CoinEx is facing fresh scrutiny after the Wall Street Journal reported that Iran-linked entities moved more than $3.84 billion through the exchange since 2019, based on TRM Labs analysis and public blockchain data. The reporting adds another uncomfortable reminder that crypto’s open rails are useful for legitimate users, and just as useful for sanctioned actors, hackers, and the people helping them wash the mess.
- $3.84 billion in reported Iran-linked flows through CoinEx since 2019
- Two Central Bank of Iran wallets allegedly tied into a wider tracing trail
- Bybit’s $1.5 billion theft sits in the background of the tracing claim
- U.S. sanctions pressure on Iranian crypto infrastructure is already tightening
According to the WSJ, investigators used TRM Labs analysis and public on-chain data to trace activity tied to Iran through CoinEx, while a separate thread reportedly led back to funds connected with the Bybit hack. The FBI has said North Korea was responsible for the Bybit theft, which involved approximately $1.5 billion in virtual assets stolen on or about February 21, 2025.
That distinction matters. There is a difference between traced fund movement and courtroom-grade proof of who controlled every wallet, who gave the orders, or who knowingly enabled the transfers. Blockchain analysis is powerful, but it does not read minds. It shows patterns, clusters, hops, and flow, not intent.
Still, the picture is not hard to read. U.S. authorities have been squeezing Iranian crypto infrastructure more aggressively, and CoinEx now sits in the line of sight because centralized exchanges are the easiest place for regulators to apply pressure. They hold customer funds, run KYC checks, and can screen transactions. When those controls fail, or are too weak, the platform becomes a convenient on-ramp for bad money. Compliance theater is not compliance.
That broader pressure campaign is already visible. The U.S. Treasury sanctioned four Iranian crypto exchanges, including Nobitex, in its economic fury campaign and said Nobitex handled more than 50% of all Iranian digital asset inflows in 2025. Treasury also said it had frozen nearly half a billion dollars in regime-linked cryptocurrency and linked a $344 million USDT freeze to two Tron wallets associated with the Islamic Revolutionary Guard Corps.
One detail that should not be glossed over: not everyone using crypto in Iran is a sanctions evader or regime operator. Many ordinary people use digital assets because the local currency is weak, capital controls are real, and access to global finance is restricted. That does not excuse illicit flows. It does mean the reality is messier than the lazy “all Iranian crypto is dirty” take that gets recycled whenever enforcement headlines pop.
The Bybit angle is where the whole thing gets uglier. The FBI said the theft from Bybit was carried out by North Korea, and the WSJ report says investigators traced activity from two wallets controlled by the Central Bank of Iran back to funds tied to that theft. If that tracing holds up, it shows how quickly stolen assets can be fragmented, rerouted, and blended into other transaction streams across chains and services.
That is the dark side of crypto’s flexibility. The same rails that let ordinary users move value across borders without begging a bank for permission also let sanctioned actors and criminal crews move fast, cheap, and at scale. Freedom of transfer is the point. It is also why governments keep trying to jam a boot into the gears.
Cheap, dollar-linked stablecoins make that easier. USDT on Tron is popular because it is fast and low-cost, which is exactly what makes it attractive for laundering and sanctions evasion too. Low friction is great until the wrong people start using it for the wrong reasons.
Decentralized protocols complicate enforcement even further. THORChain, for example, is not a centralized company with a neat freeze button. That makes it harder to police in the traditional sense, but not invisible. Public blockchains still leave breadcrumbs, and sometimes they leave a lot of them, just spread across a larger, uglier trail.
The important takeaway is not simply that CoinEx is under scrutiny. It is that the whole stack is under scrutiny: centralized exchanges, decentralized rails, stablecoins, cross-chain swaps, and the compliance gaps in between. Regulators will keep targeting the easiest chokepoints first, because that is where they can actually force change. Crypto was never going to be free from geopolitical abuse just because some people thought code would magically solve human behavior. Cute theory. Bad assumption.
Key takeaways
- Did CoinEx knowingly help Iran evade sanctions?
  Not on the record here. The strongest claim is that CoinEx was reportedly used in Iran-linked flows traced by analysts; intent or complicity has not been proven in the materials cited.
- Is the Bybit hack attribution solid?
  Yes. The FBI attributed the roughly $1.5 billion Bybit theft to North Korea. The separate wallet tracing back to those proceeds is reported through blockchain analysis.
- Why is the U.S. Treasury targeting Iranian exchanges?
  Because Treasury says Iran has used crypto to evade sanctions, move wealth, and support regime-linked activity. Nobitex was singled out as a major conduit.
- Can blockchain tracing prove criminal control?
  It can prove movement patterns and likely links, but not always ownership, knowledge, or intent. That’s the limit, and it matters.
- Why do centralized exchanges remain the main enforcement target?
  Because they can freeze funds, screen users, and run compliance checks. If they become blind spots, regulators notice, and they do not send flowers.
The bigger lesson is simple: crypto still does what it was built to do, move value without asking permission, but that same power is exactly why states, hackers, and sanctions dodgers keep using it. The real test is not whether the technology works. It does. The test is whether exchanges and protocols can stay useful without becoming a laundering service for the worst people on the internet and the governments that enable them.