How to Bypass Sanctions and Launder Crypto: An Iranian Businessman Shows How
Crypto compliance systems have once again shown their limitations. An Iranian businessman has revealed a scheme that allows international sanctions to be bypassed and cryptocurrency to be laundered with little risk of consequences.
26.01.2026
Iranian state entities under international sanctions may have been able to receive millions of dollars in cryptocurrency without interference. For a long time, they successfully concealed financial flows despite the transparency of blockchain technology. GetBlock AML Research reveals one of the schemes through which Iran secretly accumulated crypto assets and circumvented international sanctions.
In late 2025, Iranian businessman Babak Zanjani claimed that he had sold cryptocurrency to the Central Bank of Iran and published letters bearing official stamps along with digital wallet addresses. These wallets were later identified, and their analysis revealed a sophisticated sanctions-evasion system operating at the level of large organizations.
Between April and May 2025, two wallets matching Zanjani’s description moved $48.9 million in USDT with striking precision. One routed funds through specialized cross-chain bridges and into wallets that were already sanctioned. The other sent 51% of its funds directly to entities under U.S. sanctions. Both wallets received most of their funds from unidentified sources (92–94%), processed large volumes over 15–30 days, and then distributed them through high-risk infrastructure.
The way this system operated exposes three major gaps in oversight that allowed $48.9 million to pass through sanctions-evasion channels unnoticed. These vulnerabilities are not unique to Iran.
Zanjani’s Claims and On-Chain Evidence
In posts published on December 29, 2025, Zanjani said he had sold “several million dollars in USDT” to the Central Bank of Iran via a state-owned company responsible for banking infrastructure. He shared copies of letters with official seals that included cryptocurrency wallet addresses allegedly controlled by that company on behalf of the Central Bank.

Documents from the Central Bank of Iran showing active crypto addresses
The state-owned company denied working with cryptocurrencies. The Central Bank neither confirmed nor denied the claims. Zanjani also stated that shortly after the wallet addresses were published, they appeared on Israel’s sanctions lists, which could indicate either internal leaks or the involvement of foreign intelligence services.
During the analysis, two wallets were identified that matched Zanjani’s description in terms of volume, timing, and transaction patterns, consistent with his claims of operating at a state level in April–May 2025. From a compliance perspective, the key issue is not who controlled the wallets, but how the system functioned and which regulatory blind spots it exploited.
What the Blockchain Reveals
Two wallets were identified that matched Zanjani’s description by timing, volume, and transaction behavior in April–May 2025.
Wallet 1
- Address: THwJSxR9qREsgEQjX1cpRw4Rw9WbmPSHVh
- Volume: 28.5 million USDT
- Period: April–May 2025
- Activity window: 15–30 days
Sources of funds:
- 92.4% — unidentified sources
- 4.8% — licensed exchanges
- 2.7% — payment services
Use of funds:
- Strong links to sanctioned wallets and Iranian crypto services
- Systematic transfers through cross-chain bridges and to sanctioned wallets
- 100% of outgoing funds sent to high-risk categories
This wallet received 70% of its funds from another wallet that processed over 515 million USDT in less than two months.

Risk analysis of address THwJSxR9qREsgEQjX1cpRw4Rw9WbmPSHVh. Source: Crystal
This wallet shows close ties to U.S.-sanctioned entities, Iran- and Russia-linked structures, and crypto exchanges in Dubai, Hong Kong, and Turkey.
Concealing Sources and Destinations
Fee analysis showed that more than 36% of the service tokens used by this wallet came from a sanctioned address, further confirming its connection to Iran. To obscure transaction trails, two bridges were used in sequence: first transferring assets between blockchains, then converting them into a different type of digital asset.

Network graph showing masked cross-chain transfers. Visualization: Crystal
Wallet 2
- Address: TBaxHwoXQjAmiNZgRKECoA3b6fsrtmoZvB
- Volume: 20.6 million USDT
- Period: April–May 2025
- Activity window: 15–30 days

Risk analysis of address TBaxHwoXQjAmiNZgRKECoA3b6fsrtmoZvB. Source: Crystal
Sources of funds:
- 94% — unidentified sources
- 6% — mixed categories, including illicit services, sanctioned entities, and licensed exchanges
Use of funds:
- 51% — sent directly to U.S.-sanctioned organizations
- 37.3% — sent to other entities (mostly via the Iranian exchange Nobitex and transfer services)
- 7.3% — sent to unidentified wallets
- 4.3% — sent to unlicensed exchanges
In both cases, the pattern is the same: funds arrive from largely untraceable sources, are processed quickly, and then deliberately distributed through sanctions-evasion infrastructure. These wallets were not used for ordinary commercial activity—their behavior points to a specialized system designed to bypass sanctions.
Source analysis reveals links to known networks previously used for sanctions evasion. The volumes involved—$28.5 million and $20.6 million over 15–30 days—indicate activity by large organizations rather than individuals.
1. Cross-Chain Bridges Break the Compliance Trail
The first wallet actively routed funds through services that transfer assets between different blockchains. Most compliance systems monitor transactions only within a single network. When assets move across chains, the transaction history is effectively severed.
As a result, funds originating from unidentified sources reappeared in another network as seemingly “clean,” with no visible connection to prior activity.
The second wallet combined such transfers with direct payments to sanctioned entities. This demonstrates a clear understanding of system weaknesses: some funds were “laundered” via cross-chain transfers, while others were sent directly where sanctions risk was knowingly accepted.
Conclusion: Single-chain monitoring is insufficient to detect sanctions evasion when assets move across multiple blockchains.
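The monitoring gap described in this section can be shown as a reachability check. This is an added example, not code from the original research; the addresses, amounts, chain names and the bridge-pair record format are constructed assumptions.

```python
from collections import defaultdict

# Constructed per-chain transfer logs: (sender, receiver, amount in USDT).
# All addresses are placeholders, not real wallets.
CHAINS = {
    "A": [("unidentified_src", "wallet_A", 1_000_000),
          ("wallet_A", "bridge_A_in", 1_000_000)],
    "B": [("bridge_B_out", "wallet_B", 998_000),
          ("wallet_B", "exchange_B", 998_000)],
}

# Assumption: the monitoring system can pair a bridge deposit on one chain
# with its payout on another (for example from the bridge's event logs).
BRIDGE_LINKS = [{"src": ("A", "wallet_A"), "dst": ("B", "wallet_B")}]

# Nodes whose funds a compliance team wants to follow.
RISKY_SOURCES = {("A", "unidentified_src")}

def build_graph(chains, links=()):
    """Directed graph of (chain, address) nodes; links add cross-chain edges."""
    graph = defaultdict(set)
    for chain, transfers in chains.items():
        for sender, receiver, _amount in transfers:
            graph[(chain, sender)].add((chain, receiver))
    for link in links:
        graph[link["src"]].add(link["dst"])
    return graph

def exposed(graph, sources):
    """Every node reachable from the risky sources (depth-first search)."""
    seen, stack = set(sources), list(sources)
    while stack:
        node = stack.pop()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

if __name__ == "__main__":
    target = ("B", "exchange_B")
    single_chain = exposed(build_graph(CHAINS), RISKY_SOURCES)
    cross_chain = exposed(build_graph(CHAINS, BRIDGE_LINKS), RISKY_SOURCES)
    print("single-chain view flags deposit:", target in single_chain)
    print("cross-chain view flags deposit: ", target in cross_chain)
```

Without the bridge pairing, the deposit on chain B has no path back to the unidentified source; with it, the exposure carries across the hop.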
2. Unlicensed Exchanges Operate Outside Oversight
The second wallet sent 51% of its funds directly to sanctioned entities, primarily through Iran’s largest crypto exchange. That exchange was added to sanctions lists in 2024 but continues to operate.
Unlicensed exchanges:
- do not conduct proper customer identification,
- do not screen transactions against sanctions lists,
- do not report suspicious activity.
For licensed market participants, such transfers appear as routine transactions involving “unknown” wallets rather than direct payments to sanctioned entities.
An additional 4.3% of funds were sent to other unlicensed exchanges, reinforcing the systemic nature of the scheme.
3. Behavioral Red Flags Go Unnoticed Without Deep Analysis
Both wallets received nearly all of their funds from unidentified sources. Under standard compliance checks, such activity can appear routine.
However, behavioral analysis reveals a clear pattern:
- Volume concentration: tens of millions of dollars within 15–30 days
- Consistency: 100% of transfers sent to high-risk entities
- Recipient clustering: over 90% of funds sent to sanctioned organizations, unlicensed exchanges, and affiliated entities
- Hidden sources paired with risky destinations: funds arrive from unknown origins and are distributed according to a predefined scheme
- Links to known sanctions-evasion networks: both wallets are part of persistent, established systems
Static sanctions lists are incapable of detecting schemes like this. Even if a wallet is not formally sanctioned, its behavior—large volumes, short processing windows, and systematic transfers into high-risk zones—points to sanctions evasion at the level of state or quasi-state actors.
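A minimal sketch of the behavioural checks listed above, run over labelled transfers for one wallet. This is an added example, not part of the original research; the category labels, thresholds and transfer dates are assumptions, and the sample amounts are constructed to mirror the percentages reported for Wallet 2.

```python
from dataclasses import dataclass
from datetime import date

# Assumed labels; analytics providers each use their own taxonomy.
HIGH_RISK = {"sanctioned", "unlicensed_exchange", "bridge", "high_risk_exchange"}

@dataclass
class Transfer:
    day: date
    direction: str   # "in" or "out"
    amount: float    # USDT
    category: str    # counterparty label from an analytics provider

def share(transfers, direction, predicate):
    """Fraction of volume in one direction whose counterparty matches predicate."""
    total = sum(t.amount for t in transfers if t.direction == direction)
    hit = sum(t.amount for t in transfers
              if t.direction == direction and predicate(t.category))
    return hit / total if total else 0.0

def red_flags(transfers, min_volume=10_000_000, max_days=30,
              min_unknown_in=0.90, min_risky_out=0.90):
    """Return behavioural flags for one wallet; thresholds are assumed values."""
    days = [t.day for t in transfers]
    window = (max(days) - min(days)).days + 1
    volume_in = sum(t.amount for t in transfers if t.direction == "in")
    flags = []
    if volume_in >= min_volume and window <= max_days:
        flags.append("volume_concentration")
    if share(transfers, "in", lambda c: c == "unidentified") >= min_unknown_in:
        flags.append("hidden_sources")
    if share(transfers, "out", lambda c: c in HIGH_RISK) >= min_risky_out:
        flags.append("risky_destinations")
    return flags

# Constructed sample: 20.6M USDT in, split 94% / 6%; out split 51 / 37.3 / 7.3 / 4.3%.
WALLET = [
    Transfer(date(2025, 4, 20), "in", 19_364_000, "unidentified"),
    Transfer(date(2025, 4, 21), "in", 1_236_000, "licensed_exchange"),
    Transfer(date(2025, 5, 2), "out", 10_506_000, "sanctioned"),
    Transfer(date(2025, 5, 5), "out", 7_683_800, "high_risk_exchange"),
    Transfer(date(2025, 5, 9), "out", 1_503_800, "unidentified"),
    Transfer(date(2025, 5, 12), "out", 885_800, "unlicensed_exchange"),
]

if __name__ == "__main__":
    print(red_flags(WALLET))
```

None of these checks consults a sanctions list for the wallet itself; the flags come only from volume, timing and counterparty mix.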