geopolitics, which, to paraphrase Clausewitz, is the continuation of policy by other means.
In particular, we turn our eyes to the United States, where, under the terrorism exemption to the Foreign Sovereign Immunities Act (FSIA), and primarily on behalf of US service members and their families, Willkie Farr & Gallagher has been involved in a series of victories against the Iranian regime.
They have, in fact, run up over $20B worth of wins, on behalf of families of dead soldiers killed in Iraq and civilians harmed by the regime. In short, it has been a crushing series of legal victories against one of the most virulent regimes on the planet, one that is a long-term and well-known sponsor of terrorist groups across the Middle East, from Hamas to Hezbollah to the Houthis.
There is, however, one problem. It is the problem that we addressed above, the problem with the fortresses of paperwork that exist across the financial system: how do you find, and how do you get the money? There are $20B of judgments. And yet, the Iranian system continues to function, payments move in and out of Iran as countries buy sanctioned oil, do business with sanctioned firms, and send funds to sanctioned persons. All of the paperwork stops somewhere between none and approximately one percent of that activity, so while Willkie sits on $20B of judgments, an army of bank compliance people return precisely zero dollars, and the system operates that way as though it were designed to create that outcome.
There has to be a better way, right?
CYBERPUNK ANTI-CRIME
Thanks to the internet and modern technology, there is. In fact, it is specifically thanks to three different forms of technology that have all met in the middle that a better solution is now here: public blockchains, social media and the internet, and AI.
It does not involve the banks, though. They are useless here. They have not adapted. Nor have their regulators forced them to. In fact, as with the FDIC and OCC’s excessively punitive Third Party Risk Management (TPRM) framework being applied to anti-financial crime vendors, the regulators are often part of the problem.
However, to paraphrase Ian Malcolm in Jurassic Park, life finds a way.
Despite the slings and arrows the traditional Luddite press and certain members of Congress have thrown at the crypto space, one thing remains true and cannot be changed by the participants nor the outside world: public blockchains are public. The data on them is visible to everyone. Instead of the previous system, where Joe has perfect knowledge only of the tiny fraction of details that his bank knows, here everyone knows some of the details of the entire system. You can see wallet addresses. You can see funds moving. You can see holdings. The wallets themselves are pseudonymous. In real time, there is a chain of transactions evolving before your eyes, but the wallet holders are hidden from you.
Until they are not.
You see, the other aspect of the modern data landscape, and one that the banks themselves have completely failed to adapt to, is the richness of open source intelligence data. Social media? Messaging apps? Dark web data breaches? GitHub repos? Marketing materials?
A huge amount of data about all of us bleeds across the web every day. If you have ever been online, even once, there’s probably some leak somewhere in which you are implicated. The vastness of this data landscape is what has made it difficult to work with, however. There is so much data that you are finding things everywhere, all at once, all the time, forever. That actually is the problem, or historically was: there is so much to find that you cannot possibly find it all. Much like the paperwork fortress of Joe, there is a huge amount of information, but what can you do with it?
The solution to that came with AI. Now, someone can read all of that, at least so long as your definition of someone is ChatGPT, Claude, or Gemini. AI can scrape huge numbers of documents, taxonomize data, and search through things to find connections. To find patterns. To take disparate unstructured data sources, so that if a sanctioned person was found with one wallet address, and a chain of onchain data leads you to another wallet address that came from a Telegram chat with some crypto scammers, and then dark web data ties the company that owns that address to a third address that is where hundreds of millions of funds seem to be accumulating from the actions of a transnational criminal organization, you can then do something about it.
Is this purely theoretical, though? One of those “great idea, but this will never happen in practice” things? Many people believed that was the case.
However, a thing happened about two weeks ago that is going to cause all of those people to revise their views.
TETHERED TO US LAW
Remember how I said a public blockchain is, well, public? That just turned out to be a real problem for the Islamic Republic of Iran. Why? USDT is the world’s most popular stablecoin, and arguably the most used, if we are talking about transaction volumes. It’s a business that did not exist in 2014 and now has become one of the dominant methods of paying for something, anything, on-chain.
It is also a US dollar stablecoin, which means that Tether has its reserves in US dollar assets like US treasuries, of which they are one of the biggest buyers. Tether is also, as a result, responsive to the US rule of law. Why? Because if they aren’t, the US can go grab the treasuries, and nobody is going to enjoy that.
This, by the way, is the practical cost of doing business in dollars. If you don’t like US law and legal norms being the point of reference for the token you are holding, some gentle advice would be that you should not be using a US dollar stablecoin. It is literally in the name: there is no escaping it.
The Iranians learned this the hard way, because all of the threads I raised above have come together.
Unlike a bank, a blockchain is public. If an address can be shown to belong to the Iranians, and you can trace where they are sending their funds, you can find everything. Unlike in the example of the traditional system, the entire chain that started with Dawn and ended with the IRGC is laid bare on a public blockchain once you can scrape enough data.
Unlike a bank, an open-source intelligence company is not just looking at internal data. You can use social media sources, the dark web, private financial data, and more. You map the entire ecosystem, so that you can find blockchain addresses, follow those, and then go back to off-chain data to find out where that endpoint leads you, so on and so forth, until you find $344 million of Iranian money in two wallets on the Tron blockchain.
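The contrast above between one bank's view and a public ledger, as an added example that is not part of the original essay: a constructed ledger mirroring the Dawn chain is walked upstream from a flagged endpoint. All party names, amounts and institution labels are hypothetical.

```python
from collections import deque

# Constructed sample ledger: (sender, receiver, amount, institution that booked the hop).
# Every name and amount is hypothetical and mirrors the Dawn example in the text.
TRANSFERS = [
    ("dawn", "relative", 500, "bank_us"),
    ("relative", "merchant", 120, "bank_uk"),
    ("merchant", "relative", 10, "bank_uk"),       # refund: creates a cycle
    ("merchant", "owner", 90, "bank_merchant"),
    ("owner", "sanctioned_wallet", 80, "offshore_or_hawala"),
    ("dawn", "landlord", 1500, "bank_us"),         # unrelated payment
    ("relative", "grocer", 60, "bank_uk"),         # unrelated payment
]

def trace_back(transfers, flagged):
    """Breadth-first walk upstream from a flagged endpoint.

    Returns {party: shortest path from that party to the flagged endpoint}.
    """
    incoming = {}
    for src, dst, _amount, _institution in transfers:
        incoming.setdefault(dst, []).append(src)
    paths = {flagged: [flagged]}
    queue = deque([flagged])
    while queue:
        node = queue.popleft()
        for src in incoming.get(node, []):
            if src not in paths:  # visited check also stops cycles looping forever
                paths[src] = [src] + paths[node]
                queue.append(src)
    return paths

def siloed_view(transfers, institution):
    """Only the hops one institution booked: what a single compliance desk sees."""
    return [t for t in transfers if t[3] == institution]

def exposed_parties(transfers, flagged):
    """Parties with a path to the flagged endpoint, mapped to their hop distance."""
    paths = trace_back(transfers, flagged)
    return {p: len(path) - 1 for p, path in paths.items() if p != flagged}

if __name__ == "__main__":
    print("full ledger:", exposed_parties(TRANSFERS, "sanctioned_wallet"))
    print("bank_us only:", exposed_parties(siloed_view(TRANSFERS, "bank_us"),
                                           "sanctioned_wallet"))
```

A path only shows that funds could have flowed along it; tying the endpoint to a real person still depends on the off-chain data the text describes.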
Unlike a bank, you can also do something about it. Remember how those funds are in Tether? Well, Tether has freeze and seize capabilities. They can reach out and touch any wallet, anywhere, on any chain, that is holding USDT. Are they going to do that lightly? No. Do they do that just to screw with people? No. Are they going to do it if they get a valid US court order? Yes, because if they don’t, you go down the street with that court order to Tether’s custodian.
So how do you get that order? Well, funny enough, FSIA has the answer: there are a bunch of lawyers who have been fighting this battle for decades who have the orders; what they don’t have are the funds to grab. Now, the other side has the funds to grab, and they just need a valid reason to show up at Tether’s (or, to be fair, Circle, or Paxos, or OpenEden, or anyone with a USD stablecoin, really) doorstep. This is a match made in lawfare heaven: claim on funds meets source of funds.
What does it look like when this happens?
PRIVATEERING
This is simply not possible in the current system. The opacity plus data siloing in the current system means that banks facilitate huge amounts of crime without ever being aware of it, but also with no possibility of doing anything about it externally, because nobody can see what is going on.
Now, however, we have a much better option. The Iranians just learned that the hard way. But if you have the right data framework, you have the right legal arguments, and you have the right onchain tools, you can find the money that slipped through Joe’s fingers, and you can take it back and give it to the family of a young man who was blown up by an IED produced by the Iranians, while simultaneously denying Iran the ability to fund more weapons production. You can even do this from inside a nation that will support you, because they are the enemy of the one you just put the spear into. With apologies to my friend Chris Perkins, it turns out that privateering is already legal and someone is already doing it.
I find it ironic that everyone is fighting about SWIFT or useless, incremental reforms to the current bank KYC/AML system when, instead, we can do this.
So I will end with the following statement, to invert the very premise of the entire crypto vs. traditional finance debate, using what just happened to Iran on the Tron blockchain as evidence: if we want to actually stop financial crime, we should force every single bank to start using blockchains immediately.