The cat-and-mouse game between regulators demanding greater corporate transparency and companies resisting new regulations is nothing new. Indeed, US corporate anonymity laws have long been exploited by criminals, terrorists, and kleptocrats to obfuscate their illicit financial activities and evade detection via shell companies. However, the modern era of strategic competition among great powers has witnessed an alarming novel variety of this game: state-backed adversaries exploiting US corporate anonymity laws to operate within US territory strategically. Such operations pose a distinct and irregular threat to US national security by affording state-sponsored malign actors a means of obtaining legal status in the United States, which enables them to hide in plain sight through anonymous shell companies while covertly conducting malicious activities.
In a refreshing episode of legislative effectiveness, Congress passed the Corporate Transparency Act (CTA) as part of the 2021 National Defense Authorization Act, addressing this threat head-on. The act empowers the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) to collect ownership information about businesses operating anomalously in the United States. Although FinCEN originally set a deadline of January 1, 2025, for companies to file the requisite ownership information, the Treasury Department, after a whirlwind of litigation in December, delayed the filing deadline until January 13, 2025. Just three days after that extension was granted, however, the Fifth Circuit rendered the CTA unenforceable until it determines its constitutionality. Employment of this crucial new authority thus remains stalled, leaving national security at risk. As the CTA’s fate remains unknown, policymakers must ensure that government departments and agencies are otherwise properly equipped with the tools and authorities needed to prevent foreign adversaries from leveraging anonymity laws to threaten US national security.
The CTA: The basics and the stakes
Under the CTA, businesses must submit a Beneficial Ownership Information (BOI) Report to FinCEN, providing unique identifying information—including legal names and addresses—of the individuals associated with the reporting company. These new requirements were specifically designed to enable law enforcement officials to disrupt financial crimes affecting communities and US national security. With the initial filing deadline of January 1, 2025 looming, courts heard numerous legal challenges to the CTA’s constitutionality in 2024, coming to differing conclusions. For example, while federal district courts in Virginia and Oregon upheld its constitutionality, an Alabama district court disagreed.
More recently and consequently, on December 3, 2024, a district court in Texas issued a nationwide preliminary injunction prohibiting the CTA’s enforcement, finding it unconstitutional. In so doing, the court explicitly rejected the government’s argument that the act implicated foreign affairs. The government promptly appealed to the Fifth Circuit, which lifted the injunction on December 23. The appellate court, however, reversed course on December 26, reinstating the injunction. In explaining its reversal, the court said such action was needed to preserve the constitutional status quo while it considers the parties’ arguments in an expedited appeal. The government has since issued a statement making BOI filings voluntary and filed an application for a stay of the district court’s injunction to the Supreme Court.
With CTA enforcement stalled, the United States enters 2025 with an incomplete and inadequate toolkit to address the heightened national security risks that unregulated corporate anonymity poses in the context of great power competition.
Identifying the Vulnerability
To properly appreciate what is at stake with the CTA and the threat it was aptly drafted to address, take the benign example of Flannery Associates LLC. Flannery attracted national attention in 2023 after the Wall Street Journal revealed it had quietly purchased land worth nearly $1 billion surrounding Travis Air Force Base in California, as well as land around California’s interstate electrical grid system. The company, which was incorporated anonymously in January 2018 in Delaware—a state notorious for allowing individuals and entities to register anonymous limited liability companies (LLCs)—went to great lengths to hide its beneficial ownership information for years despite persistent and prolonged government investigations, aggravating concerns among US federal and state officials about a potential national security threat.
Fortunately, Flannery’s beneficial owners—a group of Silicon Valley elites—diffused the national security concerns in August 2023 by voluntarily revealing their identities and intentions: building a utopian city on the land they purchased.
Unfortunately, the rigmarole surrounding the company exposed a significant vulnerability beyond the government’s current reach that adversaries can—and do—leverage to gain a strategic advantage inside the United States. And China has been one of the most active and eager malign actors in this space.
Spacious skies, fruited plains, and Chinese shell companies
On May 13, 2024, President Biden issued an order prohibiting the Chinese-backed company MineOne Partners Limited from buying and continuing to invest in a cryptocurrency mining facility near Warren Air Force Base, which is responsible for nuclear-armed intercontinental ballistic missiles. The order, which cites national security risks as its primary motivation, was based on a referral from the Committee on Foreign Investment in the United States (CFIUS), the government body responsible for ensuring foreign investment does not undermine US national security. Such orders, however, while necessary and effective against the specific companies they target, only apply to foreign investments. This creates a loophole that foreign adversaries can exploit using American shell companies.
Take, for example, US private equity firm YZY Capital Holdings LLC, incorporated in Wyoming in July 2021. Its American status allows it to operate “below the radar” without triggering regulatory flags, including when it purchased two plots of land in Wyoming, one near Warren Air Force Base and the other by critical energy infrastructure. A New York Times report describes YZY as a “sprawling” conglomerate that, in addition to operating a crypto-mining business, owns car dealerships, a biotechnology company, and financial firms. However, according to the LinkedIn profile of one of its employees (which has since been removed), the company is in fact the American investment wing of the Chinese company Youzhiyou Group.
YZY’s corporate documents originally listed its principal address in New York and its “organizer” as Qian Yuan, a Chinese businessman and member of the Chinese Communist Party (CCP) who has previously served as a government advisor in Wuhan, China. However, in September 2022, Yuan’s name was removed from the official corporate documents. At the same time, the company changed its registered agent and provided the agent’s address in Wyoming as the firm’s principal address—an apparent attempt to retroactively anonymize the beneficial ownership of the company. Like Delaware, Wyoming allows individuals and entities, including foreign entities, to register anonymous LLCs.
