Blockchain analytics firm TRM Labs published findings Wednesday identifying CoinEx as the primary international conduit for Iranian sanctions evasion, tracing more than $3.84 billion in blockchain-verified flows between the Seychelles-registered exchange and over 60 sanctioned Iranian entities since 2019. CoinEx issued a formal denial the same day — but the distinction the exchange drew, between establishing a formal business relationship and processing documented on-chain flows, may matter less under US law than the exchange’s statement implies. Under OFAC’s sanctions enforcement framework, civil penalties for sanctions violations can be imposed on a strict liability basis, meaning the legal exposure arises from the flows themselves — not from whether the exchange knowingly entered an agreement with sanctioned counterparties.
The TRM Labs report was published the same day the Wall Street Journal cited its findings, and it lands three weeks after the US Office of Foreign Assets Control sanctioned four major Iranian domestic exchanges — Nobitex, Wallex, BitPin, and Ramzinex — in what TRM described as the third distinct enforcement action targeting Iran’s crypto infrastructure in five months. CoinEx is not among the sanctioned entities, but TRM’s global head of policy Ari Redbord said the designations addressed only the domestic side of a pipeline that remains intact.
“OFAC’s June 2 designations took out 78% of Iran’s domestic crypto volume in a single action — but the international infrastructure that enabled that ecosystem remains largely intact,” Redbord said. “Enforcement and policy now need to grapple with the international gateways, not just the domestic exchanges.”
For users holding assets on CoinEx, the report raises a concrete question: how much regulatory and legal risk does a platform’s OFAC exposure transfer to the users on it? The practical answer is that exchange-level enforcement can freeze withdrawals, disrupt operations, and expose user funds to forfeiture proceedings — without those users having done anything wrong. The Binance settlement of 2023, in which the exchange paid $4.3 billion to resolve Department of Justice and OFAC charges that included facilitating Iranian transactions, is the closest structural precedent.
$3.84 Billion, Seven Years, Sixty Entities: What TRM Labs Found
TRM’s analysis centers on a seven-year pattern of on-chain activity linking CoinEx — founded in 2017 by Haipo Yang and registered in the Seychelles — to Iran’s domestic crypto ecosystem across more than 60 platforms.
Of the $3.84 billion total, approximately $2.7 billion flowed between CoinEx and Nobitex, Iran’s largest domestic exchange, across roughly 6.2 million individual blockchain transfers — an average of approximately $1 million per day since November 2018. Nobitex sent approximately $360 million more to CoinEx than it received, a net outflow pattern consistent with Iranian holders systematically routing capital outward through CoinEx in search of international liquidity.
The scale of the CoinEx-Nobitex relationship grew rapidly. Annual volume between the two exchanges stood at roughly $13 million in 2020. By 2021 it had reached approximately $575 million — a roughly 45-fold increase in a single year. Volume reached $763 million in 2025, by which point CoinEx accounted for an estimated 16.3% of Nobitex’s total annual transaction flow and had become Nobitex’s single largest external counterparty by nearly nine times over the next-largest named exchange. That ratio, TRM said, is “inconsistent with independent market behavior.”
The flows extend well beyond Nobitex. Every major Iranian domestic exchange routed approximately 5 to 15 percent of its total volume through CoinEx — a consistent band across dozens of independent platforms that TRM characterized as evidence of a coordinated arrangement rather than organic adoption. The sequential onboarding of Iranian exchanges to CoinEx — beginning with Nobitex and Excoino in 2018, followed by Wallex, Ramzinex, and others through 2019 and 2020, with smaller operators added through 2022 — resembles a structured client rollout rather than dozens of exchanges independently discovering the same platform.
How the Money Moved: The “National-Tether” Laundering Architecture
CoinEx’s exposure includes flows directly attributable to state-level Iranian institutions. TRM found that approximately $67 million in funds originating from the Central Bank of Iran entered CoinEx addresses between June 2025 and June 2026 as part of a structured multi-chain laundering scheme administered by the National Iranian Exchange under a program internally designated “National–Tether.”
The playbook was technically layered and designed for operational resilience. Wallets operated by the National Iranian Exchange received large deposits in USDT-on-TRON — often exceeding $5 million per transfer — then split those deposits into smaller structured increments. Those increments were routed through cross-chain bridges to Ethereum, where funds entered Gnosis Safe multisig contracts and were converted into Aave protocol tokens to complicate any freeze attempts. Assets were then fragmented and bridged a second time before reconsolidating and routing toward CoinEx as the terminal off-ramp. TRM also found that CoinEx provided transaction fee funding that facilitated portions of the laundering infrastructure itself.
TRM separately traced the path of some of those funds further: portions of the Central Bank flows carry documented blockchain connections to wallets linked to the February 2025 Bybit exchange hack, a $1.5 billion theft attributed to North Korean state-sponsored actors, indicating that Iranian sanctions infrastructure and North Korean cryptocurrency theft operations share at least some common on-chain rails.
