On June 2, 2026, the U.S. Treasury's Office of Foreign Assets Control designated Iran's four largest cryptocurrency exchanges. Within days, the lookalike domains began to appear in Certificate Transparency logs: Persian-language login pages built to harvest the credentials and seed phrases of users scrambling to move their funds before the exchanges went dark.
That burst turned out to be the smallest, freshest corner of something much larger. It was a bulletproof-hosted, multi-exchange credential-phishing platform that had been running for months, targeting some sixty exchanges across the world, and that simply bolted the newly-sanctioned Iranian brands onto its production line the same week they were listed. This is the story of that platform, the method that surfaced it before any commercial feed had flagged it, and what it says about the second-order effects of financial sanctions in a crypto economy.
- On 2026-06-02 OFAC designated Nobitex, Wallex, Bitpin, and Ramzinex (Treasury release SB0519), roughly 78% of Iran's attributed 2025 crypto volume. Within days, Certificate Transparency showed a date-correlated burst of lookalike infrastructure.
- The phishing is one vertical of an industrial platform on DDoS-Guard (AS57724) and IQWeb (AS59692) bulletproof hosting: approximately 640 operator-attributed domains across about 60 exchanges, seven nodes, two kit variants.
- The kit's discriminator, the form action /system/post/submit, is absent from every public index we could reach; the paired pageRequest.php exfil scaffolding is near-unique (one unrelated public host).
- Detection ran ahead of the reputation ecosystem: VirusTotal flagged the live phishing domains at just 0 to 1 of 91 engines, and they had not propagated to the public abuse-feed aggregations and blocklists we checked.
- All four sanctioned brands are present, plus a fifth Iranian exchange (Kifpool) and Iran- and Arabic-localized variants. Two of the four were reachable only by infrastructure pivoting: they are lexically un-huntable.
- Prior art, stated plainly: the open-source tracker PhishDestroy already catalogues much of this estate domain-by-domain. Our contribution is the platform-, operator-, and kit-level characterization and the sanctions framing, not the discovery of the individual domains.
The catalyst: "Economic Fury" and the four exchanges
The June 2 action was the third enforcement layer in five months. OFAC named Nobitex, Iran's largest exchange and, by OFAC's accounting, more than half of all Iranian digital-asset inflows in 2025, alongside Wallex, Bitpin, and Ramzinex. Nobitex was designated under Executive Orders 13224 and 13902, for material support to the IRGC and to Iran's financial sector, with secondary sanctions on all four and four Nobitex principals personally blocked.[1][2]
The numbers behind it are large. By TRM Labs' separate accounting of transaction volume, the four make up roughly 78% of Iran's 2025 crypto activity, $7.7 billion of $9.9 billion, with Nobitex alone at $4.7 billion. Elliptic ties them to more than $40 billion in lifetime flows and links Nobitex to Hamas, North Korean hacking groups, and the sanctioned Russian exchange Garantex.[3][4] Treasury and Chainalysis describe the Central Bank of Iran routing hundreds of millions in stablecoins through Nobitex to defend the rial.
This did not happen in a vacuum. A year earlier, in June 2025, the pro-Israel group Gonjeshke Darande ("Predatory Sparrow") drained roughly $90 million from Nobitex's hot wallets and burned the funds to provably-inaccessible vanity addresses, a political act, not a theft for profit, whose stated rationale (that Nobitex enabled sanctions evasion and terror financing) reads as a near-verbatim preview of OFAC's 2026 legal theory.[5][6] The sanctions landed inside an active Israel-Iran cyber conflict and the broader U.S. "Economic Fury" campaign.
For an exchange's users, a designation like this is a fire alarm. Secondary sanctions mean counterparties flee, on-ramps close, and account-holders rush to pull funds into self-custody. That rush is the opening. A user who has never written down a seed phrase is suddenly creating wallets under time pressure, in a panic, looking for the "official" way to secure or migrate an account, which is exactly the moment a convincing fake login page is most likely to be typed into. Sanctions do not just sever an exchange from the financial system; they manufacture a population of frightened, hurried users, and someone was waiting for them.
```mermaid
timeline
    title From the Nobitex hack to the post-sanctions phishing wave
    section The setup
        Jun 2025 : Predatory Sparrow drains ~$90M from Nobitex, burns the funds
        Aug 2024 to early 2026 : Operator already impersonating Iranian exchanges on DDoS-Guard (ramzinex-login, bitpin-login, wallex-login)
    section Three enforcement layers in five months
        Jan 2026 : OFAC designates Zedcex / Zedxion
        Apr 2026 : Two CBI wallets; Tether freezes $344M USDT
        02 Jun 2026 : OFAC designates Nobitex, Wallex, Bitpin, Ramzinex (SB0519)
    section The response
        02 Jun 2026 : Lookalike certs appear in CT on the designation date
        06 to 13 Jun 2026 : Deploy burst ramps; fresh Gname-registered wave
```
The phishing operation, up close
So we went looking, and the clearest tell came from a single IP address.
186.2.175[.]79 hosted both nobitex-dashboard[.]com and
ramzinex-panel[.]com, two different sanctioned exchanges,
impersonated from the same box, with the same kit. Persian titles reading
"secure login to your account." Password fields, seed-phrase fields,
two-factor prompts, captcha. And an identical form action on both:
/system/post/submit.
Figure: nobitex-dashboard[.]com, a Persian Nobitex "secure login" clone on 186.2.175[.]79, registered through Gname on 2026-06-08 and still harvesting at the time of writing. The same box served a Ramzinex clone with the same form action. Captured 2026-06-25 (origin-shielded).
That kit fingerprint is the through-line. Across the estate it appears in two
variants, the /system/post/submit application form on some hosts,
and a PHP scaffolding (checker.php, pageRequest.php,
send.php, post.php) on others, both harvesting
credentials and seed phrases, both exfiltrating server-side (which is why there
is no wallet address on the page to grab). We later found the same
pageRequest.php signature on a second,
unrelated-looking host (poloniex-jp[.]at), in an archived urlscan
record, confirming it as a same-operator discriminator rather than a
coincidence. The /system/post/submit string returns nothing in any public index, urlscan filter, code-search engine, or
kit-sale thread we could reach.
The build is commodity bulletproof: cPanel servers (*.cprapid.com
reverse-DNS, the full 2082 to 2096 cPanel port range) fronted by DDoS-Guard,
with an exposed MySQL on 3306 and a complete mail stack, the harvest database
and the lure-mailer, sitting in the open.
Seven nodes carry the operation, five surfaced in the first pass, and two more
(186.2.175[.]29 and 45.10.243[.]93) fell out of a
later kit-fingerprint search. Their network attribution must come from BGP, not from
IP-geolocation "org" strings, which mislabel. Per bgp.he.net:
| IP | Origin AS | Notes |
|---|---|---|
| 186.2.175[.]79 | AS59692 (IQWeb FZ-LLC, UAE) | DDoS-Guard-fronted; cross-brand panels (the .com wave) |
| 186.2.175[.]29 | AS59692 (IQWeb) | sibling; the earlier .at-TLD wave, domains migrated .29 to .79 |
| 45.10.243[.]7 | AS57724 (DDoS-Guard) | exchange-phish + HYIP vertical |
| 45.10.243[.]37 | AS57724 (DDoS-Guard) | casino co-tenant (weak; see below) |
| 45.10.243[.]93 | AS57724 (DDoS-Guard) | the .ru-TLD wave |
| 185.149.120[.]107 | AS57724 (DDoS-Guard) | registrar NiceNIC; exchange cluster |
| 95.129.234[.]137 | AS57724 (DDoS-Guard) | registrar R01-SU; multilingual cluster |
IQWeb and DDoS-Guard recur together as a paired offshore stack: IQWeb advertising "abuse-resistant" hosting, DDoS-Guard providing the reverse-proxy fronting that conceals the origin.
Bigger than Iran
The Iranian phishing was never the whole picture. Pivoting on the
infrastructure, reverse-IP across the nodes, pulled back the curtain on an
industrial operation. After filtering legitimate co-tenants and ecosystem
noise, roughly 640 operator-attributed domains target on the
order of sixty exchanges: WhiteBIT, HTX, LBank, Poloniex,
AscendEX, BitMart, Bitget, KuCoin, MEXC, Bybit, Tapbit, CoinW, TradeOgre,
Bitunix, BTCC, Backpack, Icrypex, and many more. The kit is localized at scale,
login prefixes in Persian, Arabic, Turkish, Hindi, Korean,
Vietnamese (dangnhap-), and
French (connexion-), and the registration TLDs
cluster on .com, .at, .su, and
.ru.
Figure: 186.2.175[.]79: the top row is the three sanctioned Iranian brands (Nobitex, Wallex, Ramzinex); the bottom row is China, Korea, and Japan localizations (LBank, OrangeX, Poloniex). The Iranian set is one vertical of a global production line. Captured 2026-06-25 (origin-shielded).
The Iranian set, properly cleaned, is 32 domains. It includes all four
sanctioned brands, plus a fifth Iranian exchange, Kifpool, that is not
sanctioned, and regionalized lures such as coinex-iran[.]com and
coinex-arabic[.]com. Nobitex and Ramzinex matched by brand token;
Wallex and Bitpin surfaced only through the infrastructure
pivot, because their names are lexically un-huntable, a brand token that
collides with too many unrelated businesses to search cleanly.
One clarification on those last two, because the timing invites confusion: they
are impersonation domains aimed at CoinEx's users, not CoinEx
infrastructure, and not connected to CoinEx's own conduct. The real CoinEx
exchange was separately identified this week, in Wall Street Journal
reporting built on TRM Labs blockchain analysis, as a major on-chain conduit
for Iranian illicit cash (more on that below); our coinex-* domains
are brand-abusing pages on the operator's estate that target that exchange's
account-holders, an entirely different thing. For a while
coinex-iran[.]com served automated crawlers only a Nuxt "login
guide," not a form; an interactive ANY.RUN render on 2026-06-26 returned the real
thing, a live Persian CoinEx credential clone, account and password fields and
all. We did not submit, so the harvest is inferred, as with every page on the
estate, but the form is no longer in doubt.
Figure: coinex-iran[.]com on 2026-06-26: the live Persian CoinEx credential clone (left) and the same page with the browser's Persian-to-English translation switched on (right). Account and password fields, not the "login guide" served to crawlers. The sandbox's automatic verdict, "No threat," is the ahead-of-the-feeds problem in a single frame.
The operator targets the Iranian exchange sector broadly, with the sanctioned
four simply being the freshest, highest-panic vertical. And "freshest" is the
operative word: WHOIS dates the operator's oldest confirmed Iranian-exchange
domain, ramzinex-login[.]com, to August 2024,
with bitpin-login[.]su and wallex-login[.]com
following in early 2025, so this operator has been impersonating Iranian
exchanges on DDoS-Guard for roughly two years. The June 2026 designations did
not start the campaign; they intensified it, layering a fresh
wave, the 2026-06-08-registered nobitex-dashboard[.]com, still
harvesting at the time of writing, onto a long-running estate. The wave even
carries a registrar tell: the 2024 to 2025 estate used NiceNIC and R01-SU, while
the post-designation registrations moved to Gname.com.
Two other verticals share the same infrastructure, and they deserve different
confidence levels. A Russian-language HYIP / "claim" scam
vertical, memebet-claim[.]run,
fast-wealth[.]ru, and kin, is confirmed co-located
on 45.10.243[.]7, the same IP as the exchange-login cluster, and
is, as far as we can find, undocumented anywhere else. A casino
vertical (Pin-Up, RioBet, Vavada, Pokerdom) is more weakly attributed:
it rests on passive-DNS resolutions to 45.10.243[.]37 only, and we
could not corroborate the co-location through urlscan, so we present it as a
probable-but-unconfirmed tenant rather than a load-bearing claim.
Catching the response in Certificate Transparency
There is a reason this surfaced before the reputation feeds reacted. The premise of the investigation was methodological: take a hard, dated, public event and ask whether the criminal response to it is visible in Certificate Transparency before commercial threat intelligence reports it.
The technique is simple. Every certificate a phishing operator provisions, for
nobitex-dashboard[.]com or anything else, lands in the public CT
logs as a timestamped record, whatever registrar, TLD, or hosting sits behind it.
So we took the brand tokens of the four sanctioned exchanges and scanned the
certificate stream for them, bucketed around the designation date.
The result was unambiguous. Lookalike certificates for Nobitex began appearing in CT on June 2, the designation date itself, and ramped through June 6 to 13. At the time of collection, VirusTotal scored the live phishing domains at 0 to 1 of 91 engines, and they had not propagated to the public abuse-feed aggregations and blocklists we checked. The CT signal led the reputation ecosystem by days to weeks.
Figure: 186.2.175[.]79 (64 domains across roughly 38 exchange brands). The deploy burst lands on the 05-31 to 06-02 window, the days around the designation, then tapers as the operator rotates. The June 2 OFAC action is marked in gold.
One detail matters for anyone trying to reproduce this. Zone-file diffs, the
registry data behind ICANN's CZDS, are the more obvious way to catch
newly-registered domains, but they miss this estate on two counts. Country-code
TLDs like Iran's .ir and free subdomain hosts never appear in a zone
file at all. And .com, where much of the estate lives, is available
through the program but is more than our pipeline ingests: the daily
.com zone is enormous, and diffing it in full every day is compute we
do not currently spend. The certificate stream, by contrast, sees all of it.
A naive brand-token match drowns in noise: bulk Let's Encrypt
certificates pack dozens of unrelated domains into a single SAN list, so a real
*nobitex*[.]shop drags in a hundred innocent co-tenants; the token
wallex collides with drywall-experts, Cornwall-ex,
firewall-ex, and several legitimate Southeast-Asian fintechs also named
Wallex. In fact Wallex, one of the four sanctioned exchanges, is
effectively un-huntable by lexical CT search, the first sign that the
lexical approach alone would not be enough.
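The brand-token scan and the two noise filters discussed above (bulk SAN lists that drag in unrelated co-tenants, and lexical collisions such as drywall-experts for the wallex token), as an added worked example. This is not the authors' pipeline; the CT records, hostnames and .example names it scans are constructed.

```python
"""Brand-token scan over Certificate Transparency records, bucketed by day
around the designation date, with SAN-bloat and token-collision filters.
Added example, not the authors' pipeline; the CT records are constructed."""
from collections import Counter, defaultdict
from datetime import date, timedelta

DESIGNATION = date(2026, 6, 2)
BRAND_TOKENS = ("nobitex", "wallex", "bitpin", "ramzinex")
# Known lexical collisions per token, compared with hyphens stripped
# (the drywall-experts / Cornwall-ex / firewall-ex problem for "wallex").
KNOWN_COLLISIONS = {"wallex": ("drywallex", "cornwallex", "firewallex")}
# Bulk certs that pack many unrelated names into one SAN list are dropped
# unless the brand token accounts for at least half of the names.
MAX_SAN_NAMES = 20

# Constructed CT precert records: (not_before, [subject alt names]).
SAMPLE_CT = [
    (date(2026, 6, 2), ["nobitex-dashboard.example", "www.nobitex-dashboard.example"]),
    (date(2026, 6, 8), ["ramzinex-panel.example"]),
    (date(2026, 6, 9), ["drywall-experts.example"]),        # collision, not a hit
    (date(2026, 5, 20), ["nobitex-support.example"]),       # before the window
    (date(2026, 6, 10), ["bitpin-login.example"]),
    # Bulk cert: one brand name among thirty unrelated co-tenants -> dropped.
    (date(2026, 6, 11), ["wallex-user.example"] + [f"shop{i}.example" for i in range(30)]),
]


def matching_tokens(name: str) -> list[str]:
    """Brand tokens found in a SAN entry, ignoring known lexical collisions."""
    host = name.lower().replace("-", "")
    hits = []
    for token in BRAND_TOKENS:
        if token not in host:
            continue
        if any(c in host for c in KNOWN_COLLISIONS.get(token, ())):
            continue
        hits.append(token)
    return hits


def scan(records, days_before=3, days_after=14):
    """Bucket token-matching certs by day offset from the designation.
    Returns {token: {day_offset: [names]}} for certs passing the filters."""
    start = DESIGNATION - timedelta(days=days_before)
    end = DESIGNATION + timedelta(days=days_after)
    out = defaultdict(lambda: defaultdict(list))
    for not_before, sans in records:
        if not (start <= not_before <= end):
            continue
        hits = [(n, matching_tokens(n)) for n in sans]
        hits = [(n, t) for n, t in hits if t]
        if not hits:
            continue
        # SAN-bloat filter: a bulk cert where the brand is a minority name.
        if len(sans) > MAX_SAN_NAMES and len(hits) * 2 < len(sans):
            continue
        offset = (not_before - DESIGNATION).days
        for name, tokens in hits:
            for token in tokens:
                out[token][offset].append(name)
    return {t: dict(d) for t, d in out.items()}


def burst_profile(result):
    """Certs per day offset across all tokens: the deploy-burst curve."""
    counts = Counter()
    for days in result.values():
        for offset, names in days.items():
            counts[offset] += len(names)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    res = scan(SAMPLE_CT)
    for token, days in res.items():
        print(token, days)
    print("burst profile (day offset -> certs):", burst_profile(res))
```

Note that the wallex token never survives the filters on this sample, which is the lexical un-huntability the text describes; those hosts have to come from the infrastructure pivot instead.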
Three populations
Not everything the certificate sweep surfaced was this operation. Active verification, with every request routed through a VPN tunnel and no credentials ever submitted, sorted the burst into three distinct populations.
(A) Phishing and fraud. The credential operation described above: Persian-language "secure login" pages capturing passwords and seed phrases.
(B) Circumvention infrastructure. A parallel and entirely separate phenomenon: Cloudflare Workers and V2Ray nodes fronting the real exchanges, run under individual Iranian-named accounts, to preserve access to platforms that sanctions and blocking had cut off. This is not fraud. It is the same event, the designation, driving ordinary people to build proxies, and it is worth naming precisely so it is not misattributed as malicious.
(C) Legitimate false positives. The real Bitpin exchange; a
legitimate enterprise network-monitoring company confusingly named "Bitping"; a
cluster of unrelated German hobby projects on a bitping[.]de
domain; an Estonian e-commerce shop that happens to own
nobitex[.]com; and a separate Chinese redirect campaign. All
excluded with evidence.
Attribution, and what we do not claim
The operator's naming grammar, <exchange>-login,
-user, -exchange, on .su /
.at / .ru, is not a unique fingerprint. It is
a shared commodity convention across the entire crypto-phishing scene. We
confirmed this the hard way: a grammar sweep across the Certificate-Transparency
firehose and public trackers returned 1,211 matching domains, but when
we resolved a sample of the ones not already tied to our nodes and
checked their origin AS, only about 6% landed on the
operator's infrastructure. The rest were other operators entirely,
1win and 1xbet login domains on Stark Industries and
Google Cloud, Bitget clones on Cloudflare Pages, Kraken lookalikes on
Squarespace. The grammar is everywhere; the operator is not.
So we attribute by IP, AS, and kit fingerprint, never by naming grammar. The defensible operator figure is roughly 640 domains, IP-attributed; the 1,211 is ecosystem context, not one actor. Nor is the casino vertical confirmed, nor is there a traceable cryptocurrency wallet: this is a credential-harvest operation, not a wallet-drainer, so exfiltration is server-side, the only "swap"-style drainer domains in the set are offline, and the HYIP front carries no on-page deposit address. On-chain tracing is the right lens for a drainer, not for this.
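The attribution discipline described above (a known operator node by IP and origin AS, or the kit fingerprint, never the naming grammar on its own), as an added example rather than the authors' tooling. The node IPs and ASNs are the page's own table; the candidate domains, resolutions, ASNs outside the table and page captures are constructed, and IPs are stored defanged as the page does.

```python
"""Attribute grammar-matched domains to the operator by IP/origin AS or kit
fingerprint, never by naming grammar alone.  Added example, not the authors'
tooling; candidate domains, resolutions and captures are constructed."""
from dataclasses import dataclass
from typing import Optional

# Operator nodes and BGP origin ASes from the page's table (defanged).
OPERATOR_NODES_DEFANGED = {
    "186.2.175[.]79": 59692, "186.2.175[.]29": 59692,
    "45.10.243[.]7": 57724, "45.10.243[.]37": 57724, "45.10.243[.]93": 57724,
    "185.149.120[.]107": 57724, "95.129.234[.]137": 57724,
}
KIT_FORM_ACTION = "/system/post/submit"
KIT_PHP_FILES = {"checker.php", "pageRequest.php", "send.php", "post.php"}


def refang(ip: str) -> str:
    return ip.replace("[.]", ".")


OPERATOR_NODES = {refang(ip): asn for ip, asn in OPERATOR_NODES_DEFANGED.items()}
OPERATOR_ASES = set(OPERATOR_NODES.values())


@dataclass
class Candidate:
    domain: str
    ip: Optional[str]                    # resolved A record, None if NXDOMAIN
    origin_as: Optional[int]             # from BGP, not a geolocation "org" string
    form_action: Optional[str] = None    # login-form action, if a capture exists
    paths_seen: frozenset = frozenset()  # server paths observed in the capture


def attribute(c: Candidate) -> tuple[bool, str]:
    """Return (attributed, reason). A grammar match is never a reason by itself."""
    if c.ip in OPERATOR_NODES:
        return True, f"ip {c.ip} is an operator node (AS{OPERATOR_NODES[c.ip]})"
    if c.form_action == KIT_FORM_ACTION:
        return True, f"kit form action {KIT_FORM_ACTION}"
    kit_paths = c.paths_seen & KIT_PHP_FILES
    if "pageRequest.php" in kit_paths or len(kit_paths) >= 2:
        return True, "kit PHP scaffolding " + ", ".join(sorted(kit_paths))
    if c.origin_as in OPERATOR_ASES:
        # Same bulletproof AS but not a known node: context, not attribution.
        return False, f"AS{c.origin_as} is operator-adjacent, ip is not a known node"
    return False, "grammar match only; other operator or unresolved"


def sweep(cands):
    """Split grammar-matched candidates into (attributed, rest, fraction)."""
    hits, rest = [], []
    for c in cands:
        ok, why = attribute(c)
        (hits if ok else rest).append((c.domain, why))
    frac = len(hits) / len(cands) if cands else 0.0
    return hits, rest, frac


# Constructed grammar-matched candidates (<brand>-login / -user / -panel).
SAMPLE = [
    Candidate("nobitex-dashboard.example", "186.2.175.79", 59692, KIT_FORM_ACTION),
    Candidate("ramzinex-panel.example", "186.2.175.79", 59692, KIT_FORM_ACTION),
    Candidate("poloniex-jp.example", "203.0.113.10", 64500,
              paths_seen=frozenset({"pageRequest.php", "send.php"})),
    Candidate("1win-login.example", "198.51.100.5", 64501),     # other operator
    Candidate("bitget-login.example", "198.51.100.9", 64502),   # other operator
    Candidate("kraken-user.example", "203.0.113.77", 57724),    # same AS, unknown node
    Candidate("wallex-login.example", None, None),              # NXDOMAIN at re-check
]

if __name__ == "__main__":
    hits, rest, frac = sweep(SAMPLE)
    for domain, why in hits:
        print("ATTRIBUTED", domain, "-", why)
    for domain, why in rest:
        print("context   ", domain, "-", why)
    print(f"{frac:.0%} of grammar matches land on the operator")
```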
What it means: a Russia-Iran convergence and a sanctions-efficacy signal
Step back from the indicators and the picture is geopolitically legible. Russian bulletproof hosting, DDoS-Guard, operating out of Rostov-on-Don, a provider with a decade-long record of harboring phishing and cybercrime, is serving Persian-language phishing against IRGC-nexus Iranian exchanges, in the slipstream of an Israel-linked hack and a U.S. sanctions campaign.[7] The choice of DDoS-Guard is not incidental; it is a deliberate bet on takedown resistance. (DDoS-Guard is Russian-operated and abuse-tolerant, but not itself under OFAC, EU, or UK sanctions.)
This kit harvests seed phrases, not just exchange passwords. A stolen exchange password can be contained: accounts frozen, sessions revoked. A stolen seed phrase is the keys to a self-custody wallet: irreversible, uninsurable, total. Seed-phrase theft through fake front-ends was already the dominant consumer-crypto-fraud pattern of 2025.[8] The sanctions pushed users toward exactly the self-custody migration that maximizes that exposure, and the operator was positioned to catch them.
And there is a second-order read for sanctions practitioners. The circumvention population, the V2Ray and Cloudflare-Worker proxies fronting the real exchanges, is a live signal that the user base is routing around the designation as fast as it is imposed. A sanction that severs an exchange from the formal financial system can simultaneously displace its retail traffic into harder-to-observe channels and into the path of opportunistic crime. The designation worked as intended at the institutional level while creating measurable harm at the user level. Both things are true at once.
There is a money-laundering counterpart to this story, reported the same day this analysis was finalized. The Wall Street Journal, drawing on TRM Labs' blockchain analysis, documented how the exchange CoinEx became a major on-chain conduit for Iranian illicit cash: more than $3.84 billion in Iran-linked flows since 2019, with CoinEx overtaking Binance by 2024 as Nobitex's largest foreign counterparty (north of $763 million between the two in the past year alone), carrying funds U.S. officials attribute to the IRGC and proceeds that trace back to the North Korean hack of Bybit.[9] (CoinEx disputes TRM's figures: it told the Journal that TRM's aggregation of back-and-forth volumes is "misleading," that a separate third-party provider's estimates were lower, and that no single analytics platform should be treated as definitive; it said it would conduct an internal review of the Bybit-linked transactions.) TRM's work and this one are two faces of the same event: TRM traces where the money went; we trace the predatory infrastructure that went up to prey on the users. And they dovetail in a precise way. TRM reports that after the June 2 designations, CoinEx-to-Iran flows collapsed to under $150,000 and the exchange began blocking Iranian IP addresses, but the reporting leaves open whether new infrastructure has since been established to evade detection.[10] That open question is about laundering infrastructure. The present report documents a different post-designation build-out that demonstrably did happen: phishing aimed at the very users the sanctions sent fleeing.
Figure: coinex-* domains in our indicators are operator-run lookalikes, not CoinEx.
Prior art, and what is actually new
A great deal of this estate is already public, domain by domain. The open-source tracker PhishDestroy has catalogued individual domains across at least four of the five original nodes, including the Iranian ones, including the .su variants, with samples flagged by Fortinet and SOCRadar and carrying low single-digit VirusTotal detections.[11] The registrars (NiceNIC, R01-SU), the DDoS-Guard and IQWeb hosting, and several of the impersonated exchanges' own advisories are all on the record.
Figure: ramzinex-login[.]com on PhishDestroy: catalogued per-domain since August 2024, on 185.149.120[.]107 (AS57724 DDoS-Guard, Rostov), with its same-IP siblings listed. The individual domains are not our discovery; the platform-level synthesis is.
What no public or academic source we could find has done is characterize the thing as a whole: a single operator, running a single kit with a single naming grammar, across roughly sixty exchanges and multiple ASNs and TLDs, with a Persian-language vertical aimed at sanctioned exchanges. Three contributions are, to our knowledge, genuinely new:
- The platform- and operator-level characterization, and specifically the Iran / sanctions framing: no one has connected post-designation phishing to OFAC's June 2 action.
- The kit fingerprint as a same-operator discriminator: /system/post/submit is unindexed in any public source we could reach, and pageRequest.php is near-unique (one unrelated public host).
- The HYIP-to-phishing co-location on 45.10.243[.]7, tying two verticals to one operator.
To put it in one line: PhishDestroy enumerates the trees, domain by domain; we have mapped the forest. And one caveat: this assessment covers public prior art. A paywalled vendor intelligence portal may well track this under an internal cluster name we cannot see.
Two indicators, finally, appear genuinely un-burned, present nowhere in public
reporting we could reach: the IP 45.10.243[.]37, and the
/system/post/submit kit string itself.
Defense
For the impersonated exchanges, the four Iranian platforms and
the sixty-odd others, the kit fingerprint and naming grammar are usable hunting
heuristics, with the loud caveat from above: the grammar is commodity, so confirm
by IP/AS before attributing anything to a single actor. The
pageRequest.php and /system/post/submit paths are far
higher-precision pivots.
For users, the guidance is old but never more relevant: a seed phrase is never required to "log in" to anything. During any disruption, a sanction, an outage, a breach, a forced migration, that is precisely when the fake "secure login" is waiting. Slow down; verify the domain; never type a seed into a web form.
How the lures reach those users is the one part of the kill chain we could not
directly observe, but the surrounding evidence points to SMS smishing
and Telegram, the dominant delivery layer for Iranian-crypto fraud, with
the SEO-doorway pages (the coinex-iran[.]com "login guide" it serves crawlers)
likely seeding search results as a parallel channel. And web phishing is not the only
thing reaching those users from that layer: the same four exchanges appear in the
target list of "Aks-e Yadegari," a Telegram-distributed Android
remote-access trojan (sold as malware-as-a-service, first observed October 2025)
that steals one-time codes from the Rubika messenger and exfiltrates over SMS
when a device is offline. We reverse-engineered sibling samples of it
(Basic4Android package com.xnotice.app): its command channel is
Firebase Cloud Messaging, and its exfiltration is a
runtime-assembled upload URL plus SMS-relay and Rubika OTP theft. There is no web
hosting, no bulletproof host, and not a single domain, IP, or kit shared with the
phishing platform. The only overlap is the target brand names. These are
distinct operators. But the convergence is the point: web
credential-phishing and mobile OTP-stealing malware funnelled to the same panicked
users through the same Telegram delivery layer is the real threat picture for an
Iranian exchange user in 2026.
Conclusion
A sanctions designation is a public, dated event with a predictable human aftermath, and that aftermath is an attack surface. On June 2, OFAC named four Iranian exchanges; within days, a Russian-bulletproof-hosted phishing platform had a Persian-language vertical live and harvesting seed phrases, and Certificate Transparency had recorded the whole thing before a single reputation feed reacted. The platform is not new and not Iranian-specific: it is a global, industrial, sixty-exchange operation that treated a geopolitical shock as a market opportunity. What is new is seeing it whole, and seeing it early. The lane is open: as of this writing, no public report has connected post-sanctions phishing to Iran's designated exchanges. This is one.
Appendix A · Indicators
All indicators are defanged. Treat the domains and IPs below as hostile. Indicators are point-in-time; see Appendix B on rotation.
| Category | Indicators |
|---|---|
| IQWeb (fronted) | 186.2.175[.]79 · 186.2.175[.]29 (AS59692) |
| DDoS-Guard | 45.10.243[.]7 · 45.10.243[.]37 · 45.10.243[.]93 |
| DDoS-Guard (registrars) | 185.149.120[.]107 (NiceNIC) · 95.129.234[.]137 (R01-SU) |
| Nobitex | nobitex-dashboard[.]com · nobitex[.]at |
| Ramzinex | ramzinex-panel[.]com · ramzinex-users[.]com · ramzinex[.]at · ramzinex-login[.]com |
| Wallex / Bitpin | wallex-login[.]com · wallex-user[.]com · bitpin-login[.]su |
| Kifpool (unsanctioned) | kifpool-login[.]com |
| CoinEx (Iran/Arabic lures) | coinex-iran[.]com (live credential form, ANY.RUN 2026-06-26) · coinex-arabic[.]com |
| Application form | form action /system/post/submit |
| PHP scaffolding | checker.php · pageRequest.php · send.php · post.php |
| Second host (kit corroboration) | poloniex-jp[.]at (archived urlscan record) |
| Build | cPanel (*.cprapid.com, ports 2082 to 2096) behind DDoS-Guard; MySQL 3306 + mail stack exposed |
| Hosting | DDoS-Guard (AS57724) · IQWeb FZ-LLC (AS59692) |
| Registrars | NiceNIC · R01-SU · Gname.com (the 2026 wave) |
Appendix B · Method and limitations
- Detection: a brand-token scan of a Certificate Transparency lake, bucketed around the 2026-06-02 designation date.
- Verification: VPN-tunnelled, source-asserted active collection (DNS-over-HTTPS, HTTP capture); no credentials submitted; suspect infrastructure never touched off the tunnel.
- Enumeration: free passive-DNS reverse-IP (VirusTotal resolutions, OTX passive DNS, HackerTarget) rather than paid pivot services.
- Attribution: by IP / origin-AS (BGP) plus kit fingerprint, not naming grammar.
Indicators are point-in-time. The operator rotates domains
within days: on a re-check the day this was written, of the headline examples
nobitex-dashboard[.]com, ramzinex-panel[.]com,
ramzinex-users[.]com, ramzinex[.]at, and
coinex-iran[.]com were still live (HTTP 200), while
nobitex[.]at had gone to 410 and bitpin-login[.]su,
wallex-login[.]com, kifpool-login[.]com, and the
kit-corroborating poloniex-jp[.]at had dropped to NXDOMAIN. Network
attribution (the IPs to their origin ASNs) was independently re-confirmed via BGP
(RIPEstat). Treat the domain list as a snapshot of a moving target, not a current
blocklist.
Limitations, stated for the record: the roughly 640 operator figure is a floor (search-tier pagination caps the visible inventory); the casino vertical is weakly attributed (passive-DNS only); no traceable wallet exists for this credential-harvest model; the novelty assessment covers public prior art only. The CoinEx volume figures are TRM estimates that CoinEx disputes as aggregated; attribute accordingly. DDoS-Guard is Russian-operated and abuse-tolerant but is not itself sanctioned.
Sources
- [1] U.S. Department of the Treasury / OFAC. Press release SB0519, "Economic Fury Targets Iran's Largest Digital Asset Exchange," June 2, 2026. home.treasury.gov.
- [2] Elliptic. "OFAC sanctions Nobitex and three other Iranian crypto-asset exchanges," 2026. elliptic.co.
- [3] TRM Labs. "Three enforcement layers in five months: OFAC designates Iran's domestic crypto exchanges," 2026 (four exchanges = $7.7B / 78% of Iran's attributed 2025 volume). trmlabs.com.
- [4] Chainalysis. IRGC-linked addresses received more than 50% of Iranian crypto value in Q4 2025; the Central Bank of Iran routed hundreds of millions in stablecoins through Nobitex (2026).
- [5] Elliptic. "Iranian crypto exchange Nobitex hacked by pro-Israel group" (~$90M drained and burned, June 2025). elliptic.co.
- [6] "Predatory Sparrow" (Gonjeshke Darande), Wikipedia. en.wikipedia.org.
- [7] DDoS-Guard (ownership, Rostov-on-Don base, abuse and phishing record; not OFAC/EU/UK sanctioned), Wikipedia and KrebsOnSecurity. en.wikipedia.org · krebsonsecurity.com.
- [8] TRM Labs. 2026 Crypto Crime Report (Iran section; seed-phrase theft and fake front-ends as the dominant 2025 consumer-fraud pattern). trmlabs.com.
- [9] Dylan Tokar & Will Brislin. "How a Crypto Exchange Became a Major Hub for Illicit Iranian Cash," The Wall Street Journal, June 24, 2026 (TRM Labs blockchain analysis of CoinEx; $3.84B Iran-linked flows since 2019; CoinEx's dispute carried in the article body). Paywalled.
- [10] Ari Redbord (TRM Labs, Global Head of Policy), public summary of the CoinEx findings, LinkedIn, June 24, 2026 (post-06-02 CoinEx-Iran flows under $150,000; the open question of new evasion infrastructure).
- [11] PhishDestroy, open-source phishing tracker (per-domain prior coverage of part of the estate, including ramzinex-login[.]com on 185.149.120[.]107 and bitpin-login[.]su on 95.129.234[.]137). phishdestroy.io.
CrimsonVector, investigative research by Diego Parra into criminal infrastructure, threat-actor attribution, and security research. Defanged URLs and IPs are intentionally bracketed per responsible disclosure conventions.