TL;DR: Roughly $10.3M in crypto outflows from Iranian exchanges followed the February 28, 2026 US-Israeli airstrikes in the hours after the attack, with funds splitting between self-custody, overseas exchanges, domestic services, and other wallets, making attribution difficult in the immediate aftermath, according to Chainalysis. The episode shows how geopolitical shocks, sanctions pressure, and exchange risk can rapidly reshape on-chain movement and complicate governance, monitoring, and risk classification.
NHIMG editorial — based on content published by Chainalysis: update on crypto outflows from Iranian exchanges after the February 28, 2026 airstrikes
By the numbers:
- Hourly outflow volume surged to as much as 873% in the early hours of March 2.
Questions worth separating out
Q: How should teams handle wallet movements when ownership is unclear during a crisis?
A: Treat the first transfer as a signal, not a conclusion.
Q: Why do exchange outflows become harder to interpret during geopolitical shocks?
A: Because several actors can move at once.
Q: What signals indicate that an on-chain transfer needs deeper review?
A: A transfer deserves deeper review when it lands at a deposit address reused by multiple exchanges, flows through a bridge or decentralised exchange, or appears in a cluster with prior exposure to sanctioned or state-linked services.
Practitioner guidance
- Separate control from movement Build investigation workflows that distinguish exchange-origin transfers from end-user controlled withdrawals, especially where a single deposit address may represent a nested service or shared admin account.
- Classify bridge and DEX activity as elevated-risk routing Treat transfers into bridges, decentralised exchanges, and smart contracts as a separate risk class, because those pathways break the direct relationship between origin wallet and final control point.
- Correlate wallet clustering with exposure context Combine wallet graphs with counterparty metadata, sanctions lists, and historical upstream or downstream exposure to state-linked services before assigning ownership or intent.
What's in the full report
Chainalysis' full analysis covers the transaction-level detail this post intentionally leaves for the source:
- Hourly outflow charts and destination breakdowns that show how the spike evolved after the airstrikes.
- Category-level routing detail across overseas exchanges, Iranian exchanges, other wallets, bridges, and smart contracts.
- Interpretive notes on why some flows may reflect retail self-custody, exchange liquidity management, or state-linked behaviour.
- The article's additional context on Iran's wider crypto ecosystem and how earlier shocks shaped flow patterns.
👉 Read Chainalysis' full analysis of Iranian exchange outflows after the airstrikes →
Iranian exchange outflows after airstrikes: what does the pattern mean?
Explore further
Ambiguous wallet movement is now a governance problem, not just an analytics problem. The article shows that outflows can simultaneously reflect self-custody, exchange housekeeping, and state-linked movement. That means the control question is not only where the funds went, but who can prove control at each hop. For identity and financial-crime teams, attribution discipline matters more than volume alone.
A question worth separating out:
Q: Who is accountable when crypto flows may involve sanctioned or state-linked actors?
A: Accountability sits with the exchange, compliance, and investigative teams that decide how much confidence to assign to the destination and whether to freeze, escalate, or continue monitoring. In practice, teams need documented thresholds for provisional attribution, since crisis-driven flows often remain ambiguous for days or weeks.
👉 Read our full editorial: Crypto outflows after Iranian airstrikes reveal crisis-driven fund movement