Notice: Editorial analysis based on public data as of June 25, 2026 (Wall Street Journal investigation and TRM Labs on-chain tracing). This does not constitute financial or legal advice, nor an accusation: as of this date, OFAC has sanctioned Nobitex, not CoinEx, which denies the allegations. CleanSky does not receive commissions or referral payments from any platform mentioned.
Iran-linked entities moved $3.84 billion through CoinEx since 2019 to evade U.S. sanctions, according to on-chain analysis by TRM Labs, published by the firm on June 24, 2026, and reported by the Wall Street Journal. The pattern is clear: Nobitex — Iran's largest domestic exchange — served as the entry ramp, and CoinEx as the exit ramp to global markets. In 2024, CoinEx surpassed Binance as Nobitex's largest foreign counterparty, right after Binance tightened its compliance controls and withdrew from the channel. CoinEx (headquartered in Seychelles, founded in 2017) denies any commercial relationship and maintains that the data confuses ordinary user activity with state-level sanctions evasion. This article breaks down where that $3.84 billion comes from, explains why a second-tier exchange ends up becoming evasion infrastructure, and what regulatory risk this leaves for the rest of the sector.
What did the TRM Labs investigation reveal about CoinEx and Iran?
On June 24, 2026, the Wall Street Journal published an investigation based on chain tracing by TRM Labs — one of the blockchain intelligence firms used by U.S. agencies to track sanctioned flows — stating that more than 60 Iran-linked entities channeled $3.84 billion through CoinEx since 2019. TRM tracked the funds to wallets associated with Nobitex, Iran's largest domestic exchange, and the Iranian Central Bank itself.
The figure is not a vague estimate of suspicious activity: it is the result of following specific wallet-to-wallet transactions on public chains. And, as the analysis itself warns, it represents only what could be traced on-chain. The actual volume — that which passed through mixers, opaque bridges, or networks with difficult attribution — could be substantially higher. The $3.84 billion is the verifiable floor, not the ceiling.
Timing matters. On June 2, 2026, just three weeks before the publication, the U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned Nobitex, citing links to the Islamic Revolutionary Guard Corps (IRGC), designated as a terrorist organization by Washington. In that same action, OFAC also designated three other domestic Iranian exchanges — Wallex, BitPin, and Ramzinex — pointing to a coordinated strike against Iran's internal crypto infrastructure rather than an isolated case. The WSJ investigation, therefore, lands on an already sanctioned counterparty and describes the complete pipeline through which money left the Iranian economy toward the global crypto system.
How did the Nobitex → CoinEx → global markets channel work?
The evasion architecture follows a two-step logic that is worth separating. Nobitex is the domestic step: a user or entity within Iran exchanges rials or receives funds from the Central Bank and converts them into crypto assets. But Nobitex, on its own, does not solve the underlying problem of a sanctioned economy: it needs an exit toward global liquidity, toward dollars, stablecoins, or assets that can be moved and spent outside the Iranian perimeter.
That is where the second step comes in. CoinEx functioned as the exit ramp: the foreign counterparty where those assets were converted into internationally usable liquidity. Nobitex was the local on-ramp; CoinEx, the global off-ramp. At its peak, traffic between the two platforms reached $763 million in a single year.
The mechanism does not require an exchange to sign anything with Iran or to know, transaction by transaction, the ultimate origin of every deposit. It is enough for the compliance policy to be lax enough — or poorly enough enforced — for funds to enter, convert, and exit without friction. This is precisely the tension of the case: the difference between active complicity and structural negligence is difficult to prove from the outside, but the on-chain consequences are identical.
Why does a sanctioned economy depend on exchanges as a bridge?
To understand why this channel exists, one must look at Iran's structural problem. Excluded from the SWIFT banking messaging system and cut off from relationships with dollar correspondent banks, the country cannot move value across borders through conventional financial routes. Crypto solves exactly that friction: a digital asset crosses borders without asking permission from any intermediary bank and without passing through the payment network that sanctions block.
