From North Korean Heists to Iran: The $1.5 Billion Crypto Trail
A massive $1.5 billion cryptocurrency heist originally linked to North Korean hackers has revealed a complex web of transactions involving the Central Bank of Iran. This investigation exposes how digital assets are being used to bypass international sanctions and move through global exchanges.
The North Korean Connection and Iranian Wallets
The investigation began when blockchain analysts traced the movement of $1.5 billion stolen from the cryptocurrency exchange Bybit. While the heist was attributed to North Korean hackers, the money trail took an unexpected turn when investigators identified two specific wallets controlled by the Central Bank of Iran.
According to reports from the Wall Street Journal and blockchain intelligence firm TRM Labs, the stolen funds moved through these Iranian wallets before being routed through a series of platforms to obscure their origin. This movement highlights the growing challenge for global authorities in monitoring cross-border digital assets that operate outside traditional, regulated banking systems.
CoinEx: A Major Gateway for Iranian Transactions
A critical link in this multibillion-dollar trail is CoinEx, a Seychelles-based exchange founded in 2017 by Chinese engineer Haipo Yang. Data suggests that CoinEx has become a primary gateway for Iranian crypto users, with TRM Labs reporting that wallets linked to Iran have moved over $3.84 billion through the platform since 2019.
The investigation found that CoinEx-hosted wallets not only received hacked crypto linked to Iran’s central bank but also interacted with accounts attributed to the Islamic Revolutionary Guard Corps (IRGC). While CoinEx has denied any official connection to the Iranian government and stated it is now limiting access from Iranian IP addresses, the exchange's history of hiring staff within Iran to expand its user base has come under intense scrutiny.
Sanctions Evasion and the Role of Nobitex
The surge in cryptocurrency adoption in Iran (estimated at 13% of the population, with a market value between $8 billion and $10 billion by 2025) is largely driven by citizens seeking to protect their savings from the weakening rial. However, this demand has also created loopholes for sanctions evasion.
The relationship between international exchanges and Iran's domestic exchange, Nobitex, is a key point of interest. While Binance previously served as a major partner for Nobitex, it tightened compliance in 2022. By 2024, CoinEx had emerged as Nobitex’s largest foreign counterparty. This connection became a focal point for the Trump administration, which recently sanctioned Nobitex for allegedly supporting the Iranian government.
Links to Sanctioned Entities and Oil Networks
Beyond state institutions, the investigation identified transactions involving CoinEx wallets and individuals tied to sanctioned oil sales networks. Specifically, activity was linked to Alireza Derakhshan, an individual involved in an oil sales network sanctioned by the US Treasury.
Furthermore, CoinEx wallets interacted with Zedcex, a London-registered exchange linked to businessman Babak Zanjani, who has been associated with sanctions evasion operations for the IRGC. These findings underscore the sophisticated methods used to integrate illicitly obtained or sanctioned funds into the broader cryptocurrency ecosystem.
Key Takeaways
- Complex Money Laundering: Funds from a $1.5 billion North Korean heist were traced through Iranian central bank wallets and major exchanges like CoinEx.
- Sanctions Challenges: The rise of a $10 billion crypto market in Iran provides a significant tool for bypassing US-led international sanctions.
- Exchange Scrutiny: Platforms like CoinEx and Nobitex are under heavy observation due to their role as primary gateways for Iranian capital and sanctioned entities.