Or take the Chinese military company Hesai Group, which the Department of Defense (DoD) added to its list of entities identified as Chinese military companies operating in the United States in January 2024. Hesai controls 47 percent of the global market share for LiDAR technology, which is tied to China’s military through the China Electronics Technology Group Corporation, a state-owned dual-use electronics manufacturer that produces technology for the People’s Liberation Army and is critical to China’s military civil fusion program. Before its listing, Hesai registered in Michigan as a US company called America Lider—without ever disclosing its true beneficial owner or ties to the Chinese government. While irritating and concerning for policymakers and regulators, such evasion is completely legal. And without the CTA or new legislation in its stead, it will remain so.
Anonymous Companies in the Cyber Domain
The threat presented by corporate anonymity isn’t confined to the material world: it expands into the cyber domain. Indeed, foreign malign cyber actors often lease US infrastructure as a service (IaaS) products via command-and-control providers to carry out malicious cyber activities against US targets while obfuscating their foreign connections. Combined with US corporate anonymity protections, such tactics make it extremely difficult for US officials to track and obtain information about these adversaries through legal processes. A study by the cybersecurity firm Halcyon found that Cloudzy, an obscure US cloud service company, provided web hosting and internet services to more than a dozen different state-sponsored hacking and ransomware groups. According to the study, Cloudzy was leasing server space from IaaS providers and reselling it to no fewer than seventeen different state-sponsored hacking groups from China, Russia, Iran, North Korea, India, Pakistan, and Vietnam, thereby enabling adversaries to conduct attacks against US entities directly from US servers.
Cloudzy, formerly known as RouterHosting LLC, was registered in Wyoming in March 2023. While corporate documents do not reveal Cloudzy’s beneficial ownership information, by mapping out the company’s digital footprint, Halcyon found that the company is “almost certainly” a cut-out for a group operating out of Tehran. In December 2023, Reuters reported that Cloudzy’s chief executive, who was based in Dubai, denied turning a blind eye to malicious activity and claimed to have dissolved the Wyoming company. Nonetheless, Reuters found that the Cloudzy case was just one of at least three instances in late 2023 in which cybersecurity experts implicated Wyoming LLCs in high-profile hacking activity.
Pulling off the Cloak—Or Not
Over the past few years, US policymakers have enacted several measures to address strategic threats by foreign adversaries inside the United States. Unfortunately, they have fallen short of comprehensively addressing systemic vulnerabilities and loopholes that permit adversaries to operate as legal US entities.
For example, upwards of 24 states have adopted or expanded restrictions on investments from adversarial countries. In June 2023, the National Agricultural Law Center reported that several states have prohibited the sale of agricultural land to foreign entities outright with no exceptions. In October 2023, Arkansas became the first state to require Chinese companies to divest from all agricultural land ownership in the state.
While such legislation has helped defend against adversarial use of US farmland, no currently enforced state or federal law addresses the possibility that foreign adversaries can use anonymous US companies to mask their identities. The current legislative landscape also doesn’t address the possibility that foreign entities from non-adversarial countries could secretly act as cut-outs or proxies to purchase or develop land on behalf of a foreign adversary.
Similarly, CFIUS has issued several new rules and regulations to counter foreign investments in the United States. For example, under its real-estate instructions, property transactions near an expanded list of military installations trigger the committee’s review authorities. However, none of CFIUS’s current powers can apply to foreign adversaries hiding behind anonymous US shell companies without the ability to first verify the beneficial ownership information.
Recognizing these lapses, CFIUS should forego its list-based approach for monitoring real-estate transactions and establish a designated authority to determine whether a military installation qualifies as sensitive based on a set of established criteria. Additionally, the types of sensitive sites within CFIUS’s purview should be expanded to include US critical infrastructure and sensitive non-military government facilities. Both of these changes would ensure that CFIUS’s ability to address potential national security threats is not overly restricted without revealing the nation’s most sensitive sites to adversaries.
Additionally, while the federal government continues to fight for the CTA in the courts, Congress should pass new legislation authorizing key US departments and agencies—such as the Federal Bureau of Investigation, Department of Defense, and Department of Agriculture—to conduct security reviews of any entity—foreign or domestic—seeking to purchase land near any US military installation, sensitive non-military government facility, or critical infrastructure. This would obstruct foreign adversaries’ ability to use anonymous US companies or American cut-outs to gain proximity to sensitive sites. Congress should also prepare to go back to the drawing board on addressing corporate transparency, should the courts nix the CTA entirely.
Conclusion
While the CTA remains in legal purgatory, policymakers must prepare their next steps to ensure that US departments and agencies have the insight and tools needed to counter the rise of irregular threats veiled as US entities. The importance of beneficial ownership transparency cannot be overstated. If the appropriate US authorities are not able to gain insight into such information, or if the information is not comprehensive, timely, or executed properly, adversaries will continue to exploit US government shortfalls and be poised to gain a significant and enduring strategic advantage inside the homeland.
Aurora Ortega is a Ph.D. candidate at George Mason University, affiliated with the Terrorism, Transnational Crime, and Corruption Center (TraCCC). Ms. Ortega is also a U.S. Government professional, who has served in various positions within the US Departments of Defense and the Treasury.
Standardized Disclosure. The views expressed are those of the author(s) and do not reflect the official position of the Irregular Warfare Initiative, Princeton University’s Empirical Studies of Conflict Project, the Modern War Institute at West Point, or the United States Government.
Main Image: Photo by David Jones on Unsplash
If you value reading the Irregular Warfare Initiative, please consider supporting our work. And for the best gear, check out the IWI store for mugs, coasters, apparel, and other items.
Leave a Reply