$1.5 Billion Crypto Heist: How North Korean Hackers Linked to Iran

A massive $1.5 billion cryptocurrency heist, originally orchestrated by North Korean hackers against the exchange Bybit, has revealed a startling connection to the Central Bank of Iran. The complex web of transactions highlights the growing challenge of monitoring digital assets that bypass traditional global financial systems to evade international sanctions.

The Trail from Bybit to Tehran

Investigations into the movement of stolen funds from the Bybit exchange have uncovered a sophisticated laundering process that crossed multiple borders and jurisdictions. Blockchain data reveals that after the initial theft, the stolen assets were routed through several platforms, eventually passing through two digital wallets directly linked to the Central Bank of Iran.

This discovery underscores the ability of state-sponsored actors to utilize the decentralized nature of cryptocurrency to move massive amounts of capital. The movement of these funds through Iranian wallets suggests a high level of integration between illicitly obtained crypto and the financial infrastructure of sanctioned nations.

CoinEx: A Major Gateway for Iranian Crypto

A central figure in this transaction chain is CoinEx, a Seychelles-based exchange launched in 2017 by Chinese engineer Haipo Yang. According to blockchain intelligence firm TRM Labs, CoinEx has become a significant conduit for Iranian capital, with wallets linked to Iran moving over $3.84 billion through the platform since 2019.

The exchange has also been implicated in more controversial dealings:

  • Sanctioned Entities: TRM Labs found that CoinEx-hosted wallets interacted with accounts attributed to Iran’s Islamic Revolutionary Guard Corps (IRGC).
  • Sanctioned Individuals: Between 2022 and 2025, CoinEx processed activity linked to Alireza Derakhshan, a key figure in sanctioned Iranian oil sales networks.
  • Sanction Evasion: The platform interacted with Zedcex, a London-registered exchange linked to Babak Zanjani, an individual associated with IRGC-linked sanctions evasion.

While CoinEx has denied any direct connection to the Iranian government and claims to be implementing stricter IP blocking for Iranian users, the sheer volume of suspicious flow remains a point of international scrutiny.

The Explosive Growth of Iran's Crypto Economy

The heavy reliance on cryptocurrency in Iran is driven by both economic necessity and strategic maneuvering. As the Iranian rial continues to weaken, citizens have increasingly turned to digital assets to preserve their savings. Researchers estimate that approximately 13% of the Iranian population now owns cryptocurrency.

By 2025, Iran's domestic crypto market is projected to be valued between $8 billion and $10 billion. This massive market has created a symbiotic relationship between domestic exchanges and foreign platforms. For instance, after Binance tightened its compliance measures in 2022, CoinEx emerged as the largest foreign counterparty for Nobitex, Iran's domestic crypto exchange.

Challenges for Global Sanctions Enforcement

This heist and the subsequent trail demonstrate the immense difficulty the United States and other global regulators face in enforcing sanctions. When digital assets move through exchanges operating outside US jurisdiction—or those that have already exited the US market—the ability to freeze funds or intercept transfers diminishes significantly.

The recent sanctions imposed by the Trump administration on Nobitex further highlight the escalating "cat-and-mouse" game between global regulators and decentralized financial networks used by sanctioned states to bypass traditional economic barriers.

Key Takeaways

  • Complex Money Laundering: A $1.5 billion heist by North Korean hackers successfully moved through Iranian central bank wallets and multiple global exchanges.
  • Strategic Crypto Use: Iran's crypto market, valued at up to $10 billion, serves as both a hedge against inflation for citizens and a tool for state-sanctioned economic activities.
  • Regulatory Blindspots: The reliance on offshore exchanges like CoinEx makes it increasingly difficult for international authorities to monitor and block the flow of funds to sanctioned entities like the IRGC.