Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Insights
March 3, 2026

Understanding Nobitex: Iran’s Largest Crypto Exchange

TRM Team
Understanding Nobitex: Iran’s Largest Crypto Exchange

Key takeaways

  • Nobitex is central to Iran’s crypto ecosystem.  With over USD 5 billion in observed volume from 2025 to the present — and tens of billions processed since 2019 — Nobitex serves as Iran’s primary crypto on- and off-ramp, connecting domestic users to global markets.
  • Post-strike activity reflected operational fund management — not clear capital flight. Following the February 28 US-Israeli strikes, TRM observed increased flows, including transfers exceeding USD 35 million to cold storage. Based on historical behavior and wallet attribution, these movements aligned with routine liquidity management rather than user-driven withdrawals.
  • The 2025 hack exposed sophisticated internal architecture. The June 2025 breach — resulting in approximately USD 90 million in losses — revealed a multi-tier custody system (hot, warm, and cold wallets), automated routing logic, and differentiated controls for high-value or politically connected clients. Documentation suggested additional structures designed to mitigate sanctions-related constraints.
  • Dormant mining reserves helped stabilize operations. After the breach, TRM identified approximately USD 2.7 million consolidated from more than 100 previously dormant mining-linked wallets. The timing suggests Nobitex mobilized reserves to restore liquidity as it resumed services.
  • Nobitex sits at the nexus of a sanctioned cross-border ecosystem.On-chain exposure includes flows linked to sanctioned exchanges such as Garantex, high-risk platforms like BitPapa and A7, and wallets associated with designated terrorist organizations. These patterns reflect Nobitex’s role within a broader network connecting sanctioned jurisdictions and offshore facilitators.

{{horizontal-line}}

Background

Iran’s crypto economy has grown as both ordinary Iranians and regime-linked actors look for alternate settlement rails under strict sanctions – a trend likely to continue even as the conflict shifts into the kinetic following strikes on Iran and the onset of a broader regional war. Nobitex, Iran’s largest digital asset platform, provides a focal point through which to consider the regime’s financial strategy and assess how it might evolve. 

Nobitex is the central hub of the country’s crypto ecosystem, with approximately USD 5 billion in observed volume from 2025 to the present. It serves both as a retail gateway for ordinary Iranians seeking access to foreign currency and as a key component of Iran’s financial infrastructure, facilitating cross border value transfers outside traditional banking channels.

Given its scale, reach, and integration into Iran’s economy, Nobitex is one of the most consequential exchanges operating within a comprehensively sanctioned jurisdiction. In a country largely cut off from the global financial system, the platform plays an important role in enabling liquidity, settlement, and capital movement.

Nobitex employs sophisticated operational techniques to manage liquidity, reduce transaction costs, and obscure the origin and destination of customer funds when interacting with global services. These behaviors are common for exchanges operating in heavily sanctioned environments. Details regarding aspects of these operational methods became public following a hack and leak operation in 2025, offering rare insight into how a major exchange adapts to sustained sanctions pressure.

Understanding Nobitex is essential to understanding how crypto functions within Iran’s broader economic and geopolitical strategy during periods of escalation and conflict.

Nobitex showed increased activity in wake of US-Israeli strikes

This graph does not include the below USD 40 million cold storage transaction.

In the immediate aftermath of the US-Israeli strikes on February 28, Nobitex recorded higher incoming and outgoing activity compared to the prior day. TRM observed an increase of nearly USD 3 million in aggregate flows on February 28 relative to February 27. Our analysis indicates that this increase was driven primarily by an internal transfer on Polygon from a Nobitex hot wallet to a cold storage wallet.

TRM also identified a separate transfer of more than USD 35 million from a Nobitex hot wallet to a Nobitex-controlled cold wallet during the same period. Based on historical behavior and wallet attribution, we assess that this movement reflects routine infrastructure liquidity management rather than user-driven withdrawals. In context, these transfers align with normal operational fund rebalancing and do not, at this stage, provide evidence of capital flight from the exchange.

2025 hack showed Nobitex inner workings

In June 2025, the Israel-linked hacking group Predatory Sparrow breached Nobitex, resulting in the loss of approximately USD 90 million in digital assets. TRM’s on-chain analysis in the immediate aftermath showed rapid cross-chain movement of compromised funds alongside defensive repositioning of exchange-controlled assets. Shortly after the breach, attackers published Nobitex’s internal source code, configuration files, and system documentation.

