TRM Labs says money tied to Iran moved through CoinEx after the Bybit hack, and the weak point is not the blockchain. It is the exchanges that let sanctioned money keep moving.
The Wall Street Journal reported on June 25 that investigators tracing funds after February 2025's $1.5 billion Bybit hack, which the FBI and blockchain firms have attributed to North Korea's Lazarus Group, ended up at wallet addresses linked to Iran's central bank. That is the part you should sit with. One of the largest crypto thefts ever did not stay inside a neat North Korea story. It ran into the same offshore exchange plumbing Iran has been using for years.
TRM Labs, whose blockchain analysis underpins the Journal's reporting, estimates that Iran-linked wallets have moved more than $3.84 billion through the Hong Kong-registered exchange CoinEx since 2019. The firm also found direct transactions involving accounts tied to the Islamic Revolutionary Guard Corps. This isn't a story about a few criminals finding a temporary loophole. It is a story about infrastructure, built over years, with enough volume to make compliance failures look less like accidents and more like a business model.
The route is not especially mysterious. Nobitex, Iran's largest domestic crypto exchange, acted as the local entry point. CoinEx gave those funds a path into wider crypto markets. According to the Journal, transactions between the two platforms reached $763 million in one year, and by 2024 CoinEx had overtaken Binance as Nobitex's largest foreign counterparty. Binance pulled back after tightening its sanctions controls. CoinEx kept taking the traffic.
That detail matters more than any abstract argument about crypto anonymity. Blockchains are public enough for TRM Labs to follow the money. The problem begins when a centralized exchange sees the same flows and keeps the door open.
The U.S. sanctioned Nobitex on June 2, 2026, alongside three other Iranian digital asset exchanges. The Associated Press reported that Treasury accused Nobitex of supporting Iran's sanctions-evasion network and of processing more than half of Iran's digital asset income last year. Nobitex chairman and co-founder Amir Hossein Rad was also targeted. Once that designation arrived, CoinEx said it would geo-fence Iranian regions and review Iran-related risk exposure.
Frankly, that is late. If an exchange needs a sanctions designation and a front-page investigation before it starts blocking obvious Iran exposure, you are not looking at a strong compliance culture. You are looking at controls that worked only after the reputational damage became unavoidable.
The Journal reported that $67 million linked to the Central Bank of Iran flowed through CoinEx between June 2025 and June 2026. That is only the slice investigators could tie to those wallets. The larger TRM Labs estimate, the $3.84 billion figure going back to 2019, shows how long the pipeline had been operating before this week's attention landed on it. CoinEx disputes the characterization and says it does not facilitate sanctioned transactions. Readers should take that denial seriously, but not as the last word. The on-chain numbers are specific, dated, and tied to named counterparties.
The Weak Link Is Enforcement
Crypto defenders are right about one thing: blockchain transparency can make large-scale laundering easier to trace than cash or shell-company banking. TRM Labs could read the ledger. The question is what happens after the ledger speaks.
Right now, too many offshore exchanges have made a quiet bet that being outside the U.S. or EU is enough. MiCA gives Europe a cleaner rulebook for exchanges serving European customers. FinCEN rules bite when firms touch the U.S. system. But CoinEx's exposure, as described by the Journal and TRM Labs, sits in the harder zone: non-Western flows, sanctioned jurisdictions, and platforms that can claim they are not directly serving Washington or Brussels.
That leaves secondary sanctions. They are blunt, but they are built for exactly this problem: non-U.S. firms doing business with sanctioned parties. If a crypto exchange can process hundreds of millions of dollars from a counterparty in Iran and still keep access to enough banking, stablecoin, market-making, and vendor relationships to function, the cost of looking away is too low.
As The Block reported this week, CoinEx's Iranian exposure spans more than 60 linked entities. That is not a stray account slipping past a junior compliance analyst. It is a sustained relationship, and it forces a simple question for regulators: how many warnings does an exchange get before the market treats it as part of the sanctions-evasion system rather than a platform that failed to notice one?
The Bybit hack gave this story its hook, but the Iran trail is the bigger issue. North Korea can steal crypto. Iran can try to move sanctioned money. You cannot stop either by pretending the ledger is the weak point. The ledger did its job. The exchanges, and the governments deciding whether to punish them, are the test now.