Sanctions in the Shadows: How Rogue States Are Using Crypto

From Iran's state-linked exchange Nobitex to North Korea's Lazarus Group, authoritarian regimes are systematically exploiting crypto infrastructure to bypass Western sanctions - and the scale is only now becoming clear.

Key Takeaways

  • Iran's Nobitex has processed an estimated $11 billion in total volume and serves 11 million users, but investigative reporting and blockchain analysis suggest the exchange may also function as a conduit for state-level sanctions evasion, with possible transfers of hundreds of millions of dollars linked to the Iranian central bank [1]
  • The selective operation of Nobitex during Iran's internet shutdown - serving only a small, state-approved group - is strong circumstantial evidence of deep institutional ties that go beyond a simple commercial exchange [1]
  • North Korea's Lazarus Group represents the offensive side of the same geopolitical crypto strategy, with the $1.4 billion Bybit theft illustrating how stolen digital assets fund state programs beyond the reach of traditional sanctions [2]
  • The U.S. freeze of $344 million in Iranian USDT will likely accelerate sanctioned actors' shift toward Bitcoin, where no centralized issuer can intervene - a development that will intensify regulatory pressure on Bitcoin exchanges and custody providers globally [1]
  • For investors and builders, the key risk is not Bitcoin itself being sanctioned, but the compliance environment tightening around on-ramps and off-ramps as governments respond to state-level abuse of crypto infrastructure [1][2]

Sanctions in the Shadows: How Rogue States Are Weaponizing Crypto Infrastructure

The story of Bitcoin and geopolitics has always carried a dual narrative. On one hand, Bitcoin represents financial freedom for ordinary citizens living under authoritarian monetary systems. On the other, the same censorship-resistant properties that empower dissidents also make crypto an attractive tool for state actors seeking to evade international pressure. Two recent investigations - one into Iran's dominant domestic exchange and one into North Korea's relentless hacking operations - reveal that this dual nature is no longer theoretical. It is operational, systematic, and growing in sophistication.

What we are witnessing is not opportunistic sanctions evasion by rogue individuals. It is a structural integration of cryptocurrency into the foreign policy toolkit of sanctioned states. Understanding this shift is critical not just for regulators, but for anyone who holds, builds, or invests in Bitcoin.

The Facts

Iran has been under international sanctions since the mid-2000s over its nuclear program, including exclusion from the SWIFT financial messaging system and restrictions on oil exports [1]. Over time, the Iranian state has responded by quietly building a parallel financial architecture - one that increasingly relies on digital assets. The centerpiece of this architecture, according to a detailed Reuters investigation, appears to be Nobitex, the country's largest cryptocurrency exchange [1].

Founded in 2017 by Amir Hosein Rad and two brothers who publicly used the surname Aghamir, Nobitex has grown to serve approximately 11 million users and has processed a total volume of around $11 billion [1]. But the Reuters investigation raises serious questions about who else is using the platform. Internal documents and email records allegedly link the founding brothers to the name Kharrazi - a family connected to Iran's supreme leader and holders of senior government positions including foreign minister and senior advisor [1]. Nobitex has denied these connections and insists it has never cooperated with the Iranian central bank, the Islamic Revolutionary Guard Corps (IRGC), or any other state institution.

The on-chain evidence tells a more complicated story. Blockchain analytics firm Elliptic estimates that Iran's central bank may have purchased more than $500 million in cryptocurrency between November 2024 and June 2025, transferring roughly $347 million of that to Nobitex [1]. Estimates of total illicit transaction volume through the platform vary widely across firms - Elliptic puts it at a minimum of $366 million, Chainalysis at $68 million, and Crystal Intelligence at $22 million [1]. The discrepancies reflect genuine methodological disagreement about which wallets to classify as sanctioned. Even at the high end, this represents just over three percent of Nobitex's total volume - a figure that complicates any blanket characterization of the exchange as a state tool, while still representing hundreds of millions of dollars in potential sanctions circumvention.

The picture became sharper during the military conflict that began in late February 2026, when the United States and Israel launched strikes on Iran [1]. The Iranian government shut down the public internet and cracked down on VPNs - cutting off most citizens from digital asset markets entirely. Yet Nobitex kept operating for a narrow group on what Crystal Intelligence describes as "state-approved" lists, processing roughly $54 million in transactions during the conflict period [1]. That selective access is perhaps the most revealing data point of all.

Meanwhile, the North Korean threat vector continues to operate at a different scale entirely. The Lazarus Group and affiliated actors have built what amounts to a state-sponsored cyber-finance operation, targeting crypto exchanges and DeFi protocols with increasingly sophisticated attacks [2]. The theft of $1.4 billion from Bybit stands as one of the largest single financial crimes in history [2]. North Korea's government has dismissed all such accusations as politically motivated fabrications, with its foreign ministry calling the allegations "absurd slander" and framing them as a continuation of hostile U.S. policy [2]. Independent investigators and blockchain forensics firms continue to attribute the attacks to Pyongyang with high confidence.

Analysis & Context

These two cases - Iran's Nobitex and North Korea's hacking apparatus - represent distinct but converging strategies for using crypto as a geopolitical instrument. Iran has built domestic infrastructure to capture and deploy crypto at scale, embedding it into trade flows, transit fees, and potentially weapons financing. North Korea has taken the offensive route, extracting value directly from the global crypto ecosystem through technically sophisticated heists. Both strategies exploit the same fundamental property: the permissionless, borderless nature of open blockchain networks.

This is not a new problem, but the scale and institutional depth are new. OFAC first included Bitcoin addresses on a sanctions list in 2018, targeting an Iranian cybercrime network with links to the IRGC [1]. In the years since, the infrastructure has matured considerably. The fact that the U.S. Treasury froze $344 million in USDT linked to Iran in April 2026 is significant - but the immediate implication, as the source material correctly identifies, is that sanctioned actors will accelerate their migration away from Tether and toward Bitcoin itself [1]. Stablecoins are issued by centralized entities that can freeze funds on command. Bitcoin cannot be frozen. That asymmetry is not lost on Tehran or Pyongyang.

For the broader Bitcoin ecosystem, these developments demand honest engagement rather than denial. The censorship resistance that makes Bitcoin valuable to Iranians protecting their savings from rial devaluation is the same property that makes it useful to the IRGC. That tension cannot be resolved by protocol design - it can only be navigated through the policy, compliance, and exchange infrastructure that sits on top of the base layer. The real question for the next cycle of sanctions enforcement is whether Western governments will treat domestic exchanges in sanctioned countries as legitimate targets, and whether international exchanges that processed transactions linked to Nobitex - including Binance, which reportedly provided assistance as late as 2022 [1] - will face renewed scrutiny.

AI-Assisted Content

This article was created with AI assistance. All facts are sourced from verified news outlets.