The leaked materials provided rare visibility into the exchange’s internal architecture. Nobitex operated a multi-tier custody model structured around hot, warm, and cold wallet layers, each managed through distinct internal services and APIs. Asset movement relied on orchestration logic spanning internal approval flows, automated routing rules, and system-level reconciliation processes. The documentation also revealed differentiated handling for high-value and politically connected clients, with transaction pathways and controls that diverged from those applied to general users.

The breach exposed how ownership records, withdrawal logic, and internal ledger reconciliation were distributed across both on-chain and off-chain systems. While this design mirrors patterns used by global exchanges, the Nobitex implementation showed additional layers specifically designed to minimize the impact of sanctions and external monitoring. Additionally, Nobitex explicitly outlines in the documents that the structures are designed to defeat US regulatory bodies.

In the aftermath of the hack, incoming transaction volumes dropped by more than 70% year over year. However, Nobitex resumed service in stages beginning in late June, aided in part by reserves held in bitcoin, including funds consolidated from previously dormant mining-linked wallets.  

TRM identified a newly created bitcoin address associated with the exchange that received approximately USD 2.7 million from more than 100 previously dormant mining-linked wallets over a ten-day period after the breach. These wallets had accumulated mining rewards in 2021 and 2022 and had not previously moved funds. The majority of upstream flows traced back to two major global mining pools, EMCD and ViaBTC. The timing of this consolidation, immediately after the hack and shortly before withdrawals were reportedly restored, indicates that the exchange mobilized dormant reserves to stabilize operations during a period of acute stress.

Leadership links to the Iranian regime

TRM analysis indicates that Seyed Mohammad Aghamir likely plays a senior leadership role within Nobitex’s blockchain and transaction infrastructure, based on open-source reporting, sanctions records, and analysis of leaked internal Nobitex source code following the June 2025 breach. 

Open source information consistently identifies Aghamir as Nobitex’s blockchain lead, while US Treasury sanctions designations confirm his senior role within Iran’s cyber governance apparatus. This assessment is strengthened by review of internal Nobitex code and documentation released by the Predatory Sparrow hack, which revealed centralized control over high-value and VIP transaction flows and identified oversight functions that align with Aghamir’s publicly reported role. Many senior Nobitex executives have familial and/or personal ties to Iranian officials at the highest levels of the regime.

Little is known about Nobitex’s CEO and founder Amir Rad aside from his educational background and position with the exchange.

Operational model and on-chain footprint

Since 2019, Nobitex has processed tens of billions of dollars in transaction volume, supporting millions of users across Bitcoin, Ethereum, TRON, and other major networks. It functions as the primary gateway between Iran’s local currency environment and global crypto markets, serving as the central on and off-ramp for digital assets within the country.

Over time, Nobitex has emerged as a recurring nexus point in blockchain tracing connected to Iranian regime linked activity. On-chain exposure includes transaction flows associated with entities tied to the Islamic Revolutionary Guard Corps (IRGC), the recently sanctioned exchange Zedcex, and regime financiers such as Alireza Derakhshan and Arash Estaki Alivand. These patterns reflect the exchange’s position within a broader national financial architecture.

Nobitex operates as a critical node in what can be described as a shadow financial ecosystem linking sanctioned jurisdictions and their offshore facilitators. Domestic exchanges, offshore brokers, shell companies, Russian and Venezuelan intermediaries, and Chinese suppliers interact across shared settlement pathways, with cryptocurrency serving as a flexible rail for cross border value transfer. Within that ecosystem, Nobitex provides liquidity, routing, and integration between domestic capital and external counterparties, anchoring a network designed to access foreign currency and sustain financial connectivity under sanctions pressure.

On-chain analysis shows that Nobitex maintains extensive transactional exposure to a range of sanctioned and high-risk entities. This includes flows linked to the sanctioned and now-defunct Russian exchange Garantex, peer-to-peer platform BitPapa, and cross-border settlement network A7. TRM has also identified interactions connected to wallets associated with Hamas, including through the sanctioned fundraising network Gaza Now, and designated foreign terrorist organization Palestinian Islamic Jihad.

These patterns reflect the exchange’s position within a broader transnational ecosystem where sanctioned actors, facilitators, and aligned organizations intersect across shared digital asset infrastructure.

Outlook

As the conflict evolves and economies adjust, monitoring Nobitex’s liquidity posture, exchange controls, and on-chain counterparties will be important to assess how Iran’s broader crypto financial ecosystem adapts under geopolitical strain. Nobitex is so closely linked to the regime that its operational picture as the conflict continues or settles will likely be directly connected to the fate of regime actors – reflecting capital flight if they flee, or falling back into old patterns if appointed successors return to the negotiating table.