CoinEx’s affiliated mining pool, ViaBTC — operated by parent company Viabtc Technology Limited and headquartered in Hong Kong — adds a further layer of documented exposure. TRM traced more than $154 million across approximately 4.47 million transfers between ViaBTC and Nobitex-linked wallets since 2018, with nearly all flows originating from ViaBTC, consistent with mining pool payouts flowing directly into Iranian exchange wallets. The strategic significance of that relationship became apparent after the Predatory Sparrow cyberattack on Nobitex in June 2025, which stole approximately $90 million from the exchange: TRM identified 117 previously dormant Bitcoin mining wallets at ViaBTC that activated and transferred approximately $2.7 million to a new Nobitex hot wallet, functioning as a liquidity recovery mechanism for a sanctioned exchange.
Beyond Iran, CoinEx carries direct blockchain-traced exposure to the Islamic Revolutionary Guard Corps ($6 million across 186 transfers), Palestinian Islamic Jihad ($374,000), and wallets linked to the Hezbollah designation. Additional high-risk exposure includes approximately $41.5 million linked to sanctioned Russian exchange Garantex, $2.4 million tied to BlackSuit ransomware, and $51.2 million connected to wallets involved in the September 2023 CoinEx hack itself.
The illicit transaction ratio TRM reported — approximately 8% of CoinEx’s total volume — sits against an industry compliance benchmark of roughly 0.3%. The ratio is roughly 27 times the threshold associated with compliant exchanges; TRM called it the quantitative basis for its conclusion that the CoinEx-Nobitex relationship reflects a “coordinated arrangement rather than organic adoption.”
CoinEx’s Defense and the Problem It Faces
In a statement posted to X on June 25, CoinEx denied the characterization across every dimension. The exchange said it had “never established any commercial relationship with Iranian exchanges or government entities,” had no office or operating entity in Iran, and that its official domain had been blacklisted by the Iranian government in 2021 — which it offered as evidence that it was not a state-backed platform.
CoinEx also challenged the evidentiary framework directly: “Blockchain transactions are open, cross-platform, and traceable by nature. The fact that funds have passed through a platform onchain does not mean that the platform was aware of, supported, or participated in the related fund activity.” The exchange further argued that combining two-way fund flows into a single aggregate figure was misleading.
The defense is coherent on its own terms, but it may misread the relevant legal standard. Under OFAC’s sanctions enforcement framework, civil penalties for sanctions violations can be imposed on a strict liability basis — meaning a violation can be established without proof that the exchange knowingly facilitated transactions with sanctioned counterparties. The relevant question for enforcement is whether sanctioned parties transacted through the platform, not whether the platform consciously entered a commercial agreement with them. OFAC’s 2023 Binance settlement document stated explicitly that “it is no defense that an algorithm or other ‘autonomous’ system or formula serves as the mechanism for the underlying transactions or activities that violate sanctions; companies are responsible for the operation and consequences of the technologies they employ and will be held accountable where their technologies result in violations.” The knowledge gap CoinEx points to is precisely the gap that strict-liability frameworks are designed to close.
CoinEx said it has initiated a comprehensive review and exit process for Iran-related risk exposure, implemented geo-fencing and access restrictions for Iranian regions, and strengthened KYC, AML, sanctions screening, and transaction monitoring. It added that following OFAC’s June 2 designations, it has begun compliance off-boarding for identified accounts.
That reactive timeline is itself a data point. TRM’s on-chain record shows CoinEx cycling its hot wallets on June 2, the same day OFAC announced the sanctions — a behavior TRM characterized as consistent with an exchange distancing its infrastructure from newly designated counterparties.
Is CoinEx Safe to Use? What the Regulatory History Shows
The CoinEx case illustrates a structural dynamic in crypto sanctions enforcement that individual users rarely encounter until it is relevant to them. When an exchange faces enforcement action — designation, indictment, asset freeze — the platform’s operational continuity becomes uncertain. Withdrawals may be suspended during investigations. Assets held on an exchange with active OFAC exposure can become subject to freezing orders during proceedings. Users who have done nothing wrong may nonetheless find their funds inaccessible for months or years while legal processes run.
CoinEx’s history provides additional context. The exchange settled with the New York Attorney General in June 2023, paying $1.7 million and permanently exiting the US market after the NYAG found it had operated as an unregistered securities and commodities broker-dealer. Under the settlement, CoinEx was banned from offering services to New York residents, required to implement geoblocking, and forced to refund $1.1 million to 4,691 investors. CoinEx is also no longer registered with the US Financial Crimes Enforcement Network or Lithuania’s financial crimes unit, has been investigated by Germany’s BaFin, and was blocked by Thailand’s Securities and Exchange Commission in May 2025.
