TL;DR: Iran’s crypto ecosystem reached more than $7.78 billion in 2025, with activity spiking around conflict, sanctions pressure, and domestic unrest, while IRGC-linked addresses accounted for about 50% of total values received in Q4 2025, according to Chainalysis. The pattern shows how political instability can turn blockchain activity into both a financial pressure valve and an illicit finance channel.
At a glance
What this is: Chainalysis shows Iran’s crypto activity scaling to more than $7.78 billion in 2025, with transaction spikes tied to conflict, unrest, and sanctions pressure.
Why it matters: For IAM, fraud, and financial crime practitioners, the case illustrates how identity-linked financial behaviours shift under pressure and why monitoring must account for state actors, proxies, and self-custodial movement.
By the numbers:
- Iran’s crypto ecosystem reached over $7.78 billion in 2025.
- The Iranian rial has lost approximately 90% of its value since 2018.
- In the fourth quarter of 2025, IRGC-associated addresses accounted for approximately 50% of Iran’s total crypto ecosystem.
- The article describes inflation rates of 40-50% in Iran.
👉 Read Chainalysis' analysis of Iran's crypto flows, sanctions pressure, and unrest
Context
Iran's crypto ecosystem is best understood as a governance and financial-control problem, not just a market story. When state pressure, currency collapse, and conflict intensify, people and state-aligned actors move value into channels that are harder to freeze, trace, or control.
This makes the topic relevant to identity verification, sanctions compliance, fraud monitoring, and financial crime teams. The same behavioural shifts that help citizens preserve value can also create cover for proxy finance, laundering, and politically motivated movement through self-custodial wallets and exchange exits.
Key questions
Q: How should teams handle crypto activity spikes during political unrest?
A: Treat them as contextual risk events, not just volume anomalies. Sudden increases in withdrawals, self-custody transfers, or exchange exits can reflect capital flight, proxy finance, or sanctions circumvention. The right response is to combine behavioural monitoring, sanctions screening, and entity review before deciding whether activity is ordinary customer movement or higher-risk transaction flow.
Q: Why does self-custody complicate financial crime monitoring?
A: Self-custody removes the intermediary controls that exchanges and banks normally provide. Once assets move into a personal wallet, the programme has less visibility into ownership, destination, and subsequent movement. That makes wallet attribution, destination risk scoring, and contextual review more important than simple account-level monitoring.
Q: What breaks when attribution depends on blockchain addresses alone?
A: Address-only analysis breaks when control is layered through facilitators, shell entities, or indirect wallets. A visible address may not reveal the real owner, the sponsoring organisation, or the sanctioned network behind it. Programs need entity resolution and corroborating intelligence because blockchain transparency does not automatically create trustworthy attribution.
Q: Who is accountable when crypto flows may involve sanctioned or state-linked actors?
A: Accountability sits with the exchange, compliance, and investigative teams that decide how much confidence to assign to the destination and whether to freeze, escalate, or continue monitoring. In practice, teams need documented thresholds for provisional attribution, since crisis-driven flows often remain ambiguous for days or weeks.
Technical breakdown
Blockchain flows as a signal of political stress
Blockchain analytics can reveal how value moves when confidence in local institutions collapses. In this case, the article links spikes in Iranian crypto activity to bombings, cross-border strikes, and protest waves. That matters because transaction patterns, wallet clustering, and exchange behaviour can show stress before traditional reporting catches up. For practitioners, the lesson is not that blockchain is inherently transparent, but that transparency only helps if entities, addresses, and counterparties are mapped in context.
Practical implication: align sanctions, fraud, and intelligence workflows so behavioural spikes trigger entity review, not just volume alerts.
State-linked wallets and the problem of attribution
The article’s IRGC analysis shows how attribution in crypto is probabilistic rather than absolute. A blockchain address is only as useful as the surrounding intelligence, because shell companies, facilitators, and indirect wallets can obscure control. That creates a classic governance gap: controls built for known counterparties struggle when ownership is layered, transnational, and politically sensitive. For identity programmes, the intersection is clear. Verification is not only about onboarding a user, but about sustaining trust in counterparty identity over time.
Practical implication: enrich wallet monitoring with entity resolution, sanctions data, and ownership review before treating a counterparty as low risk.
Self-custody changes the control boundary
The surge in withdrawals from exchanges to personal Bitcoin wallets shows how self-custody shifts the control boundary away from intermediaries. Once assets move into personal wallets, traditional account controls and banking oversight no longer apply in the same way. That is why this pattern matters to identity and access teams as much as to financial crime teams. The effective control point becomes the identity of the wallet holder, the provenance of funds, and the policy response to destination risk.
Practical implication: treat exchange exits and self-custody transfers as governance events that require policy-based review, not just transaction logging.
Threat narrative
Attacker objective: The objective is to move value and finance operations while reducing traceability, freezing risk, and state control.
- Entry occurs through conflict-driven economic pressure, sanctions exposure, or access to state-aligned financial channels that move value outside normal oversight.
- Escalation happens when facilitators, shell entities, and associated wallets layer transactions so ownership and control become harder to attribute confidently.
- Impact appears as sanctions evasion, proxy financing, and capital flight into self-custodial wallets that reduce state visibility and increase operational resilience for the actor using them.
NHI Mgmt Group analysis
Crypto under sanctions pressure is now an identity and governance problem, not only a financial one. When value moves through self-custodial wallets, the relevant control question becomes who controls the counterparty, not just whether a wallet exists. That shifts the burden onto sanctions screening, entity resolution, and ongoing ownership review, especially when proxy networks obscure the real actor. Practitioners should treat counterparty identity as a living control, not a one-time onboarding event.
