The Iranian Regime's Crypto Shadow Arsenal

Authored by Tamuz Itai via The Epoch Times,

In 2025, Iran’s crypto ecosystem swelled to more than $7.78 billion, according to Chainalysis, marking a notable acceleration from prior years amid economic collapse and geopolitical turmoil.

For ordinary Iranians—roughly one in six of the population—crypto served as a vital lifeline. Facing relentless rial depreciation (down nearly 90 percent since 2018), chronic inflation of 40 to 50 percent, and frequent power blackouts or internet shutdowns during protests, citizens turned to Bitcoin and stablecoins like U.S. dollar-pegged stablecoins (USDT) on the Tron network to hedge savings, facilitate remittances, and move value when traditional banking failed. Spikes in Bitcoin withdrawals to personal wallets often coincided with domestic unrest and regional conflicts.

Yet this parallel financial system has also become a powerful tool for the state. The Islamic Revolutionary Guard Corps (IRGC) steadily tightened its grip on Iran’s crypto flows. IRGC-linked addresses received more than $3 billion in 2025—up from over $2 billion in 2024—with their share rising to more than 50 percent of total Iranian crypto inflows by the end of 2025. These figures represent conservative lower bounds based only on identified and sanctioned wallets.

The regime and its proxies used these funds to facilitate illicit oil sales, procure dual-use goods for missile and drone programs, finance regional militias such as Hezbollah, Hamas, and the Houthis, and sustain sanctions evasion operations. USDT on Tron (USDT-TRC20) emerged as the preferred rail for its speed, liquidity, and relative resilience. Iran’s Ministry of Defense even began openly offering to accept cryptocurrency for arms exports.

This dual-use nature of cryptocurrency echoes the history of Tor, the anonymizing network originally developed by U.S. intelligence agencies to protect spies and assets. Designed for secure communication, Tor now powers both legitimate privacy efforts and dissidents in repressive regimes, as well as the vast criminal ecosystems of the Dark Web. Just like Tor, the same technical features—such as decentralization, pseudonymity, borderless transfers, and resistance to single-point censorship—that help ordinary people escape tyranny also let regimes and bad actors bypass accountability.

The Procurement and Laundering Pipeline

Once oil proceeds or other regime revenues entered the crypto ecosystem, they moved through a sophisticated international pipeline designed to convert funds into usable military capabilities. Iranian oil—primarily purchased by Chinese “teapot” refineries—was shipped via shadow-fleet tankers and often settled through shadow-banking networks. Chinese “teapot” refineries are small, privately owned, independent refineries that process heavily discounted crude from sanctioned countries like Iran, thereby shielding major state-owned firms from sanctions risk.

Proceeds were then routed via front companies in the United Arab Emirates (UAE) and Hong Kong, where Iranian facilitators converted them into stablecoins, especially USDT on the Tron network.

Key brokers, including Iranian nationals Alireza Derakhshan and Arash Estaki Alivand, both of whom were sanctioned by the U.S. Office of Foreign Assets Control in September 2025, coordinated the purchase of more than $100 million in cryptocurrency tied directly to Iranian oil sales between 2023 and 2025. They operated networks of UAE- and Hong Kong-based front companies, including entities like Alpa Trading–FZCO, to layer transactions, obscure origins, and settle payments for dual-use goods.

These funds financed procurement of critical components for Iran’s drone and missile programs—electronics, semiconductors, batteries, and unmanned aerial vehicle parts—sourced mainly from suppliers in China and Hong Kong. Goods were frequently mislabeled and transshipped to evade export controls, ultimately reaching the IRGC-Qods Force and Iran’s Ministry of Defense and Armed Forces Logistics.

For years, Dubai served as the central hub for these operations, leveraging its existing free zones, money changers (sarraf), and informal networks. However, in early 2026, UAE authorities arrested dozens of IRGC-linked money changers, shut down associated offices, and weighed broader asset freezes—delivering one of the most significant disruptions yet to Tehran’s sanctions-evasion architecture. Even so, the underlying networks demonstrated resilience, adapting to new routes as pressure mounted.

The Enablers: Chinese Money Laundering Networks

The final leg of the pipeline relies on a powerful new layer of professional criminal infrastructure: Chinese money-laundering networks (CMLNs), whose recent rapid development appears to be an unforeseen consequence of the imposition of capital controls in China, including a sweeping crypto ban and a strict $50,000 annual foreign exchange limit.

These sophisticated, profit-driven operations—frequently built around Telegram-based guarantee/escrow platforms, money mule networks, informal over-the-counter desks, and layered wallet structures—functioned like a full-service “Amazon for criminals.”

In 2025 alone, CMLNs processed an estimated $16.1 billion in illicit crypto funds, accounting for roughly 20 percent of all known global crypto money laundering activity. Operating through more than 1,799 active wallets, they moved the equivalent of about $44 million per day.

Broader Chinese-language escrow and underground banking networks handled even larger volumes, with TRM Labs estimating more than $100 billion to $103 billion in adjusted crypto flows in 2025. These services offered reliable “laundering-as-a-service,” converting tainted stablecoins (especially the above-mentioned USDT on Tron) into usable fiat currency, like the U.S. dollar, goods, or clean assets, while minimizing risk for clients.

CMLNs served a wide clientele, including scam operators, ransomware groups, and sanctioned state actors. They helped launder proceeds from North Korean hacks (including the record 2025 Bybit theft), supported Russian sanctions-evasion flows, and enabled Iranian/IRGC networks to off-ramp oil-related crypto and settle payments for dual-use goods. These networks provided the essential “last mile” that turned raw illicit crypto into operational funding for weapons programs and proxies. 

Despite enforcement actions—such as the U.S. Financial Crimes Enforcement Network’s 2025 designation of the Cambodia-based Huione Group as a primary money laundering concern—the networks demonstrated remarkable resilience, quickly migrating to new platforms and services.

While seemingly not under direct operational command and control by the Chinese Communist Party (CCP), CMLNs have grown into a multi-billion-dollar industry with conspicuous longevity. Given the CCP’s tight grip on China’s financial system, internet, and capital flows, and its aggressive crackdowns when it perceives threats to financial stability or political control, such large-scale, cross-border activity would be extremely difficult to sustain without, at the very least, tacit tolerance from Beijing.

Enforcement and Outlook

The Trump administration’s strongly pro-crypto domestic policies—including the creation of a Strategic Bitcoin Reserve—stand in contrast to its aggressive enforcement against adversarial use of digital assets. On-chain intelligence sharpened U.S. focus on IRGC procurement networks, Russian stablecoin flows, and North Korean thefts.

Under its “maximum pressure” campaign, the U.S. Treasury’s Office of Foreign Assets Control sanctioned entire crypto exchanges in January 2026, including the UK-registered Zedcex and Zedxion, for processing large volumes of IRGC-linked funds, including more than $94 billion in total transactions on Zedcex.

Crypto had evolved into an important battleground: a lifeline for civilians in sanctioned economies and a tool for rogue regimes and criminal financing. As evasion networks adapt and migrate, the long-term success of disruption efforts remains to be seen.