In September 2023, CoinEx suffered a hot wallet hack that researchers estimated at between $43 million and $54 million, with blockchain investigator ZachXBT identifying wallet address overlap with the Lazarus Group — the North Korean state-backed hacking collective the FBI has publicly attributed to numerous large-scale crypto thefts.
CoinEx also lists Monero, Zcash, and Dash among its supported assets — privacy-focused cryptocurrencies specifically designed to obscure on-chain transaction trails — a characteristic TRM highlighted in its report as relevant to the exchange’s compliance profile.
The Crypto Exchange Sanctions Enforcement Gap
The TRM Labs report is explicit about what the June 2 OFAC actions did not accomplish. The four designated Iranian exchanges represented approximately 78% of Iran’s $9.9 billion in attributed 2025 crypto volume, but the international infrastructure through which that volume accessed global markets remained intact. CoinEx, in TRM’s framing, is that infrastructure.
The behavioral data supports the framing. After the June 2 OFAC designations, CoinEx volumes with Iranian entities dropped from a sustained average of roughly $1 million per day to below $150,000. Whether that decline reflects genuine off-boarding or the establishment of new evasion infrastructure not yet attributed remains, as TRM noted, undetermined.
The pattern here is one regulators have documented repeatedly. Venue-specific enforcement displaces activity rather than eliminating it — CoinEx overtook Binance as Nobitex’s primary counterparty specifically because Binance faced US enforcement pressure and tightened its controls. A similar displacement dynamic could follow enforcement against CoinEx.
Redbord, in a separate statement to CoinDesk published earlier this year, described the shift in how US Treasury investigators approach these cases: the concern is no longer simply that sanctioned actors used crypto, but that the activity “appears concentrated through exchange-linked systems that function as repeatable financial access points for sanctioned networks.” That framing moves the analytical focus from individual wallets to platforms functioning as service-layer infrastructure — which is exactly what TRM’s CoinEx report argues.
CoinEx is not among the sanctioned entities as of this article. The enforcement gap between the scale of documented flows and the absence of action against the exchange is the structural tension TRM’s report forces into view.
Frequently Asked Questions
Is CoinEx safe to use, given the TRM Labs Iran sanctions report?
Whether CoinEx continues to operate without disruption depends on decisions US regulators have not yet made publicly. The exchange has not been designated by OFAC, and no criminal charges have been announced. However, every user holding assets on the platform now carries exposure to whatever enforcement outcome follows: if OFAC sanctions CoinEx, operations could be disrupted and withdrawals suspended. The Binance precedent — where users faced temporary disruption during a $4.3 billion settlement proceeding — is the closest comparable case. Users who hold significant assets on CoinEx and wish to reduce that regulatory risk can transfer funds to exchanges with a lower documented illicit-transaction ratio and no active regulatory proceedings in progress.
What is blockchain analytics enforcement, and does on-chain evidence actually hold up legally?
Blockchain analytics firms like TRM Labs, Chainalysis, and Elliptic trace fund flows across public blockchain ledgers using heuristic clustering algorithms, transaction-timing analysis, and open-source intelligence overlays to attribute wallet addresses to named entities. OFAC has accepted blockchain analytics findings as the evidentiary basis for sanctions designations and enforcement settlements, including in the Binance case, where on-chain data tracing transactions to Iranian counterparties formed part of the settlement record. The core legal issue for CoinEx is not whether TRM’s methodology will be challenged, but whether OFAC’s strict-liability standard means that documented flows alone — regardless of the exchange’s intent — constitute the legal basis for a violation.
What is the difference between CoinEx’s situation and the earlier Binance Iran case?
Structurally, the cases are closely parallel. Binance was Nobitex’s largest external counterparty until US enforcement pressure caused it to tighten controls, after which CoinEx displaced it — a displacement TRM explicitly documents. The $3.84 billion attributed to CoinEx is smaller than the $8 billion attributed to Binance in pre-enforcement reporting, but TRM’s current report specifically identifies the CoinEx situation as the largest single-exchange crypto sanctions-evasion pipeline tied to Iran yet documented. Binance’s 2023 settlement totaled $4.3 billion. No equivalent action against CoinEx has been announced.
What does OFAC crypto exchange sanctions enforcement actually require to act?
OFAC can sanction a company by designating it as a Specially Designated National, which immediately freezes all US-person dealings with the exchange and can block it from the dollar-clearing system. The OFAC designation path does not require proof of criminal intent; it requires that the designated entity has facilitated transactions with sanctioned parties. The strict-liability framework means that an exchange’s stated policy of not serving Iran — without demonstrated technical controls sufficient to enforce that policy — does not constitute a defense. As OFAC’s own Binance enforcement document stated, “it is no defense that an algorithm or other ‘autonomous’ system or formula serves as the mechanism for the underlying transactions.”