Counterparty opacity: when shell entities and facilitators sit between source and destination, blockchain transparency does not eliminate attribution risk. The article shows that even large on-chain totals can be lower-bound estimates because hidden wallets, unlisted facilitators, and indirect control structures are difficult to prove. That is the same governance failure seen in other high-risk identity domains: trust collapses when ownership can change faster than policy can verify it. Practitioners should design for uncertain control, not assume clean attribution.
Self-custody becomes the escape valve when trust in institutions collapses. The withdrawal surge to personal wallets during protests shows that users will exit managed channels when political or economic conditions deteriorate. That has implications for financial crime programmes because the control perimeter moves from exchange accounts to wallet destination intelligence and behavioural thresholds. Practitioners should monitor for control boundary shifts, not just suspicious balances.
Geopolitical volatility increasingly determines crypto risk appetite and transaction timing. The article’s event-linked spikes show that transaction monitoring cannot be calibrated only to baseline commercial behaviour. Political shocks, internet blackouts, and military escalation can all change how people and state actors move value. For governance teams, the lesson is to add geopolitical context to risk scoring so activity is interpreted in the right threat frame.
Blockchain analytics now function as an early warning system for both financial stress and coercive state behaviour. That makes the discipline more relevant to GRC, sanctions, and fraud teams that need to understand how external shocks reshape payment behaviour. The practical takeaway is to connect chain analysis with entity risk, adverse media, and policy triggers so control actions follow context, not just raw volume.
What this signals
Counterparty identity is becoming a dynamic risk signal. For programmes monitoring digital assets, the main question is no longer whether a wallet is present, but whether the entity behind it can be trusted under changing geopolitical conditions. That is where identity verification, sanctions intelligence, and policy enforcement need to work together rather than operate as separate functions.
As pressure increases, organisations should expect more behaviour that looks like legitimate self-protection but still sits within a sanctions or fraud risk frame. The practical move is to fuse transaction monitoring with adverse media, beneficial ownership, and escalation rules so unusual movement gets triaged in context, not treated as generic noise.
The broader signal is that asset movement can now reflect political trust collapse as much as economic preference. That has implications for controls built around stable assumptions, because governance models that only understand normal customer behaviour will miss how quickly state pressure reshapes user intent.
For practitioners
- Reweight alerting for conflict-linked spikes Tune transaction monitoring to elevate alerts when volume or withdrawal patterns change during protests, blackouts, or military escalation. Use context such as jurisdiction, adverse media, and sanctions pressure so the team reviews entity behaviour, not just aggregate flow.
- Strengthen wallet attribution workflows Combine blockchain intelligence with sanctions lists, entity resolution, and beneficial ownership review to reduce false confidence in counterparty identity. Prioritise cases where funds pass through facilitators, shell companies, or known proxy-linked infrastructure.
- Treat exchange exits as governance events Create a review step for large transfers from managed exchange accounts into personal self-custody wallets, especially where destination risk is unknown. This is where policy, KYC, and ongoing counterparty review should intersect.
- Link sanctions monitoring to geopolitical triggers Feed event intelligence into sanctions and fraud operations so the control model responds to regional conflict, blackouts, and state pressure. That helps the programme distinguish routine market movement from politically driven capital flight or proxy finance.
Key takeaways
- Iran’s crypto activity shows how political instability, sanctions pressure, and state power can reshape digital asset flows at scale.
- The IRGC’s share of on-chain value and the surge into self-custody wallets show that attribution and control are now the central governance problems.
- Practitioners should combine behavioural monitoring, entity resolution, and geopolitical context so transaction review reflects real risk rather than raw volume.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity and access control matter where wallet ownership and counterparty trust change. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management is relevant where account control and wallet access can shift quickly. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0010 , Exfiltration | The article's proxy finance and asset movement patterns map to access and transfer abuse. |
| GDPR | Only indirectly relevant where personal data and identity evidence are processed. |
Track suspicious wallet movement against TA0006 and TA0010 to prioritise escalation and containment.
Key terms
- Self-custody: Self-custody means holding digital assets in a wallet controlled directly by the user rather than through an exchange or custodial intermediary. In practice, it shifts responsibility for access, recovery, and transaction approval away from the platform and onto the wallet holder, reducing intermediary oversight.
- Wallet Attribution: Wallet attribution is the practice of linking blockchain addresses to entities, campaigns, or behaviours. In compliance work, it turns a raw address into an identity context that can be screened, monitored, and escalated when associated with sanctions, fraud, or laundering activity.
- Lower-bound estimate: A lower-bound estimate is a conservative figure that captures only the activity confidently identified in the data. In blockchain intelligence, this often means the true total may be higher because hidden wallets, indirect control, or unattributed flows are not yet visible with certainty.
What's in the full report
Chainalysis' full report covers the operational detail this post intentionally leaves for the source:
- Per-event transaction charts showing how Iranian activity moved around bombings, strikes, and protest periods.
- The IRGC-associated address analysis behind the more than $3 billion received in 2025.
- Methodology notes on how the report defines lower-bound estimates and attributed wallet sets.
- The exchange withdrawal pattern analysis behind the shift into personal Bitcoin wallets.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and agentic AI identity. It helps practitioners connect identity control to broader security and compliance responsibilities across modern environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org