← All Posts

Sanctions Evasion Patterns: Chinese Shell Company Playbook

December 4, 2025 |

The day after a Chinese company hits the Entity List, a new company is registered in Hong Kong. Different name. Same address. Same directors. Same procurement targets.

This isn't sophisticated. It's predictable.

And if you know the patterns, you can track these cutouts — sometimes before the original designation even happens.

Why shell companies work

Western export controls assume companies are what they say they are. The compliance process checks a name against a list. Name not on the list? Shipment approved. PLA-linked entities exploit this with a simple playbook: create intermediary companies with no obvious connection to the sanctioned parent, and route procurement through them. By the time regulators catch up — if they catch up — the technology has already moved. The shell company doesn't need to be invisible. It just needs to not match a list.

The patterns that give them away

These cutouts aren't random. They're created under pressure, often quickly, by people who reuse what works. That leaves patterns — an OSINT playbook for analysts.

The name game

Sanctioned entities rarely create shells with completely unrelated names. There's usually a thread — a shared character, a phonetic similarity, an English translation variant. Look at the Huawei–Skycom case. Skycom Tech Co. Ltd. was a Hong Kong company that primarily operated in Iran; as of February 2007 it was wholly owned by a Huawei subsidiary called Hua Ying Management. The "Hua" (华) character — the same one in Huawei (华为) — appears in the subsidiary name. When scrutiny increased, Huawei transferred Skycom shares from Hua Ying to another controlled entity, Canicula. Different shell, same control. A company called "Hua X Technology" or "HW Components" appearing in the same supply chain as a sanctioned Hua-prefixed entity is worth a deeper look.

The "isolation company" strategy

ZTE's internal documents literally used this term. In September 2011, four senior managers signed an executive memo proposing that the company establish new "isolation companies" to supply the U.S. component parts needed for projects in embargoed countries. The isolation companies would conceal ZTE's role in the transshipment scheme and insulate ZTE from export-control risk. Their first attempt was Beijing 8 Star (8S), intended to purchase the embargoed equipment so ZTE wouldn't have to. When ZTE decided 8S was insufficient to hide its connection, it identified a new isolation company and kept going.

The Hong Kong staging ground

Hong Kong remains the preferred jurisdiction for these structures. Why? Easy company formation (same-day is possible), no restrictions on mainland Chinese ownership, access to international banking, and a perceived separation from PRC entities. Skycom was a Hong Kong shell the U.S. maintains was controlled by Huawei — Skycom employees wore Huawei ID badges and used Huawei email addresses while on-site in Iran. The separation was legal fiction; the employees knew who they worked for.

Director recycling

People are harder to disguise than company names. The Huawei–Skycom case illustrates this perfectly. In February 2008, after Huawei transferred ownership of Skycom to Canicula, Meng Wanzhou joined Skycom's board of directors — a board comprised of Huawei employees. The CFO of Huawei sitting on the board of an "independent partner" is a pattern investigators can trace.

The secret fab network

Huawei has evolved the playbook. Rather than just trading companies, it's now building entire manufacturing networks under different names. The leading association of global chip companies has warned that Huawei is building a collection of secret semiconductor-fabrication facilities across China — a shadow manufacturing network that would let the blacklisted company skirt US sanctions by acquiring and building facilities under other companies' names without disclosing its direct involvement. To build the network, Huawei acquired fabs from JHICC and Qingdao Si'En and is assisting construction of fabs belonging to Pengxinwei IC Manufacturing (PXW) and Shenzhen Pensun Technology (PST). Looking at the corporate family tree, there's a clear gap: many fabs and upstream entities are not Entity-listed despite being controlled by Huawei — free to import advanced equipment while claiming not to share it with their restricted peers.

The intermediary partner

Sometimes the shell isn't a shell at all — it's a legitimate company used as a cutout. Before the events in the Micron indictment, the PRC lacked DRAM technology, and the central government had publicly identified DRAM and microelectronics as a national economic priority. State-owned Fujian Jinhua had the physical resources but lacked the expertise, so it turned to United Microelectronics Corporation (UMC) in Taiwan. UMC made Chen a senior vice president and assigned him to lead the agreement with Fujian Jinhua; Chen hired Ho and Wang, who brought Micron's confidential information to UMC from Micron's Taiwan subsidiary. The Taiwanese company became the vehicle for technology transfer to a Chinese state enterprise. UMC ultimately pled guilty and paid a $60 million fine.

The layering problem

Sophisticated entities don't use one shell. They use layers: sanctioned entity → Shell 1 (HK) → Shell 2 (Singapore) → Shell 3 (UAE) → Western supplier. Each layer adds distance. By the time an inquiry reaches the supplier, there are three "legitimate" companies between them and the end user. This is why single-entity due diligence fails. You're not looking for a bad company — you're looking for a bad network.

The OSINT approach

Tracking these structures requires:

  • Corporate registry access — not just current records, but historical filings showing when entities were formed, who the original directors were, and what ownership looked like before restructuring.
  • Cross-jurisdictional mapping — connecting a mainland parent to its HK intermediary to its Singapore trading arm means searching multiple registries that don't talk to each other.
  • Network visualization — the patterns become visible when you map directors, addresses, and shareholders across entities; they're invisible in sequential searches.
  • Timing analysis — correlating formation dates with regulatory actions, designation announcements, and procurement-contract timelines.

The shell company is designed to pass a high-level "wrapper" check. It's almost never designed to survive network analysis. So once you recognize the template, you start seeing it everywhere.

We teach the full methodology for mapping these networks in Advanced OSINT on China — which also covers OSINT, IMINT, SOCMINT, GEOINT, and the cyber domain.

GOT A QUESTION ABOUT OUR TRAININGS?

Not sure which program fits, or whether we cover what you need? Just ask.

We're happy to tell you whether a specific platform, or focus area is included in a given course — and if it's not, whether we can build it in.

Reach out to sales@epcyber.com about:

  • Whether we cover a specific platform (Weibo, Xiaohongshu, Douyin, CSDN, or anything not listed)
  • A particular focus area you need
  • Group rates, team enrollment, and custom corporate bundles
  • Eligibility — if you're unsure whether your organization qualifies
  • Payment options — wire transfer and other methods for organizations
  • Custom or tailored training built around your team's mission
  • Whatever you're trying to accomplish, tell us where you're headed and we'll point you to the right program.
All contact routes

WHY EPCYBER FOR CHINA OSINT?

Read Post