TL;DR: Roughly $10.3M in crypto outflows from Iranian exchanges followed the February 28, 2026 US-Israeli airstrikes in the hours after the attack, with funds splitting between self-custody, overseas exchanges, domestic services, and other wallets, making attribution difficult in the immediate aftermath, according to Chainalysis. The episode shows how geopolitical shocks, sanctions pressure, and exchange risk can rapidly reshape on-chain movement and complicate governance, monitoring, and risk classification.
At a glance
What this is: Chainalysis says Iranian exchange outflows spiked sharply after the February 28 airstrikes, but the destinations suggest a mix of self-custody, liquidity movement, and potentially state-linked activity.
Why it matters: For security and identity practitioners, the case illustrates how fast-moving, high-uncertainty transactions can blur ownership, control, and accountability across exchange, wallet, and service boundaries.
By the numbers:
- Roughly $10.3M in cryptoasset outflows moved from Iranian exchanges between February 28 and March 2.
- Hourly outflow volume surged to as much as 873% in the early hours of March 2.
- 2025, 025, Iran's crypto ecosystem was estimated at $7.8 billion, with activity spiking around major shocks.
👉 Read Chainalysis' full analysis of Iranian exchange outflows after the airstrikes
Context
Crypto exchange activity can change quickly when geopolitics, sanctions pressure, and perceived operational risk collide. In this case, the question is not simply how much value moved, but who may have controlled those flows and whether the movement reflects retail self-custody, exchange liquidity management, or state-linked behaviour.
That ambiguity matters because on-chain movement is often treated as a proxy for intent, yet wallets, exchanges, nested services, and bridges can obscure the underlying actor. For practitioners working on identity, AML, fraud, or sanctions exposure, the challenge is to separate address-level movement from accountable control with enough confidence to support action.
Key questions
Q: How should teams handle wallet movements when ownership is unclear during a crisis?
A: Treat the first transfer as a signal, not a conclusion. Teams should separate custody change from control change, then validate the destination wallet type, clustering evidence, and any subsequent movements before making sanctions, fraud, or AML decisions. This avoids over-interpreting rapid shifts that may reflect self-custody, exchange housekeeping, or state-linked routing.
Q: Why do exchange outflows become harder to interpret during geopolitical shocks?
A: Because several actors can move at once. Retail users may pull funds into self-custody, exchanges may reshuffle liquidity or obfuscate visibility, and state-linked actors may exploit the same rails. When outages, sanctions pressure, and conflict align, the same on-chain pattern can support multiple explanations, so attribution must stay provisional.
Q: What signals indicate that an on-chain transfer needs deeper review?
A: A transfer deserves deeper review when it lands at a deposit address reused by multiple exchanges, flows through a bridge or decentralised exchange, or appears in a cluster with prior exposure to sanctioned or state-linked services. Those signals suggest the visible address may not be the true controller or final destination.
Q: Who is accountable when crypto flows may involve sanctioned or state-linked actors?
A: Accountability sits with the exchange, compliance, and investigative teams that decide how much confidence to assign to the destination and whether to freeze, escalate, or continue monitoring. In practice, teams need documented thresholds for provisional attribution, since crisis-driven flows often remain ambiguous for days or weeks.
Technical breakdown
Why exchange outflows are not the same as ownership change
A withdrawal from an exchange only proves that funds left one controlled environment. It does not prove the recipient is an end user, because the destination may be a nested service, a shared administrator account, or another wallet controlled by the same organisation. In sanctions-heavy environments, exchanges may also move funds to reduce address visibility or preserve liquidity access. That makes simple inflow and outflow charts useful for direction, but weak for attribution.
Practical implication: treat exchange outflow data as a lead signal, then validate control of destination wallets before making identity or sanctions decisions.
How self-custody, bridges, and DEXs complicate governance
Self-custody moves value outside exchange controls, while bridges and decentralised exchanges route assets across chains or protocols that may not preserve the same identity and compliance context. Once funds cross into those environments, the operational link between the origin account and the final recipient can weaken rapidly. This is a governance problem as much as a blockchain problem, because the same asset can pass through multiple control domains with very different visibility and accountability.
Practical implication: define escalation rules for cross-chain movement and bridge activity so compliance and monitoring teams know when to reclassify risk.
Why high-volume movements create attribution errors in crisis conditions
When geopolitical shocks hit, behaviour can shift simultaneously across ordinary users, platform operators, and state-aligned actors. That creates attribution overlap, especially when connectivity disruptions, sanctions pressure, and exchange outages all shape how funds move. In practice, the same wallet pattern can be consistent with self-custody, liquidity reshuffling, or illicit finance. The technical challenge is not lack of data, but lack of certainty about who controls the destination and whether downstream movement confirms an initial interpretation.
Practical implication: delay definitive attribution until onward movement, counterparty context, and wallet clustering evidence converge.
Threat narrative
Attacker objective: The objective is to preserve, move, or obscure value across control boundaries while reducing visibility to authorities and counterparties.
- Entry occurs when geopolitical shock and sanctions pressure trigger rapid withdrawal behaviour from Iranian exchanges into alternative wallets and services.
- Escalation follows as funds move through overseas exchanges, bridges, decentralised exchanges, and nested or shared deposit addresses, obscuring who controls the destination.
