A newly obtained database from Iranian cryptocurrency exchange Ariomex suggests the platform may have played a role in sanctions evasion and large-scale capital transfers linked to actors inside the country.
The findings, published by Resecurity on Monday, are based on an analysis of internal records covering 2022 to 2025.
The data leak comes amid increased scrutiny of Iran’s financial system and its growing reliance on digital assets. In January 2026, the Central Bank of Iran reportedly acquired about $507m worth of Tether’s USDT, a move analysts believe was aimed at stabilising the national currency.
Earlier measures by the US Treasury Department targeted two crypto exchanges accused of facilitating transactions for the Islamic Revolutionary Guard Corps (IRGC).
Database Analysis Reveals High-Risk Activity
Resecurity said it reviewed 11,826 verified user records, identifying 27 potential matches against sanctions lists, though it noted that incomplete national ID data prevented definitive confirmation. Approximately 7,710 records originated from Iran, while others were linked to users in the US, Germany, France, the Netherlands and the UK.
Read more on cryptocurrency-based attacks: Crypto Hack Losses in First Half of 2025 Exceed 2024 Total
According to the report, 70% of traded assets on Ariomex were Tether and Tron. The majority of transactions were small, reflecting attempts by individuals to shield savings from currency devaluation. However, investigators also flagged larger requests, including daily transfers between $50,000 and $100,000.
Among the mechanisms identified were:
Large Transfers And VIP Profiles
Resecurity documented several cases involving multimillion-dollar transactions. In one example, a user sought to exchange $19m in cryptocurrency. Others reportedly attempted to move between $1m and $5m into or out of Iran, amounts that analysts described as inconsistent with average monthly salaries of $400 to $500 in the country.
The report also pointed to similarities with the June 2025 cyberattack on Nobitex, Iran’s largest crypto exchange, which was attributed to the group Predatory Sparrow and resulted in a $90m loss.
Resecurity said Ariomex imposed withdrawal limits of roughly $30,000 per month and $1,000 per day for most users, while verified customers could access up to $50,000 monthly. Some high-value accounts, however, allegedly operated with incomplete verification data yet handled substantial balances.
The company said it will continue assisting government agencies and regulators in identifying crypto-based sanctions evasion networks linked to Iran.
