Chat KGB
How OpenAI Found Itself (Unknowingly) Supporting Russia in Evading Sanctions
I’ve been thinking a lot about AI companies recently, and the role they’ve quietly assumed in our modern economy. OpenAI, for example, has publicly discussed the possibility of an eventual IPO.1 If that happens, one of the most important companies in the world will also become one of the most valuable.
Eighteen months ago, I had a hypothesis about how Russia was maintaining access to SWIFT. That theory found very little support for quite some time. Anyways, I’m pleased to finally build on that theory with this piece. My conclusion is, was, and forever will be that A7 is less of a cryptocurrency network and more of a banking network. If that argument is unfamiliar to you, the newly launched A7 report, available here, covers it in more detail than I ever could alone.2
A7 is a Russian sanctions-evasion network that was built to move money through SWIFT, which isn’t really supposed to happen.3 4 Above is a prompt in their code that makes this possible.
Take a minute just looking at the above snippet from the prompt.ts file. This is the prompt written by A7 and processed by OpenAI at least 4,000 times (but likely many, many more).5 This is a handling and routing prompt for incoming SWIFT transactions from foreign financial institutions.
Society for Worldwide Interbank Financial Telecommunication (SWIFT) is how banks talk to one another. Messages follow standard formats, with specific fields for specific pieces of information so everyone knows they are talking about the same things. There are a bunch of different message types. For this story, we only care about one: the MT103, which is basically just a wire transfer.
Field 59 is one of the SWIFT fields I just mentioned. It is normally used to identify the beneficiary of an MT103 payment. When :59: is missing, the prompt falls back to :50:, then :57:, then :72:. That is exactly the sequence a banker or compliance analyst would follow when trying to identify the recipient manually. The rest of the prompt shows a similar level of familiarity with the underlying process. Currency symbols are stripped and amounts standardized to two decimal places. Dates are converted to ISO 8601 format.6 Assessments are assigned confidence scores and returned as structured JSON for ingestion into the database. If the text extraction quality falls below a predefined threshold, the system retries using OpenAI’s vision capabilities. Taken together, this is not a rough hacky system built by someone trying to save themselves a few minutes. Whoever designed it had a working understanding of how compliance systems process SWIFT data.
Initially, & honestly, this is a very benign and frankly boring implementation of AI, probably the type of thing that AI does super-well, mundane repetitive tasks at scale.7 Though, it is also sitting in the production backend of an active Russian sanctions-evasion network that claims to have processed over $100,000,000,000 in transactions.
Through inadvertent publication, I have spent the past several months (and many all-nighters) reading and re-creating, line-by-line, the underlying infrastructure of A7 across their operational production databases, over 70,000 source files, complete backend repositories of core applications, and 3,543 SWIFT transactions that total just over a billion dollars, routed through 1,091 financial institutions in Kyrgyzstan, the UAE, Hong Kong, Hungary, Mongolia, Türkiye, the United States, …, everywhere!
The network is jointly controlled by Moldovan fugitive Ilan Shor and Russia’s de facto military bank, Promsvyazbank, previously a failing commercial bank,8 now supporting a purpose-built system to convert Russian rubles into useful currency outside of Russia, through the SWIFT system. This is necessary because rubles aren’t super useful for paying your suppliers outside of Russia.9 My previous work on A7, as a senior associate fellow with the Open Source Centre, established the network’s structure and scale. The source code further confirms how it actually functions.
Inside those code repositories, on production systems, I found multiple implementations of GPT-4o. It is integrated in at least two key parts of the operation, both of which are hugely important.
The first is forging documents
A7 relies on falsified invoices to justify the movement of money around the globe, something Russia has been doing for ages. Because these contracts can’t openly state their payment origin as Russia, each fake invoice that A7 generates needs a company stamp. For recipients in China, the UAE, Turkey, or Thailand, a stamp with Latin-script text could arouse suspicion. A bad stamp could cause a bank to question why this transaction is taking place or request confirmation of business activity, which would risk the shaky house of cards A7 has built. A7’s solution is to call GPT-4o once per stamp, feed it the shell company name and ask for a translation into the local script. Chinese for Hong Kong recipients. Arabic for UAE. Turkish for Turkey. Thai for Thailand. The translated text goes onto a document, gets an artificial blur and saturation-shift to simulate the look of a worn physical ink stamp, and winds up as part of the forged document package.
The prompt is six simple words: “Translate [name] to [language]. Answer only translated text.”
Without GPT-4o, every forged document for a Chinese recipient would require someone who could type Chinese characters accurately and plausibly or actually get ahold of the stamp. A7 eliminated that need entirely. Multi-jurisdiction stamp forgery, automated, at the cost of a few API calls. With stamp applied, OpenAI helps determine the routing with the “substitute” invoice itself drawn from a hard-coded and pre-defined set of entities, goods, and payers. All details deterministically applied to the new invoice with an “old” stamp.
The second monitors for SWIFT messages
After the forged documents go out and payments clear, the real MT103 confirmations come back in. Those confirmations need to be matched back to the correct transaction, invoice, and customer record. Again, here is that prompt A7 wrote to process them:
You are an assistant trained to extract key details from bank payment documents, which may vary in format and language. Extract: Amount, Currency, Beneficiary, Swift date, Content of field 59, Language of the Document.
Beneficiary: Locate field :59: (Beneficiary Customer). If field :59: exists, extract the company name from it. If field :59: is missing, analyze the entire document, prioritizing structured fields such as :50:, :57:, and :72:. Return only the company name.
Amount: return as numeric with exactly two decimals. Remove $, € symbols. Date: convert to YYYY-MM-DD. Return ONLY raw JSON.
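The fallback order and normalisation rules in the prompt above can also be written as ordinary parsing code. The sketch below is an added example, not A7’s code (which hands this step to GPT-4o); the sample message is constructed, and reading date, currency and amount from field :32A: is an assumption, since the page does not say where those values come from.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed sample MT103 text block; every value here is made up.
SAMPLE_MT103 = """\
:20:REF0001
:32A:240315USD12500,5
:50K:/1234567890
EXAMPLE ORDERING CO LTD
1 SAMPLE STREET
:57A:EXAMPLEBANKXXX
:59:/9876543210
EXAMPLE BENEFICIARY TRADING LLC
2 SAMPLE ROAD
"""

TAG = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")
FALLBACK = ("59", "50", "57", "72")  # order given in the prompt

def parse_fields(text):
    """Map tag -> list of lines; untagged lines continue the open tag."""
    fields, current = {}, None
    for line in text.splitlines():
        m = TAG.match(line)
        if m:
            current = m.group(1)
            fields[current] = [m.group(2)]
        elif current and line.strip():
            fields[current].append(line.strip())
    return fields

def extract(text):
    """Return beneficiary (with the field it came from), amount, currency, date."""
    fields = parse_fields(text)
    name = source = None
    for base in FALLBACK:
        tag = next((t for t in fields if t[:2] == base), None)
        # Skip account lines ("/...") and take the first name-like line.
        names = [ln for ln in fields.get(tag, []) if ln and not ln.startswith("/")]
        if names:
            name, source = names[0], tag
            break
    # Assumption: date, currency and amount are read from :32A: (YYMMDD CCY amount).
    m = re.match(r"(\d{6})([A-Z]{3})(\d+,\d*)$", fields.get("32A", [""])[0])
    date = datetime.strptime(m.group(1), "%y%m%d").date().isoformat() if m else None
    amount = f"{Decimal(m.group(3).replace(',', '.')):.2f}" if m else None
    return {"beneficiary": name, "source_field": source, "amount": amount,
            "currency": m.group(2) if m else None, "date": date}
```

`source_field` records which tag supplied the name: in an MT103, :50: is the ordering customer and :57: the account-with institution, so a fallback hit names a party to the payment rather than a confirmed beneficiary.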
The system handles every format a bank might send: text PDFs, scanned PDFs, JPEG photos of payment documents. Text extractions that come back below a confidence threshold of 0.8 automatically retry in vision mode. GPT-4o extracts the beneficiary name and amount, returns structured JSON, and A7’s Customer Relationship Manager matches the real incoming payment to the pre-built fake document package for that transaction.
The entire chain — forged stamp → outbound fake documents → inbound real SWIFT confirmation → reconciliation — runs without human involvement.
// OpenAI references in A7 codebase.
| File | Function | Mode | Purpose |
| ---------------------- | ----------------------- | ------------------ | ------------------------------------------------ |
| `stamp.service.ts` | `translateText()` | Text | Translate shell company name for stamp rendering |
| `swift.service.ts` | `extractDataFromText()` | Text | Parse SWIFT MT103: amount, beneficiary, date |
| `swift.service.ts` | `sendToGPT4o()` | Vision | Scanned documents or text confidence below 0.8 |
| `openai.controller.ts` | `request()` | Text or multimodal | General-purpose pass-through for operators |

Every field GPT-4o extracts returns with a reason in two languages: English and Russian. The production error messages are in Russian. Reviewing the code, there is zero ambiguity who this system was built for.
When reconciliation completes, the code flips a single status flag — PaymentStatus.SwiftReceived — and routes the confirmed document outward to a hardcoded IP: 83.222.25.212:8014. No domain names and SSL certificate verification disabled. A closed system that probably was not intended to be found.
On Fair Use
A7 did not operate outside the permitted uses of GPT-4o. There were no prompt injections, no exploits, no ToS-bending structure baked into the code. Like the rest of us, they signed up, paid for tokens, and used GPT-4o for two things it is excellent at: translation and document parsing.
Without context, these prompts are completely benign. “Translate this company name to Chinese” and “extract the beneficiary from this payment document”. These would pass any content filter ever built, because there is nothing in either request that signals intent. This likely went undetected because you can only identify the violation when viewing the prompts through the lens of the broader A7 system, not the individual requests. Plainly, this is a problem that content moderation was never really designed to solve.
A note on OpenAI
I have copies of this source code and am happy to ensure it makes it to responsible and relevant parties. Strictly speaking, OpenAI’s terms of service prohibit use of the API for activities that violate applicable law, and what is documented here is a pretty straightforward violation of quite a few international laws.
But really, if we are honest, the terms-of-service question is almost beside the point. OpenAI did not build GPT-4o as a forgery tool. They built a model, made it available to anyone with a credit card and an API key, and trusted that content moderation would catch the uses that violate its policies — probably a reasonable assumption for most of the bad uses it was designed to catch.
The problem, in this context, is that the most egregious violations tend to look like nothing. A7 did not need to ask GPT-4o to help it evade sanctions. Instead, A7’s staff asked GPT-4o to translate some text and read some documents. Super legitimate requests, issued in an entirely criminal context.
Personally, I don’t think this is really a problem you can solve with better content filters or nerfing of models. I think it is a problem that the largest AI companies have not yet seriously considered. Through abstraction, any reasonably sophisticated criminal can decompose their workflow into a sequence of innocent-looking API calls. The entire industry knows this because analytic de-comps are pretty routine interview questions. The responsibility question shouldn’t be “did OpenAI know?” Instead, it is “what does OpenAI do now that they know, given that this is not the first time, and almost certainly will not be the last?”
That question does not have a comfortable answer. I am not sure the people building these systems want to sit with it, and it is not something that I have an answer for. But the existence of A7’s source code makes this a question the biggest companies in the world can no longer avoid. The entire US economy is running on the hope of OpenAI, and seemingly, at least 20% of the Russian economy is running on OpenAI’s capability.
In 2025, Ilan Shor stood at the St Petersburg International Economic Forum and described A7 as “pretty much invulnerable.”10 He doubled down on that claim when he returned to the forum in 2026.11 I have spent eighteen months, alongside colleagues, retracing their steps. From where I am standing 12, today, that claim looks considerably less certain.
Please reach out if you would like more information. A full technical report, including code citations, GPT-4o calls, and SWIFT transaction data, is available.
Beyond that, after well over a year spent inside this system, I am happy to brief anyone who needs the full picture. It began with a pretty out-there hypothesis. And I guess, for me, the funny thing is that I also made extensive use of ChatGPT while working through this material. Not to evade sanctions, obviously, but to help process many of the same SWIFT messages A7 was feeding into GPT-4o. Which is ironic, if nothing else.
Thanks for reading!
If this is useful to you, please do subscribe and reach out. Future investigations will come here first. A note on this investigation.13
About Evidence of Absence
Zachary Tvarozna is formerly of the US Intelligence Community and does his best to maintain Evidence of Absence alongside other engagements. He works with governments, the private sector, and investigative media partners on sanctions evasion and financial crime. His work has been cited in Bloomberg, The Kyiv Post, and The Hill. He is also an avid cyclist and fan of punk rock.
https://openai.com/index/openai-submits-confidential-s-1/
a massive thank you to this team for all the support
At time of leak
(Year-Month-Day Hour:Minute:Second)
Like me asking for basic conversions
& neither are sanctioned cryptocurrencies
err, sitting
This piece draws on an inadvertently published codebase that has not been independently authenticated. All statements of fact, opinion, and analysis are strictly the author’s own and do not constitute a legal or regulatory finding. References to official sanctions designations reflect publicly available government records; all other characterizations reflect the author’s analysis of available evidence. All effort has been made to ensure accuracy. Named entities are welcome to get in touch if I’ve gotten it wrong.

"Through abstraction, any reasonably sophisticated criminal can decompose their workflow into a sequence of innocent-looking API calls."
Agreed, whenever I've run into guardrails (unintentionally) can always find a way to circumvent. Nice piece Zach -- Have you or anyone at OpenAI commented on this directly?