TRM will continue to closely monitor developments and provide updates as conditions change.

{{horizontal-line}}

Frequently asked questions (FAQs)

1. What is Nobitex?

Nobitex is Iran’s largest cryptocurrency exchange and the country’s primary gateway between the domestic currency environment and global crypto markets. It supports major networks such as Bitcoin, Ethereum, and TRON, and serves millions of users.

2. Why is Nobitex significant in the context of sanctions?

Iran faces comprehensive sanctions that limit access to traditional banking infrastructure. Nobitex provides an alternative settlement rail, enabling cross-border value transfers and access to foreign-denominated assets outside conventional financial channels.

3. Did users withdraw funds after the February 28 strikes?

TRM observed increased activity immediately following the strikes, including large transfers to cold storage. However, the available on-chain evidence suggests these movements were consistent with internal liquidity management rather than widespread customer withdrawals.

4. What did the June 2025 hack reveal?

The breach exposed internal source code and system documentation, revealing a layered custody model and orchestration systems governing asset movement. It also highlighted differentiated controls for certain client categories and structures designed to operate under sustained sanctions pressure.

5. How did Nobitex recover after losing approximately USD 90 million?

Incoming transaction volumes initially dropped more than 70% year over year. Nobitex resumed services in stages and consolidated bitcoin from dormant mining-linked wallets, indicating the use of reserve assets to stabilize operations.

6. What is Nobitex’s exposure to sanctioned or high-risk entities?

On-chain analysis shows transactional exposure to sanctioned exchanges, cross-border settlement networks, and wallets associated with designated organizations. These flows reflect Nobitex’s position within a broader transnational financial ecosystem where sanctioned actors intersect through shared digital asset infrastructure.

This is some text inside of a div block.

Related posts

arrow right
BLOG
March 2, 2026

How Iran’s Crypto Market is Reacting to Conflict

arrow right
BLOG
August 26, 2025

Iran’s Crypto Economy in 2025: Declining Volumes, Rising Tensions, and Shifting Trust

arrow right
BLOG
July 17, 2025

Inside the Nobitex Hack: How the Iran-Israel Conflict Exposed Tehran's Grip on Its Crypto Services

No posts to show
No posts to show
No posts to show
No posts to show
No posts to show
Subscribe and stay up to date with our insights
No items found.
Digital illustration showing a pie chart, masked criminal figure, and crypto coin symbol on a data grid background—representing crypto crime analytics.
REPORT
See the trends and typologies that shaped the illicit crypto ecosystem in 2025
READ THE REPORT →
Blue diamond with a circle overlayed in white on a dark blue background
REPORT
Unlocking more clarity for institutional adoption with key crypto policy shifts in 2025
READ THE REPORT →
3D illustration of a blue magnifying glass hovering over a digital fingerprint on a dark background, symbolizing crypto investigations or forensic analysis.
FLIP BOOK
Learn more about common crypto-enabled scam typologies in our "Investigating Crypto Scams" flip book
Get your copy →
Illustration of a stablecoin represented by a dollar symbol surrounded by icons for growth, risk alert, user profiles, and a security shield with a target, connected through a network of hexagons — symbolizing the interconnected risks and compliance considerations in digital asset ecosystems.
USE CASE
Learn how TRM helps compliance teams monitor exposure, detect threats, and safeguard their organizations
TRM for stablecoin risk management →
A worn silver wrench tool on a brown-red background, as a metaphor for violent crime
BLOG
Learn about the recent rise of "wrench attacks" and crypto-related violent crime
Read the post →
Illustration of a financial institution icon and a compliance document with checkboxes, symbolizing regulatory due diligence and financial compliance in the digital asset ecosystem.
GUIDE
Learn best practices for evaluating the legal, operational, and financial integrity of crypto entities before engagement
Get the guide →
A judge's gavel rests beside a stack of gold-colored cryptocurrency tokens, including Bitcoin, Dogecoin, Ethereum, and others, symbolizing the intersection of digital assets and regulatory or legal oversight.
REGULATORY ACTION TRACKER
Stay updated on the latest crypto-linked regulatory actions available in the public domain
Check it out →
Screenshot of the splash page used by law enforcement agencies following the takedown of Garantex, with bold red lettering reading, "This domain has been seized," along with the logos of various international law enforcement agencies involved in the action.
BLOG
Learn more about the global law enforcement operation that took down Garantex
Read the post →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT