North Korean Crypto Heist Traced to Iran’s Central Bank

A massive $1.5 billion cryptocurrency heist originally targeting the Bybit exchange has revealed a complex global money laundering web involving North Korean hackers and the Central Bank of Iran. This investigation exposes how digital assets are being used to bypass international sanctions and move through unregulated financial corridors.

The $1.5 Billion Trail: From Bybit to Tehran

The investigation into the $1.5 billion theft from Bybit has uncovered a sophisticated series of transactions that moved stolen funds across the global crypto ecosystem. Blockchain investigators successfully traced the movement of these assets through two specific wallets controlled by the Central Bank of Iran.

Rather than disappearing into the dark web, the stolen capital was routed through several intermediary platforms to obscure its origin. This discovery highlights a growing geopolitical risk: the intersection of state-sponsored cybercrime from North Korea and the financial infrastructure of sanctioned nations like Iran.

CoinEx: The Gateway for Iranian Crypto Flows

A central figure in this web is CoinEx, a Seychelles-based exchange launched in 2017 by Chinese engineer Haipo Yang. According to data from blockchain intelligence firm TRM Labs, CoinEx has emerged as a critical gateway for Iranian users, with wallets linked to Iran moving more than $3.84 billion through the platform since 2019.

The investigation found that CoinEx-hosted wallets not only received hacked crypto linked to Iran’s central bank but also interacted with accounts attributed to the Islamic Revolutionary Guard Corps (IRGC). While Yang has denied any official connection to the Iranian government, the exchange has historically maintained a significant presence in the country, even hiring local staff to expand its user base.

Sanctions Evasion and the Rise of Iran's Crypto Market

The surge in cryptocurrency adoption in Iran is driven by both investment demand and a desperate need for citizens to protect their savings against the weakening rial. Researchers estimate that roughly 13% of Iranians now own cryptocurrency, with the national market projected to be valued between $8 billion and $10 billion by 2025.

This massive market presents significant challenges for US-led sanctions enforcement. As traditional banking channels are restricted, crypto-networks like the relationship between Iran's domestic exchange, Nobitex, and foreign entities like CoinEx, provide a lifeline for moving capital. The Trump administration recently sanctioned Nobitex, alleging it supports the Iranian government, further highlighting the tension between digital finance and international law.

The probe also identified direct links between CoinEx wallets and individuals involved in sanctioned oil sales. Between 2022 and 2025, the exchange processed activity linked to Alireza Derakhshan, an individual tied to an oil sales network sanctioned by the US Treasury.

Furthermore, transactions were traced to Zedcex, a London-registered exchange linked to businessman Babak Zanjani, who is associated with IRGC-linked sanctions evasion. These connections illustrate how cryptocurrency is being utilized to facilitate high-level economic activities that bypass the traditional global financial system.

Key Takeaways

  • Global Laundering Web: Stolen funds from a $1.5 billion North Korean heist on Bybit were traced through wallets belonging to the Central Bank of Iran.
  • Exchange Scrutiny: CoinEx has become a major corridor for Iranian capital, facilitating over $3.84 billion in transfers and interacting with sanctioned entities.
  • Sanctions Challenge: The growing $8–$10 billion Iranian crypto market serves as a critical tool for sanctions evasion, complicating US efforts to regulate illicit financial flows.