Investigators reportedly traced funds from wallets linked to the Central Bank of Iran to assets stolen in the 2025 Bybit hack, which the FBI attributed to North Korean hackers. While CoinEx has not been accused of wrongdoing or faced new US enforcement action, the report renewed scrutiny of the exchange's anti-money laundering and sanctions compliance measures.
CoinEx Under Fire
The Wall Street Journal reported that crypto exchange CoinEx processed more than $3.84 billion in transactions linked to Iranian entities since 2019. According to the report, which referred to blockchain analytics firm TRM Labs and public on-chain data, CoinEx allegedly became one of the primary channels used by Iran-linked entities to move digital assets beyond the reach of US sanctions.
The report focuses on blockchain activity involving two crypto wallets that investigators identified as being controlled by the Central Bank of Iran. Analysts reportedly traced the movement of funds from these wallets and found connections to crypto that was stolen during the massive 2025 hack of crypto exchange Bybit.
While CoinEx has not been accused of wrongdoing by US authorities or subjected to new enforcement action, the report still raised serious questions about the exchange's anti-money laundering controls and sanctions screening procedures.
Investigators reportedly followed the transaction trail backward from the Iranian central bank wallets, and eventually linked the funds to assets stolen during the Bybit breach. The stolen cryptocurrency is said to have passed through numerous wallets and transactions before eventually reaching CoinEx.
The Bybit hack is one of the largest crypto thefts on record. The US Federal Bureau of Investigation previously attributed the attack to North Korean hacking groups, and alleged that the stolen assets were laundered through an extensive network of wallets before being converted into Bitcoin and other cryptocurrencies.
US authorities are increasing pressure on Iran's cryptocurrency ecosystem. Earlier this year, the US Treasury sanctioned four Iranian cryptocurrency exchanges, including Nobitex, as part of its Economic Fury campaign. Officials alleged that these platforms enabled sanctioned individuals and organizations to access digital asset markets despite existing financial restrictions. Blockchain analytics company Chainalysis has also reported that Nobitex accounts for roughly half of Iran's crypto trading activity.
The CoinEx findings also build on concerns surrounding the laundering of assets stolen from Bybit. After the exchange hack, blockchain investigators reported that decentralized protocol THORChain processed close to $3 billion in swap volume linked to the stolen funds. Unlike decentralized protocols, centralized exchanges like CoinEx are generally expected to implement customer verification and transaction monitoring systems designed to detect suspicious activity.
Although the Wall Street Journal report does not allege that CoinEx knowingly facilitated sanctions evasion or money laundering, the findings are likely to draw even more regulatory attention.