But crypto alone is not enough. A Bitcoin or a stablecoin inside Iran is only valuable as a bridge if there is a counterparty to convert it into spendable liquidity outside. Hence the dependence on a foreign off-ramp: without that exit, assets remain trapped in an isolated domestic market. The mining portion of the breakdown illustrates this — $154 million in Bitcoin mining rewards channeled via ViaBTC to Nobitex: mining generates new Bitcoin, with no prior transaction history, within the country itself, which then needs an exit ramp to be monetized. This is why a second-tier exchange willing not to look too closely becomes critical infrastructure for an economy under embargo.
What is the breakdown of the $3.84 billion?
The aggregate figure circulates in headlines, but its value for understanding the case lies in the breakdown that TRM's tracing allows us to reconstruct. This is where the data stops being a round number and becomes structured evidence:
| Flow Component | Amount | Origin / Nature |
|---|---|---|
| Total Iran-linked flow through CoinEx | $3,840 M | Accumulated since 2019, over 60 entities |
| Flow directly linked to Nobitex | $2,700 M | Domestic exchange, primary counterparty |
| Net imbalance Nobitex → CoinEx | $360 M | Net outflow (not offset bi-directional) |
| Mining payments via ViaBTC to Nobitex | $154 M | Bitcoin mining rewards |
| Central Bank of Iran funds | $67 M | Period June 2025 to June 2026 |
| Annual peak traffic between platforms | $763 M | Maximum in a single year |
Two items deserve specific attention. The first is the net imbalance of $360 million: CoinEx argues that TRM misleadingly adds bi-directional flows, but a net outflow balance means that, after accounting for what returned, $360 million more left than entered. This weakens the "ordinary user traffic in both directions" thesis. The second is the Central Bank component: $67 million traced to the Iranian monetary authority's wallets in the last year moves the case from the realm of the individual user to that of a state actor.
Why did part of the Bybit hack flow through this same channel?
A detail that connects this case to the North Korean laundering plot: TRM identified that a portion of the Bybit hack — the $1.5 billion theft attributed to actors linked to North Korea (the Lazarus group) — ended up at CoinEx. The sequence matters for understanding the legal implication: the funds stolen by Lazarus reached Iranian Central Bank wallets and from there were sent to CoinEx; CoinEx acted as an off-ramp for Iran, not for Lazarus directly. This is no minor coincidence. The exit corridors that serve to evade state sanctions are the same ones that organized crime and state-sponsored actors use to recycle stolen funds.
The pattern repeats in other episodes we have covered: off-ramp infrastructure with weak compliance is a shared resource. Whoever leaves a door open to move money out of a sanctioned economy leaves the same door open to launder the proceeds of a $1.5 billion exploit. The overlap of flows — North Korean-sourced funds channeled to CoinEx through Iranian intermediaries — is what makes a second-tier exchange a priority target for regulators.
Why did CoinEx fill the gap that Binance left?
The most instructive element of the case is not Iran: it is the dynamic of compliance arbitrage between exchanges. Before 2024, Nobitex's largest foreign counterparty was not CoinEx, but Binance. Binance strengthened its controls — identity verification (KYC), geoblocking, filtering of sanctioned wallets — and withdrew from the Iranian channel. As soon as Binance closed that exit, the flow did not disappear: it was redirected. CoinEx filled the gap and, in 2024, became Nobitex's largest foreign counterparty.
This is what is known in compliance as risk displacement: tightening controls on one platform does not eliminate the illicit flow; it pushes it toward the next platform with the lowest bar. Sanctioned money behaves like water: it looks for the crack. The regulatory question stops being "is this exchange complicit?" and becomes "who is now the weakest link in the chain?".
| Stage | Nobitex's Primary Foreign Counterparty | Factor |
|---|---|---|
| Until ~2023 | Binance | Largest global liquidity available |
| Transition | Binance withdraws | Stricter KYC, geoblocking, OFAC filtering |
| Since 2024 | CoinEx | Lower compliance bar, fills the gap |
What does CoinEx say in its defense and how much weight does the argument carry?