- Impact is a harder attribution environment for sanctions, fraud, and illicit finance monitoring, because the same outflow pattern can represent retail self-custody, exchange liquidity management, or state-linked movement.
NHI Mgmt Group analysis
Ambiguous wallet movement is now a governance problem, not just an analytics problem. The article shows that outflows can simultaneously reflect self-custody, exchange housekeeping, and state-linked movement. That means the control question is not only where the funds went, but who can prove control at each hop. For identity and financial-crime teams, attribution discipline matters more than volume alone.
Cross-border fund movement exposes the limits of address-centric monitoring. A wallet label rarely captures the full operating model behind an exchange, nested service, or shared administrative account. This creates a verification trust gap: the visible recipient may not be the real controlling party. Practitioners should treat cluster confidence and counterparty context as governance inputs, not just investigation artefacts.
Geopolitical shocks accelerate the need for policy-based risk classification. When sanctions, outages, and conflict converge, static rules produce too many false assumptions about intent. The better model is a dynamic one that combines source risk, destination type, and onward movement before the case is finalised. Practitioners should build controls that can adapt as the wallet path evolves.
Crypto exchange monitoring intersects directly with identity verification and AML governance. The article sits at the boundary between digital identity, fraud detection, and sanctions compliance. That is where control design becomes most fragile, because the same movement can represent lawful self-custody or illicit concealment. Practitioners should align wallet attribution with identity verification thresholds and escalation policy.
On-chain volatility creates a metadata problem that outpaces manual review. High-speed movement during crisis events compresses the time available for human analysis and increases the risk of misclassification. The lesson is not to chase every transfer, but to separate high-confidence exceptions from noisy background movement. Practitioners should invest in triage models that can prioritise the few flows that genuinely change risk.
What this signals
Wallet attribution during crisis events should be treated as a governance workflow, not a one-off analysis. The practical issue is not whether funds move, but whether teams can prove who controlled them at each step. That pushes financial-crime and compliance programmes toward stronger clustering logic, better counterparty metadata, and more cautious provisional decisions.
Identity verification and AML controls increasingly need to understand control transfer across services. When funds pass through exchanges, bridges, or nested wallets, the visible address may no longer represent the accountable actor. Programmes should therefore calibrate review thresholds around control evidence, not just transaction volume.
For practitioners
- Separate control from movement Build investigation workflows that distinguish exchange-origin transfers from end-user controlled withdrawals, especially where a single deposit address may represent a nested service or shared admin account. Require evidence of destination ownership before escalating sanctions or fraud conclusions.
- Classify bridge and DEX activity as elevated-risk routing Treat transfers into bridges, decentralised exchanges, and smart contracts as a separate risk class, because those pathways break the direct relationship between origin wallet and final control point. Use a higher review threshold before assuming legitimate self-custody.
- Correlate wallet clustering with exposure context Combine wallet graphs with counterparty metadata, sanctions lists, and historical upstream or downstream exposure to state-linked services before assigning ownership or intent. A transfer pattern that looks ordinary in isolation may be material once clustered.
- Delay final attribution until onward movement appears Set a policy that crisis-period flows remain provisional until downstream movement, destination reuse, or service-level evidence confirms the initial hypothesis. This reduces false positives when retail, exchange, and state activity overlap.
Key takeaways
- The article shows that crypto outflows after airstrikes can reflect self-custody, exchange reshuffling, or state-linked movement, so volume alone is not enough for attribution.
- The reported scale, about $10.3M in outflows with hourly surges reaching 873%, shows how quickly crisis conditions can reshape on-chain behaviour.
- The limiting control is destination verification, because teams need evidence of wallet control and onward movement before they assign intent or accountability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-2 | Asset and transaction visibility matter when custody and control are ambiguous. |
| NIST SP 800-53 Rev 5 | AU-6 | Rapid review and correlation are needed when transactions move across multiple control domains. |
| GDPR | Art.32 | If wallet data or identity data is linked, security of processing becomes relevant to governance. |
Apply Art.32-style safeguards where identity-linked transaction data is handled for monitoring or investigations.
Key terms
- Nested Service: A nested service is an intermediary wallet or account structure that sits behind a visible deposit address. It can hide the real operational controller of funds, which makes attribution harder for compliance teams and can blur the line between user activity and service-level liquidity management.
- Self-Custody: Self-custody is an identity and asset model where the user, not a central provider, holds the credentials that control access. It improves control and portability, but it also means lost credentials can become unrecoverable unless backups and emergency paths are designed in advance.
- Wallet clustering: The practice of grouping wallets that likely belong to the same actor based on transaction behaviour, timing, or shared service use. It helps investigators move from isolated addresses to behavioural patterns, which is often necessary to detect fraud, laundering, or coordinated market activity.
What's in the full report
Chainalysis' full analysis covers the transaction-level detail this post intentionally leaves for the source:
- Hourly outflow charts and destination breakdowns that show how the spike evolved after the airstrikes.
- Category-level routing detail across overseas exchanges, Iranian exchanges, other wallets, bridges, and smart contracts.
- Interpretive notes on why some flows may reflect retail self-custody, exchange liquidity management, or state-linked behaviour.
- The article's additional context on Iran's wider crypto ecosystem and how earlier shocks shaped flow patterns.
Deepen your knowledge
NHI Mgmt Group's NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management. It helps practitioners connect access control, accountability, and operational review across the programmes they run.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org