Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1953+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. The U.S. Sanctions Nobitex Crypto Exchange Used by Ransomware
The U.S. Sanctions Nobitex Crypto Exchange Used by Ransomware
NEWS

The U.S. Sanctions Nobitex Crypto Exchange Used by Ransomware

The U.S. Treasury's OFAC has sanctioned Nobitex, Iran's largest cryptocurrency exchange, for facilitating payments linked to terrorist activities and…

Dylan H.

News Desk

June 3, 2026
5 min read

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has announced sanctions against Nobitex, Iran's largest domestic cryptocurrency exchange, targeting the platform for its role in facilitating payments tied to terrorist organizations and ransomware operations. The designation marks a significant escalation in U.S. efforts to disrupt the cryptocurrency infrastructure underpinning state-linked cyber threat actors.

What Is Nobitex?

Nobitex operates as the dominant cryptocurrency exchange within Iran, serving hundreds of thousands of users and handling substantial trading volumes in Bitcoin, Ethereum, and other digital assets. Despite Iran's isolation from the international financial system under existing sanctions, Nobitex has functioned as a critical on-ramp and off-ramp for cryptocurrency transactions within the country.

While the platform ostensibly serves ordinary Iranian citizens seeking access to digital currency markets, U.S. officials allege the exchange has knowingly or negligently processed transactions linked to terrorist financing and ransomware payment flows.

Ransomware Payment Pipeline

OFAC's designation identifies Nobitex as a conduit for converting ransomware payments — typically received in Bitcoin or Monero — into local fiat currency usable within Iran. This financial pipeline has reportedly benefited multiple Iran-aligned threat actors, including groups responsible for attacks on:

  • U.S. and Western critical infrastructure operators
  • Healthcare and hospital networks
  • Municipal government systems
  • Defense industrial base contractors

Ransomware groups operating with Iranian nexus or state tolerance have increasingly relied on domestic crypto exchanges to launder proceeds, circumventing Western financial monitoring infrastructure that would flag transactions on major international exchanges like Binance or Coinbase.

Scope of the Sanctions

Under the OFAC designation:

  • All Nobitex assets within U.S. jurisdiction are frozen
  • U.S. persons and entities are prohibited from conducting any transactions with Nobitex
  • Foreign financial institutions risk secondary sanctions for processing Nobitex transactions
  • Cryptocurrency infrastructure providers, including blockchain analytics firms and compliance teams, are now required to flag Nobitex-linked wallet addresses

OFAC has also published associated cryptocurrency wallet addresses attributed to Nobitex for blocking by virtual asset service providers (VASPs) and blockchain monitoring platforms.

Iran's Cyber-Financial Ecosystem

The Nobitex action is part of a broader U.S. campaign to dismantle the financial infrastructure enabling Iranian offensive cyber operations. Previous OFAC designations have targeted:

  • Exchange A — used to liquidate cryptocurrency stolen in state-sponsored intrusions
  • OTC brokers — over-the-counter traders who convert crypto to IRR (Iranian rial) outside regulated exchange channels
  • Hawala networks — informal value transfer systems used alongside crypto to move funds internationally

Iran has consistently denied state involvement in ransomware operations, characterizing such allegations as politically motivated. However, U.S. intelligence assessments and indictments unsealed by the DOJ have documented connections between Iranian threat actors and criminal ransomware infrastructure dating back to at least 2019.

Impact on Threat Actors

Sanctions against cryptocurrency exchanges used by ransomware operators have historically produced mixed results:

  • Short-term disruption: Threat actors must identify new laundering pathways, increasing operational friction
  • Adaptation: Well-resourced state-aligned groups typically pivot to alternative exchanges, mixers, or privacy coins within weeks
  • Deterrence: Secondary sanctions create compliance pressure on crypto businesses globally, reducing the pool of willing exchanges

Security researchers note that ransomware groups tied to Iran have already begun shifting toward privacy-enhancing technologies (PETs) such as Monero transactions and cross-chain bridges to reduce reliance on any single exchange for laundering.

What Organizations Should Do

While the Nobitex sanctions are primarily a financial and law enforcement action, organizations should use the announcement as a reminder to:

  1. Review cyber insurance policies — many now include exclusions for state-sponsored attacks; Iranian attribution may affect coverage
  2. Update threat intelligence feeds — add OFAC-published Nobitex wallet addresses to blockchain monitoring tools
  3. Reinforce ransomware response playbooks — do not pay ransoms without first consulting OFAC, which requires licenses for payments to sanctioned entities
  4. Monitor for Iranian APT IOCs — threat groups that may benefit from Nobitex financial infrastructure include MuddyWater, APT35, and Agrius
⚠️ Ransomware Payment Warning
Paying a ransom to a threat actor linked to a sanctioned entity
may itself constitute a sanctions violation — regardless of whether
the payer was aware of the connection. Organizations facing
ransomware demands should consult legal counsel and contact
OFAC before making any payment.

Broader Context

The Nobitex designation comes amid a broader hardening of U.S. posture toward Iranian cyber activity. Recent months have seen DOJ indictments targeting Iranian nationals for attacks on U.S. water utilities, a federal court unsealing charges related to Iranian influence operations, and CISA issuing emergency directives in response to Iranian threat actor activity against critical infrastructure.

Treasury officials framed the Nobitex sanctions as a "follow the money" strategy: rather than solely pursuing the technical operators of ransomware campaigns, disrupting the financial exit ramps forces threat actors to expose themselves to greater risk when attempting to convert stolen funds into usable currency.


Source: U.S. Department of the Treasury, OFAC press release. Blockchain analytics firms are expected to publish Nobitex wallet cluster data within 24–48 hours of the designation.

#Ransomware#Iran#Sanctions#Cryptocurrency#OFAC#Cybercrime#Treasury

Related Articles

U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

The U.S. Treasury's OFAC has designated two individuals and a VPN service provider for enabling ransomware actors and other cybercriminals — marking a significant escalation in targeting the infrastructure that makes ransomware operations possible.

4 min read

US Treasury Sanctions 1VPNS: The VPN Service Favored by Ransomware Groups

The US Treasury's OFAC sanctioned First VPN Service (1VPNS) and its Ukrainian administrator for providing anonymization cover to ransomware groups attacking US critical infrastructure, causing billions in losses. Action is coordinated with the UK and follows a May 2026 European infrastructure takedown.

3 min read

In Other News: Iran Tracks US Military Phones, CrashStealer macOS Malware, CVD Blueprint

This week's security roundup covers Iranian threat actors tracking US military personnel's phones, the newly discovered CrashStealer macOS infostealer, a coordinated vulnerability disclosure blueprint, ransomware targeting naval defense firm TKMS, and more.

4 min read
Back to all News