On June 25, 2026, one day after the WSJ publication, CoinEx formally denied the allegations. Its position, reported by CoinDesk, rests on several pillars: "we firmly reject any narrative that confuses ordinary user activity with state-level sanctions evasion" and "we do not provide services to any sanctioned entity or individual." The exchange adds that it never established commercial relationships with Iranian platforms, that Iran blacklisted it in 2021, and that TRM's data combines bi-directional flows in a way that inflates the apparent magnitude. Following the June 2 sanctions, it claims to have implemented geoblocking and new identity verification measures for users in Iran.
The defense should be taken seriously because part of it is plausible. The fact that blockchain data passes through a platform does not, on its own, prove that the platform endorsed it or knew its origin. An exchange can be an involuntary transit point. And the bi-directional flows argument has a real technical basis: adding up inflows and outflows as if they were all "evasion" is an exaggeration.
However, three elements strain that defense. The net outflow balance of $360 million already accounts for bi-directional traffic. Traceability to Iranian Central Bank wallets is difficult to explain as simple "ordinary user activity." And the calendar works against them: KYC and geoblocking measures arrived after the OFAC sanctions, which the specialized press has described as a reactive, not proactive, move. CoinEx may be right about methodological nuances without that clearing the central question regarding the robustness of its controls over six years.
Did OFAC sanction CoinEx or only Nobitex?
This is the legal distinction that the case requires us to clarify and which should not be overlooked. As of June 25, 2026, OFAC has sanctioned Nobitex (on June 2, for its links to the IRGC), but it has not sanctioned CoinEx. CoinEx is not, as of this date, on the U.S. Treasury's Specially Designated Nationals (SDN) list. The WSJ investigation and TRM tracing are journalistic and forensic evidence, not an official designation.
The dated chronology makes the sequence clear:
| Date | Milestone |
|---|---|
| 2019 | Start of tracked flows between Nobitex and CoinEx |
| 2021 | Iran blacklists CoinEx (according to the exchange itself) |
| 2024 | CoinEx surpasses Binance as Nobitex's largest foreign counterparty |
| Jun 2, 2026 | OFAC sanctions Nobitex for links to the IRGC |
| Jun 24, 2026 | TRM Labs publishes its analysis; WSJ publishes an article based on it |
| Jun 25, 2026 | CoinEx formally denies the allegations |
The fact that there is no designation yet does not mean the risk is zero. The historical sequence of the sector — public investigation, regulatory pressure, designation or settlement — suggests that a platform identified as the primary off-ramp for an already sanctioned counterparty comes under intense scrutiny. What follows depends on whether OFAC concludes there was systematic compliance failure or an involuntary occurrence.
What regulatory risk does this leave for second-tier exchanges?
The lesson the CoinEx case leaves for the rest of the sector is structural, not anecdotal. Compliance has ceased to be an optional cost and has become the line separating an operational exchange from a designated one. Binance did not withdraw from the Iranian channel out of kindness: it did so because the cost of appearing in an investigation like this — fines, exclusion from the dollar banking system, loss of correspondent banking relationships — far outweighs the yield from that flow.
For anyone operating or evaluating platforms, there are concrete implications. An exchange with lax KYC is not "more convenient": it is a latent regulatory liability that can freeze funds or be cut off from fiat ramps overnight if it enters a sanctions list. An exchange's counterparty risk is not measured only by its solvency or insurance: it is also measured by who it shares its pipeline with. And risk displacement guarantees that there will always be a "next CoinEx" — the platform that has the lowest bar today will be tomorrow's counterparty for the sanctioned economy of the moment.
For the end user, the practical conclusion is sober: an exchange's jurisdiction and compliance policy are not fine print; they are part of the asset's risk. Custodying value on a platform identified as a sanctions off-ramp exposes one to freezes, delays, and exclusion from fiat ramps. The on-chain transparency that allowed TRM to trace $3.84 billion is the same transparency that allows anyone to audit where they keep their money before a regulator does.
Related articles: How Lazarus uses protocols without strict KYC to launder funds. Stablecoins as financial infrastructure in sanctioned economies. The real risks of stablecoins, explained. Monitor which platforms your wallet shares a pipeline with and track your positions on-chain at CleanSky — the same chain transparency used by TRM Labs, available to everyone.