
Guest Post | A Very Insider Threat: How Identity Check Failures Let Two Iranian Operatives Infiltrate Canada's Financial Sector
In an age where financial institutions spend millions on sophisticated anti-money laundering (AML) platforms and transaction monitoring software, it’s easy to assume that the greatest threats lie deeply embedded in the data. But the most dangerous actors aren’t hiding in the code. Often, they walk in through the front door with resume in hand and land a job in the very department built to catch them.
This isn’t just about hiring errors. It’s a playbook for how our adversaries exploit institutions.

One of a rapidly growing set of examples of such insider threats is the case of Amin and Arash Yousefijam, two Iranian nationals convicted in the United States for smuggling sensitive industrial technology to Iran in violation of U.S. sanctions. After serving time in federal prison, both returned to Canada, changed their names, and re-entered the workforce.
One became a dentist. The other became something far more troubling: a bank compliance officer (and it wasn’t the first time).
Yes, an individual recently imprisoned for sanctions evasion was now employed to prevent that exact crime at a Canadian financial institution. Again.
The Yousefijam brothers didn’t break back in through the back door or conduct a complicated cyber intrusion. They used public systems and legal pathways (name changes, misleading resumes, and professional licenses) to reinsert themselves into high-trust professions.
How could this ever happen with modern hiring systems?
It happens through their calculated understanding of Western bureaucratic blind spots. The kind of understanding that results from training given by intelligence services and other state-sponsored entities.
Which is exactly where this portion of the story begins.
Isfahan, Iran
In 2016, Amin (a former Iranian government employee) changed his first name from Riki to Yousefijam and boarded a plane for Canada. When questioned by Canadian immigration officials about whether this was an attempt to obscure his past, he shrugged it off as a personal decision, saying his new name “resonated more” with him.
Amin was then joined in Canada by his brother Arash, where, between 2016 and 2018, both gained employment in Anti-Money Laundering and Compliance at multiple Canadian financial institutions. In addition to their strategic placement in the financial sector, Arash obtained a key position at IBM in the United States, where he became an investigator responsible for scrutinizing money laundering and OFAC (Office of Foreign Assets Control) compliance.
These positions proved ideal for facilitating the brothers’ true intention in North America: to smuggle restricted and sanctioned technology back to the government of Iran. The brothers began operating a complex network of shell companies, money laundering networks, and logistics pipelines obfuscated by repackaging points in the UAE.
The Canadian government would later claim, “Their knowledge of internal systems, controls, and enforcement procedures made them unusually well-positioned to identify and exploit weak points.”
The Arrest
After an initial arrest in 2020, in 2021 the Justice Department announced that:
“Three individuals have been charged in an indictment with conspiracy to export U.S. goods to Iran in violation of the International Emergency Economic Powers Act (IEEPA) and the Iranian Transactions and Sanctions Regulations (ITSR), as well as conspiracy to smuggle goods from the United States, and conspiracy to engage in international money laundering.”
“The defendants deceived U.S. companies, illegally obtained sensitive U.S. items, and transshipped those items through the UAE to Iran in violation of U.S. law,” said Assistant Attorney General for National Security John C. Demers. “Such actions dilute the effectiveness of sanctions against Iran. The Justice Department is committed to vigorously enforcing U.S. sanctions and to successfully countering the Iranian regime’s destabilizing activity.”
As a result, the two brothers pled guilty in U.S. federal court to sanctions evasion, smuggling, and money laundering.
The Replacement
After a shockingly short term of incarceration, both men were released, whereupon they returned to Canada and legally changed their names again. This time they chose Aurash and Ameen Cohen.
This latest name change proved effective. Public records show that the now Ameen Cohen secured a role as an AML compliance officer at a Canadian financial institution. The other, while practicing dentistry, actively sought senior leadership roles in banks, stating a goal of becoming “a senior vice president in a Canadian bank.”
The Human Blind Spots in the Checks
So how did it happen? How did two convicted U.S. federal offenders reenter sensitive professional roles without setting off alarm bells?
The answer lies in more than a failure of cross-border identity intelligence. The reentry of the brothers into positions of trust highlights a broader systemic issue: corporate overreliance on automated systems, and a chronic underappreciation of the human factors involved in exploiting them.
Most commercial background screening tools used by North American employers are domestically scoped. In Canada, standard criminal record checks typically pull from national databases and will not flag foreign convictions unless specifically requested—and even then, the results are often inconsistent, incomplete, or delayed.
Name changes compound the issue. Legal name changes are not automatically cross-referenced with prior identities across jurisdictions unless explicitly flagged. Even then, data privacy laws, decentralized recordkeeping, and limited intelligence sharing between allied nations create enough friction to leave serious gaps.
Insider Threat as State Strategy
The Riki/Yousefijam/Cohen case is not simply about a failure of due diligence. It illustrates a growing and underappreciated threat vector: identity laundering combined with insider access.
This isn’t a hypothetical. It’s tradecraft that malicious actors are actively using to exploit North American corporations.
Nation-states and sanctioned regimes have long understood that regulatory and compliance roles inside Western institutions offer strategic value. An embedded asset in an AML role doesn’t just have access to client activity - they understand how alerts are generated, what gets escalated, how SARs are filed, and what red flags are ignored. That information is of significant intelligence value for any adversary.
In this context, the role of a compliance officer is not just a middle-management position - it’s a national security function.
Iran is not the first adversary to utilize this approach. Russian intelligence services have long seen benefit in sending officers of the infamous “Illegals Program” through Canada to operate or train before entering the United States. These officers, operating under commercial or non-official cover (NOC), were extremely adept at identifying and exploiting cross-jurisdictional inefficiencies in these same identity systems.
Fixing the Front Door
The case of the Yousefijam brothers demands more than retrospective analysis. It calls for a strategic rethinking of how financial institutions, and indeed any organization, approach insider threats.
Too often, security investments prioritize external risks: cyberattacks, data breaches, and perimeter defenses. But as this case illustrates, the most effective breach may come not from outside the system, but from someone hired to protect it.
Modern adversaries understand this. They are increasingly shifting their focus toward roles that offer privileged access to sensitive systems, compliance workflows, and enforcement decision points. Regulatory and AML functions, far from being neutral back-office roles, are now operational chokepoints where knowledge of internal processes becomes intelligence.
This shift highlights a broader industry challenge: an overreliance on automated systems and a parallel underestimation of the human element. While algorithms and software can detect unusual patterns, they are not designed to recognize calculated normalcy performed by someone who knows what NOT to trigger.
Responding to this reality requires more than improved background checks. It means building human-centered risk programs that account for identity evolution, jurisdictional blind spots, and adversarial tradecraft. It means viewing hiring decisions, especially in compliance and control roles, as part of the organization’s broader risk surface.
Ultimately, institutions must begin treating identity verification and personnel vetting with the same rigor applied to their cybersecurity protocols. Not because everyone is a threat, but because the few who are understand exactly how to avoid looking like one.