A new report by US-based cybersecurity firm Resecurity has raised fresh questions about how cryptocurrency exchanges inside Iran may be used for sanctions evasion, large-value money movement, and possible financial activity linked to regime-connected actors.
At the center of the report is Ariomex, an Iran-based cryptocurrency exchange launched in 2022. Resecurity says it analyzed a leaked Ariomex database covering the period from 2022 to 2025. The dataset, according to the company, included user records, chat logs with customer support, KYC data, wallet information, and transaction-related details.
The findings suggest that while many ordinary users were buying crypto to protect savings from the falling value of the Iranian rial, a smaller set of users appeared to be moving unusually large sums. Some allegedly sought to transfer or exchange millions of dollars through the platform.
Resecurity describes Ariomex as more than a crypto exchange. It says the platform may have acted as a shadow financial channel inside Iran, potentially useful for sanctions bypass and covert fund movement.
The420.in has not independently verified the underlying database or the identities named in the report.
What Resecurity found
The report says the database contained about 11,826 total records. Of these, around 7,710 were linked to Iran based on IP data and network intelligence. The rest were spread across several countries, including:
- United States: 381
- Germany: 330
- France: 168
- Netherlands: 136
- United Kingdom: 103
- Canada: 52
- Turkey: 48
- Russia: 30
Resecurity says the exchange was heavily tilted toward stablecoins and low-volatility assets. Around 70% of the cryptocurrencies purchased or exchanged were Tether and Tron.
Read Full Report Here: Cyber Battlefield: Ariomex, Iran-Based Crypto Exchange, Suffers Data Leak
The breakdown cited in the report includes:
- Tether: 6,680
- Tron: 2,029
- Bitcoin: 770
- Ethereum: 757
- Others: 500+
The researchers say this pattern fits a simple motive for many users: preserving value in a country facing inflation, sanctions, and currency weakness. In Iran, where the report places average monthly income at around $400 to $500, holding funds in dollar-linked stablecoins such as USDT can be a hedge against local currency erosion.
But Resecurity says another pattern stood out.
It reviewed more than 14,000 chats between Ariomex users and customer support and found repeated requests involving very large sums. In several cases, users allegedly asked how to move or convert between $50,000 and $100,000 per day. In at least 35 cases, the report says actors were attempting to bring $1 million to $5 million into Iran or cash out $50,000 to $100,000 daily.
For a market with strict financial controls and heavy sanctions scrutiny, those numbers are hard to ignore.
Examples flagged in the report
Resecurity listed several users it marked for further review based on what it called high-risk indicators. These included requests to move unusually large amounts or to raise limits far beyond normal retail activity.
Among the examples cited:
- A user identified as Zahra Khazaei allegedly asked to buy cryptocurrency worth $19 million
- Ebrahim Ghazvini Jebraeilabad allegedly sought to bring $20 million into Iran
- Ramin Lak allegedly expressed interest in depositing $5 million
- Saman Azizi allegedly sought to transfer $1.34 million
- Mohammad Parsa Nazari Hoseinabad allegedly sought a higher limit while holding $5.8 million in the account
- Seyyed Younes Shokori Bilankouhi allegedly requested help to move around $3 million, with reference to assistance from an Iranian embassy abroad
In another pattern noted by the company, some users appeared to treat the exchange like a bank. One example cited in the report involved a user named Iraj Jafari, who allegedly bought crypto worth $50,000 to $100,000 multiple times and preferred to cash out later.
That matters because, in heavily sanctioned environments, crypto platforms can become informal stores of value and transfer channels outside the traditional banking system.
Possible sanctions exposure
Resecurity says it compared the leaked Ariomex records against the US Office of Foreign Assets Control, or OFAC, sanctions list. It found 27 individuals with possible matching records.
But the company also adds a major caveat. It says these matches cannot be definitively verified because of missing or incomplete identifying information such as national ID numbers. In some cases, it suggests the lack of detail may itself be suspicious.
The report says certain high-value or privileged accounts had incomplete KYC records yet were able to carry out substantial transactions. Resecurity argues that such gaps could point to special access, preferential treatment, or links to actors close to the Iranian regime. That claim, however, remains an assessment rather than a confirmed fact.
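The caveat above, that a name-only hit cannot be verified without identifiers, can be shown with a small screening sketch. This is an added example, not Resecurity's method or code; the record fields, the 0.85 similarity threshold, the grade labels, and all sample names and IDs are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: no real people, no real identifiers.
SANCTIONS = [
    {"name": "Example Person Alpha", "dob": "1970-01-01", "national_id": "ID-0001"},
    {"name": "Sample Name Hosseinabadi", "dob": "1982-05-17", "national_id": "ID-0002"},
]
CUSTOMERS = [
    {"name": "Example Person Alfa", "dob": None, "national_id": None},
    {"name": "Sample Name Hoseinabadi", "dob": "1982-05-17", "national_id": "ID-0002"},
    {"name": "Example Person Alpha", "dob": "1991-09-09", "national_id": "ID-7777"},
    {"name": "Unrelated Customer", "dob": "1990-03-03", "national_id": "ID-0003"},
]

def normalize(name):
    """Lower-case, drop punctuation, sort tokens so word order does not matter."""
    tokens = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(sorted(tokens))

def name_score(a, b):
    """Similarity in [0, 1]; tolerates transliteration variants of one name."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def grade(customer, entry, threshold=0.85):
    """Return None, 'possible', 'confirmed' or 'conflict' for one pair."""
    if name_score(customer["name"], entry["name"]) < threshold:
        return None
    # Only identifiers present on BOTH records can confirm or refute a hit.
    seen = [(customer[k], entry[k]) for k in ("dob", "national_id")
            if customer[k] and entry[k]]
    if not seen:
        return "possible"   # name only: cannot be verified either way
    if all(c == e for c, e in seen):
        return "confirmed"  # name and every shared identifier agree
    return "conflict"       # similar name, different identifiers

def screen(customers, sanctions):
    """Grade every customer against every list entry; keep only the hits."""
    hits = []
    for c in customers:
        for s in sanctions:
            g = grade(c, s)
            if g:
                hits.append((c["name"], s["name"], g))
    return hits

if __name__ == "__main__":
    for hit in screen(CUSTOMERS, SANCTIONS):
        print(hit)
```

A record with empty KYC fields can only ever land in the "possible" bucket, which is why incomplete identifiers leave such matches open.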
Similarities with Nobitex case
The Ariomex findings come against the backdrop of rising scrutiny on Iran’s crypto ecosystem.
Resecurity points to the June 18, 2025 cyberattack on Nobitex, Iran’s largest crypto exchange, which reportedly handled around 87% of the country’s crypto transaction volume. The attack was claimed by Predatory Sparrow, an Israel-linked group also known as Gonjeshke Darande. According to public reporting referenced in the report, the breach led to a $90 million loss from hot wallets, with the funds burned rather than stolen.
After that incident, investigators and researchers argued that Nobitex was not just a retail exchange, but also part of Iran’s wider sanctions-evasion infrastructure.
Resecurity says Ariomex showed some similar warning signs, especially around incomplete user records, privileged treatment, and large-value activity.
How the exchange may have worked
According to the report, Ariomex offered services that included:
- Crypto trading
- Fiat on and off ramps
- P2P transfers
- Methods that could be used to bypass sanctions
The report lists several mechanisms that may support sanctions evasion or illicit fund movement:
- Shell accounts
- Layered transactions
- Stablecoin routing
- Intermediary wallets
- Internal peer-to-peer transfers
These methods are not unique to Iran. They are common red flags in crypto-based money laundering and sanctions evasion investigations worldwide. But in Iran’s case, the geopolitical context makes them more sensitive.
The report argues that if offshore exchanges become harder to use because of regulatory pressure, domestic platforms like Ariomex could become even more important for state-linked networks or shadow intermediaries.
The Tether angle
One reason the report matters is the central role of Tether’s USDT in Iran’s crypto economy.
Resecurity says that in January 2026, the Central Bank of Iran acquired more than $507 million worth of USDT, with indications that the stablecoins were used to support the country’s fiat currency.
The report also notes earlier US Treasury sanctions against two crypto exchanges, Zedcex and Zedxion, accused of facilitating transactions for the Islamic Revolutionary Guard Corps, or IRGC.
Against that backdrop, Ariomex appears in the report as part of a broader ecosystem in which crypto is not only a store of value for ordinary citizens but also a possible tool for sanctions evasion, cross-border payments, and covert financial operations.
Wallet tracing and identity analysis
Resecurity says it linked about 700 cryptocurrency wallets to identifiable individuals using public ledger analysis across:
- Tether
- TRON
- Bitcoin
- Ethereum
- Other tokens including Shiba Inu, Litecoin and ETC
It says around 90% of those wallets belonged to individuals, not large institutions.
The company also says it used AI and OCR tools to process identity documents from the leaked data, extracting fields such as name, national ID number, date of birth, expiry date, and address. It claims 99% validation accuracy with a 1% false positive rate, alongside manual review.
Those figures come from the company’s own methodology statement. They have not been independently audited.
A breach with wider fallout
Resecurity says the Ariomex data itself appears to have come from a previous breach, likely caused by a compromised customer support or helpdesk function. The leaked material, it says, was circulating on the dark web last year.
If accurate, the implications go beyond sanctions enforcement.
The leaked data reportedly includes personal identity records, chat conversations, wallet details, financial history, and user behavior. That creates a long list of risks for affected users: identity theft, surveillance, blackmail, doxxing, and loss of privacy.
That is one of the less discussed parts of the crypto story in sanctioned states. Even if users are not involved in crime, a breach of this kind can expose people who used crypto simply to protect savings or move money under financial pressure.
Why this report matters
The biggest value of the Ariomex leak may lie in what it reveals about Iran’s split crypto economy.
On one side are regular users trying to escape inflation and currency collapse. On the other are higher-risk actors who may be using the same platforms for sanctions bypass, large-value transfers, or covert financial activity.
That mix makes exchanges like Ariomex important intelligence targets.
For law enforcement and regulators, the data could help trace wallets, identify intermediaries, and spot repeat patterns in how funds move between Iran and other jurisdictions. For cyber investigators, it offers another window into how digital infrastructure, finance, and geopolitics now intersect.
Resecurity says it will continue supporting government agencies, regulators, and law enforcement in tracking and disrupting sanctions-evasion networks tied to Iranian crypto infrastructure.
Whether Ariomex was simply a poorly governed exchange serving a distressed economy, or a more deliberate shadow channel with regime-linked users, will require deeper investigation. But the report adds to a growing body of evidence that crypto platforms inside Iran are becoming central to both survival and statecraft.
