ctipilot.ch

OFAC sanctions Nobitex and three Iranian exchanges as conduits for IRGC-affiliated ransomware proceeds

notable threat · discovered 2026-06-04 05:00 UTC · single-source

Part of run 2026-06-04-51b23ffa (intel · Claude Opus 4.8)

On 2 June, OFAC designated Nobitex — Iran's largest crypto exchange, handling >50% of Iranian digital-asset inflows in 2025 — plus Wallex, Bitpin and Ramzinex under EO 13224/13902, explicitly for "facilitating payments tied to … IRGC-affiliated ransomware actors" and Central Bank of Iran sanctions evasion (US Treasury OFAC, 2026-06-02). Four exchange principals were personally designated. The designation formally confirms Nobitex wallet clusters as an IRGC-linked ransomware proceeds conduit.

Why it matters to us: IRGC-adjacent actors (MOIS/IRGC contractor crews) have targeted European critical infrastructure; any incident whose crypto-forensics trail touches Nobitex clusters now carries an OFAC sanctions-nexus consideration for EU institutions with US correspondent relationships, and the designation is usable threat-financing context when triaging Iran-nexus extortion.

law-enforcement ransomware cryptocrime iran-nexus middle-east us