On June 2, 2026, the U.S. Treasury's Office of Foreign Assets Control designated Iran's four largest cryptocurrency exchanges. Within days, the lookalike domains began to appear in Certificate Transparency logs: Persian-language login pages built to harvest the credentials and seed phrases of users scrambling to move their funds before the exchanges went dark.

That burst turned out to be the smallest, freshest corner of something much larger. It was a bulletproof-hosted, multi-exchange credential-phishing platform that had been running for months, targeting some sixty exchanges across the world, and that simply bolted the newly-sanctioned Iranian brands onto its production line the same week they were listed. This is the story of that platform, the method that surfaced it before any commercial feed had flagged it, and what it says about the second-order effects of financial sanctions in a crypto economy.

The catalyst: "Economic Fury" and the four exchanges

The June 2 action was the third enforcement layer in five months. OFAC named Nobitex, Iran's largest exchange and, by OFAC's accounting, more than half of all Iranian digital-asset inflows in 2025, alongside Wallex, Bitpin, and Ramzinex. Nobitex was designated under Executive Orders 13224 and 13902, for material support to the IRGC and to Iran's financial sector, with secondary sanctions on all four and four Nobitex principals personally blocked.[1][2]

The numbers behind it are large. By TRM Labs' separate accounting of transaction volume, the four make up roughly 78% of Iran's 2025 crypto activity, $7.7 billion of $9.9 billion, with Nobitex alone at $4.7 billion. Elliptic ties them to more than $40 billion in lifetime flows and links Nobitex to Hamas, North Korean hacking groups, and the sanctioned Russian exchange Garantex.[3][4] Treasury and Chainalysis describe the Central Bank of Iran routing hundreds of millions in stablecoins through Nobitex to defend the rial.

This did not happen in a vacuum. A year earlier, in June 2025, the pro-Israel group Gonjeshke Darande ("Predatory Sparrow") drained roughly $90 million from Nobitex's hot wallets and burned the funds to provably-inaccessible vanity addresses, a political act, not a theft for profit, whose stated rationale (that Nobitex enabled sanctions evasion and terror financing) reads as a near-verbatim preview of OFAC's 2026 legal theory.[5][6] The sanctions landed inside an active Israel-Iran cyber conflict and the broader U.S. "Economic Fury" campaign.

For an exchange's users, a designation like this is a fire alarm. Secondary sanctions mean counterparties flee, on-ramps close, and account-holders rush to pull funds into self-custody. That rush is the opening. A user who has never written down a seed phrase is suddenly creating wallets under time pressure, in a panic, looking for the "official" way to secure or migrate an account, which is exactly the moment a convincing fake login page is most likely to be typed into. Sanctions do not just sever an exchange from the financial system; they manufacture a population of frightened, hurried users, and someone was waiting for them.

Two years of impersonation, intensified by the designation
Timeline: From the Nobitex hack to the post-sanctions phishing wave

The setup
    Jun 2025: Predatory Sparrow drains ~$90M from Nobitex, burns the funds
    Aug 2024 to early 2026: Operator already impersonating Iranian exchanges on DDoS-Guard (ramzinex-login, bitpin-login, wallex-login)

Three enforcement layers in five months
    Jan 2026: OFAC designates Zedcex / Zedxion
    Apr 2026: Two CBI wallets; Tether freezes $344M USDT
    02 Jun 2026: OFAC designates Nobitex, Wallex, Bitpin, Ramzinex (SB0519)

The response
    02 Jun 2026: Lookalike certs appear in CT on the designation date
    06 to 13 Jun 2026: Deploy burst ramps; fresh Gname-registered wave

Fig 1. The designation did not start the campaign; it intensified it. The operator had been impersonating Iranian exchanges on bulletproof hosting since August 2024. The June 2 action layered a fresh, higher-panic wave onto a long-running estate.

The phishing operation, up close

So we went looking, and the clearest tell came from a single IP address. 186.2.175[.]79 hosted both nobitex-dashboard[.]com and ramzinex-panel[.]com, two different sanctioned exchanges, impersonated from the same box, with the same kit. Persian titles reading "secure login to your account." Password fields, seed-phrase fields, two-factor prompts, captcha. And an identical form action on both: /system/post/submit.

[Image: A live Nobitex credential-phishing page in Persian, headed with the Nobitex purple branding and a secure-login form, served from the bulletproof node 186.2.175[.]79]
Fig 2. The kit, live. nobitex-dashboard[.]com, a Persian Nobitex "secure login" clone on 186.2.175[.]79, registered through Gname on 2026-06-08 and still harvesting at the time of writing. The same box served a Ramzinex clone with the same form action. Captured 2026-06-25 (origin-shielded).

That kit fingerprint is the through-line. Across the estate it appears in two variants, the /system/post/submit application form on some hosts, and a PHP scaffolding (checker.php, pageRequest.php, send.php, post.php) on others, both harvesting credentials and seed phrases, both exfiltrating server-side (which is why there is no wallet address on the page to grab). We later found the same pageRequest.php signature on a second, unrelated-looking host (poloniex-jp[.]at), in an archived urlscan record, confirming it as a same-operator discriminator rather than a coincidence. The /system/post/submit string returns nothing in any public index, urlscan filter, code-search engine, or kit-sale thread we could reach.

The build is commodity bulletproof: cPanel servers (*.cprapid.com reverse-DNS, the full 2082 to 2096 cPanel port range) fronted by DDoS-Guard, with an exposed MySQL on 3306 and a complete mail stack, the harvest database and the lure-mailer, sitting in the open.

Seven nodes carry the operation, five surfaced in the first pass, and two more (186.2.175[.]29 and 45.10.243[.]93) fell out of a later kit-fingerprint search. Their network attribution must come from BGP, not from IP-geolocation "org" strings, which mislabel. Per bgp.he.net:

IP | Origin AS | Notes
186.2.175[.]79 | AS59692 (IQWeb FZ-LLC, UAE) | DDoS-Guard-fronted; cross-brand panels (the .com wave)
186.2.175[.]29 | AS59692 (IQWeb) | sibling; the earlier .at-TLD wave, domains migrated .29 to .79
45.10.243[.]7 | AS57724 (DDoS-Guard) | exchange-phish + HYIP vertical
45.10.243[.]37 | AS57724 (DDoS-Guard) | casino co-tenant (weak; see below)
45.10.243[.]93 | AS57724 (DDoS-Guard) | the .ru-TLD wave
185.149.120[.]107 | AS57724 (DDoS-Guard) | registrar NiceNIC; exchange cluster
95.129.234[.]137 | AS57724 (DDoS-Guard) | registrar R01-SU; multilingual cluster

IQWeb and DDoS-Guard recur together as a paired offshore stack: IQWeb advertising "abuse-resistant" hosting, DDoS-Guard providing the reverse-proxy fronting that conceals the origin.

Fig 3. The operation, mapped. The OFAC catalyst and the CT detection method (blue), the kit and the AS57724 DDoS-Guard nodes (crimson), the AS59692 IQWeb fronting nodes and the co-located verticals (gold), the Iranian sanctioned subset (purple), and PhishDestroy's prior per-domain coverage (gray). Solid edges are observed; dashed edges are medium-confidence inferences; the dotted edge marks the weakly-attributed casino co-tenant.

Bigger than Iran

The Iranian phishing was never the whole picture. Pivoting on the infrastructure, reverse-IP across the nodes, pulled back the curtain on an industrial operation. After filtering legitimate co-tenants and ecosystem noise, roughly 640 operator-attributed domains target on the order of sixty exchanges: WhiteBIT, HTX, LBank, Poloniex, AscendEX, BitMart, Bitget, KuCoin, MEXC, Bybit, Tapbit, CoinW, TradeOgre, Bitunix, BTCC, Backpack, Icrypex, and many more. The kit is localized at scale, login prefixes in Persian, Arabic, Turkish, Hindi, Korean, Vietnamese (dangnhap-), and French (connexion-), and the registration TLDs cluster on .com, .at, .su, and .ru.

[Image: A 3-by-2 montage of six live phishing pages on the single node 186.2.175[.]79: top row Nobitex, Wallex and Ramzinex in Persian; bottom row LBank in Chinese, OrangeX in Korean and Poloniex in Japanese]
Fig 4. One node, six brands, four countries. Six live credential pages, all on 186.2.175[.]79: the top row is the three sanctioned Iranian brands (Nobitex, Wallex, Ramzinex); the bottom row is China, Korea, and Japan localizations (LBank, OrangeX, Poloniex). The Iranian set is one vertical of a global production line. Captured 2026-06-25 (origin-shielded).

The Iranian set, properly cleaned, is 32 domains. It includes all four sanctioned brands, plus a fifth Iranian exchange, Kifpool, that is not sanctioned, and regionalized lures such as coinex-iran[.]com and coinex-arabic[.]com. Nobitex and Ramzinex matched by brand token; Wallex and Bitpin surfaced only through the infrastructure pivot, because their names are lexically un-huntable, a brand token that collides with too many unrelated businesses to search cleanly.

Fig 5. Exchanges targeted, by operator-attributed domain count (a reverse-IP enumeration floor; the full estate is larger). The four OFAC-sanctioned Iranian brands are in crimson, Kifpool in gold. They are not the biggest targets; they are a small, high-panic vertical of a platform whose largest verticals are global exchanges like WhiteBIT, HTX, and LBank.

One clarification on those last two, because the timing invites confusion: they are impersonation domains aimed at CoinEx's users, not CoinEx infrastructure, and not connected to CoinEx's own conduct. The real CoinEx exchange was separately identified this week, in Wall Street Journal reporting built on TRM Labs blockchain analysis, as a major on-chain conduit for Iranian illicit cash (more on that below); our coinex-* domains are brand-abusing pages on the operator's estate that target that exchange's account-holders, an entirely different thing. For a while coinex-iran[.]com served automated crawlers only a Nuxt "login guide," not a form; an interactive ANY.RUN render on 2026-06-26 returned the real thing, a live Persian CoinEx credential clone, account and password fields and all. We did not submit, so the harvest is inferred, as with every page on the estate, but the form is no longer in doubt.

[Image: Two interactive ANY.RUN browser renders of coinex-iran[.]com side by side: left, the live page in Persian with account and password login fields and CoinEx branding; right, the same page auto-translated to English showing a 'check in' form with account and password fields, both verdicted 'No threat' by the sandbox]
Fig 6. The doorway opens. An interactive ANY.RUN render of coinex-iran[.]com on 2026-06-26: the live Persian CoinEx credential clone (left) and the same page with the browser's Persian-to-English translation switched on (right). Account and password fields, not the "login guide" served to crawlers. The sandbox's automatic verdict, "No threat," is the ahead-of-the-feeds problem in a single frame.

The operator targets the Iranian exchange sector broadly, with the sanctioned four simply being the freshest, highest-panic vertical. And "freshest" is the operative word: WHOIS dates the operator's oldest confirmed Iranian-exchange domain, ramzinex-login[.]com, to August 2024, with bitpin-login[.]su and wallex-login[.]com following in early 2025, so this operator has been impersonating Iranian exchanges on DDoS-Guard for roughly two years. The June 2026 designations did not start the campaign; they intensified it, layering a fresh wave, the 2026-06-08-registered nobitex-dashboard[.]com, still harvesting at the time of writing, onto a long-running estate. The wave even carries a registrar tell: the 2024 to 2025 estate used NiceNIC and R01-SU, while the post-designation registrations moved to Gname.com.

Two other verticals share the same infrastructure, and they deserve different confidence levels. A Russian-language HYIP / "claim" scam vertical, memebet-claim[.]run, fast-wealth[.]ru, and kin, is confirmed co-located on 45.10.243[.]7, the same IP as the exchange-login cluster, and is, as far as we can find, undocumented anywhere else. A casino vertical (Pin-Up, RioBet, Vavada, Pokerdom) is more weakly attributed: it rests on passive-DNS resolutions to 45.10.243[.]37 only, and we could not corroborate the co-location through urlscan, so we present it as a probable-but-unconfirmed tenant rather than a load-bearing claim.

Catching the response in Certificate Transparency

There is a reason this surfaced before the reputation feeds reacted. The premise of the investigation was methodological: take a hard, dated, public event and ask whether the criminal response to it is visible in Certificate Transparency before commercial threat intelligence reports it.

The technique is simple. Every certificate a phishing operator provisions, for nobitex-dashboard[.]com or anything else, lands in the public CT logs as a timestamped record, whatever registrar, TLD, or hosting sits behind it. So we took the brand tokens of the four sanctioned exchanges and scanned the certificate stream for them, bucketed around the designation date.

The result was unambiguous. Lookalike certificates for Nobitex began appearing in CT on June 2, the designation date itself, and ramped through June 6 to 13. At the time of collection, VirusTotal scored the live phishing domains at 0 to 1 of 91 engines, and they had not propagated to the public abuse-feed aggregations and blocklists we checked. The CT signal led the reputation ecosystem by days to weeks.

Fig 7. Operator domains first seen per day on one kit-confirmed node, 186.2.175[.]79 (64 domains across roughly 38 exchange brands). The deploy burst lands on the 05-31 to 06-02 window, the days around the designation, then tapers as the operator rotates. The June 2 OFAC action is marked in gold.

One detail matters for anyone trying to reproduce this. Zone-file diffs, the registry data behind ICANN's CZDS, are the more obvious way to catch newly-registered domains, but they miss this estate on two counts. Country-code TLDs like Iran's .ir and free subdomain hosts never appear in a zone file at all. And .com, where much of the estate lives, is available through the program but is more than our pipeline ingests: the daily .com zone is enormous, and diffing it in full every day is compute we do not currently spend. The certificate stream, by contrast, sees all of it.

A naive brand-token match drowns in noise: bulk Let's Encrypt certificates pack dozens of unrelated domains into a single SAN list, so a real *nobitex*[.]shop drags in a hundred innocent co-tenants; the token wallex collides with drywall-experts, Cornwall-ex, firewall-ex, and several legitimate Southeast-Asian fintechs also named Wallex. In fact Wallex, one of the four sanctioned exchanges, is effectively un-huntable by lexical CT search, the first sign that the lexical approach alone would not be enough.
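To make the CT sweep above concrete, here is a small Python implementation (an added example, not the article's tooling) that scans CT-style records for the four brand tokens, sets bulk SAN lists aside, allowlists the known-legitimate apex and the Wallex lexical collisions the text names, and buckets first-seen hosts by days from the June 2 designation. The SAMPLE_CT records, the KNOWN_LEGIT set and the COLLISIONS patterns are constructed for the example.

```python
"""Brand-token sweep over Certificate Transparency records, bucketed around the
designation date.  Added example, not the article's own tooling.  SAMPLE_CT is
constructed to mimic CT entries (one certificate = one SAN list plus its
not_before timestamp); a real run would feed entries from a CT log or
aggregator in the same shape."""
from collections import Counter
from datetime import date, datetime
import re

DESIGNATION = date(2026, 6, 2)                      # OFAC action on the four exchanges
BRANDS = ("nobitex", "wallex", "bitpin", "ramzinex")

# Bulk certificates pack dozens of unrelated hosts into one SAN list, so a single
# true positive would drag in every co-tenant: set such certs aside for manual review.
MAX_SANS = 10

# Apex domains the article found to be legitimate false positives (real owners, not lures).
KNOWN_LEGIT = {"nobitex.com"}                       # unrelated Estonian e-commerce shop

# Lexical collisions the article names for the wallex token (hyphen-insensitive
# matching is what makes drywall-experts / Cornwall-ex / firewall-ex collide).
COLLISIONS = {"wallex": re.compile(r"(drywall|cornwall|firewall)-?ex", re.I)}

# Constructed sample: (not_before ISO timestamp, list of SANs on that certificate)
SAMPLE_CT = [
    ("2026-05-30T08:00:00", ["nobitex.com", "www.nobitex.com"]),
    ("2026-06-02T03:14:00", ["nobitex-dashboard.com"]),
    ("2026-06-02T19:02:00", ["ramzinex-panel.com", "www.ramzinex-panel.com"]),
    ("2026-06-03T11:45:00", ["drywall-experts.co.uk"]),
    ("2026-06-05T09:30:00", ["cdn.example.net"]
        + [f"tenant{i}.example.net" for i in range(20)] + ["nobitex.shop"]),
    ("2026-06-06T10:00:00", ["*.ramzinex.at", "ramzinex.at"]),
    ("2026-06-08T14:00:00", ["wallex-user.com"]),
    ("2026-06-13T22:10:00", ["ramzinex-users.com", "bitpin-login.su"]),
]


def normalize(san):
    """Lower-case, drop a wildcard prefix and a leading www. so one host is counted once."""
    host = san.lower().lstrip("*.")
    return host[4:] if host.startswith("www.") else host


def brand_hits(san):
    """Brand tokens found in the host (TLD excluded, hyphens ignored), as a lexical sweep sees it."""
    body = ".".join(normalize(san).split(".")[:-1])   # keep "nobitex" from nobitex.shop
    flat = body.replace("-", "")
    return [b for b in BRANDS if b in flat]


def classify(san):
    """Brand a SAN impersonates, or None if it is allowlisted or a known lexical collision."""
    host = normalize(san)
    if host in KNOWN_LEGIT:
        return None
    for brand in brand_hits(san):
        collision = COLLISIONS.get(brand)
        if collision and collision.search(host):
            continue
        return brand
    return None


def candidates(entries):
    """Sorted (host, brand, days_from_designation) triples, one per host at its first sighting."""
    first = {}
    for ts, sans in entries:
        if len(sans) > MAX_SANS:
            continue                                  # bulk SAN list: review by hand instead
        offset = (datetime.fromisoformat(ts).date() - DESIGNATION).days
        for san in sans:
            brand = classify(san)
            if brand is None:
                continue
            host = normalize(san)
            if host not in first or offset < first[host][1]:
                first[host] = (brand, offset)
    return sorted((h, b, o) for h, (b, o) in first.items())


def sweep(entries):
    """Candidate lookalikes per day, keyed by days relative to the designation (0 = June 2)."""
    return Counter(offset for _, _, offset in candidates(entries))


if __name__ == "__main__":
    for host, brand, offset in candidates(SAMPLE_CT):
        print(f"T{offset:+d}  {brand:<9} {host}")
    print(dict(sorted(sweep(SAMPLE_CT).items())))
```

The bulk certificate with 22 SANs is deliberately skipped rather than matched, which is the trade-off the text describes: fewer false co-tenants at the cost of a manual look at the set-aside certs.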

Three populations

Not everything the certificate sweep surfaced was this operation. Active verification, with every request routed through a VPN tunnel and no credentials ever submitted, sorted the burst into three distinct populations.

(A) Phishing and fraud. The credential operation described above: Persian-language "secure login" pages capturing passwords and seed phrases.

(B) Circumvention infrastructure. A parallel and entirely separate phenomenon: Cloudflare Workers and V2Ray nodes fronting the real exchanges, run under individual Iranian-named accounts, to preserve access to platforms that sanctions and blocking had cut off. This is not fraud. It is the same event, the designation, driving ordinary people to build proxies, and it is worth naming precisely so it is not misattributed as malicious.

(C) Legitimate false positives. The real Bitpin exchange; a legitimate enterprise network-monitoring company confusingly named "Bitping"; a cluster of unrelated German hobby projects on a bitping[.]de domain; an Estonian e-commerce shop that happens to own nobitex[.]com; and a separate Chinese redirect campaign. All excluded with evidence.

Attribution, and what we do not claim

The operator's naming grammar, <exchange>-login, -user, -exchange, on .su / .at / .ru, is not a unique fingerprint. It is a shared commodity convention across the entire crypto-phishing scene. We confirmed this the hard way: a grammar sweep across the Certificate-Transparency firehose and public trackers returned 1,211 matching domains, but when we resolved a sample of the ones not already tied to our nodes and checked their origin AS, only about 6% landed on the operator's infrastructure. The rest were other operators entirely, 1win and 1xbet login domains on Stark Industries and Google Cloud, Bitget clones on Cloudflare Pages, Kraken lookalikes on Squarespace. The grammar is everywhere; the operator is not.

So we attribute by IP, AS, and kit fingerprint, never by naming grammar. The defensible operator figure is roughly 640 domains, IP-attributed; the 1,211 is ecosystem context, not one actor. Nor is the casino vertical confirmed, nor is there a traceable cryptocurrency wallet: this is a credential-harvest operation, not a wallet-drainer, so exfiltration is server-side, the only "swap"-style drainer domains in the set are offline, and the HYIP front carries no on-page deposit address. On-chain tracing is the right lens for a drainer, not for this.

What it means: a Russia-Iran convergence and a sanctions-efficacy signal

Step back from the indicators and the picture is geopolitically legible. Russian bulletproof hosting, DDoS-Guard, operating out of Rostov-on-Don, a provider with a decade-long record of harboring phishing and cybercrime, is serving Persian-language phishing against IRGC-nexus Iranian exchanges, in the slipstream of an Israel-linked hack and a U.S. sanctions campaign.[7] The choice of DDoS-Guard is not incidental; it is a deliberate bet on takedown resistance. (DDoS-Guard is Russian-operated and abuse-tolerant, but not itself under OFAC, EU, or UK sanctions.)

This kit harvests seed phrases, not just exchange passwords. A stolen exchange password can be contained: accounts frozen, sessions revoked. A stolen seed phrase is the keys to a self-custody wallet: irreversible, uninsurable, total. Seed-phrase theft through fake front-ends was already the dominant consumer-crypto-fraud pattern of 2025.[8] The sanctions pushed users toward exactly the self-custody migration that maximizes that exposure, and the operator was positioned to catch them.

And there is a second-order read for sanctions practitioners. The circumvention population, the V2Ray and Cloudflare-Worker proxies fronting the real exchanges, is a live signal that the user base is routing around the designation as fast as it is imposed. A sanction that severs an exchange from the formal financial system can simultaneously displace its retail traffic into harder-to-observe channels and into the path of opportunistic crime. The designation worked as intended at the institutional level while creating measurable harm at the user level. Both things are true at once.

There is a money-laundering counterpart to this story, reported the same day this analysis was finalized. The Wall Street Journal, drawing on TRM Labs' blockchain analysis, documented how the exchange CoinEx became a major on-chain conduit for Iranian illicit cash: more than $3.84 billion in Iran-linked flows since 2019, with CoinEx overtaking Binance by 2024 as Nobitex's largest foreign counterparty (north of $763 million between the two in the past year alone), carrying funds U.S. officials attribute to the IRGC and proceeds that trace back to the North Korean hack of Bybit.[9] (CoinEx disputes TRM's figures: it told the Journal that TRM's aggregation of back-and-forth volumes is "misleading," that a separate third-party provider's estimates were lower, and that no single analytics platform should be treated as definitive; it said it would conduct an internal review of the Bybit-linked transactions.) TRM's work and this one are two faces of the same event: TRM traces where the money went; we trace the predatory infrastructure that went up to prey on the users. And they dovetail in a precise way. TRM reports that after the June 2 designations, CoinEx-to-Iran flows collapsed to under $150,000 and the exchange began blocking Iranian IP addresses, but the reporting leaves open whether new infrastructure has since been established to evade detection.[10] That open question is about laundering infrastructure. The present report documents a different post-designation build-out that demonstrably did happen: phishing aimed at the very users the sanctions sent fleeing.

Fig 8. The two faces of June 2. One designation, two different infrastructure responses: a complicit exchange moving the money out (traced on the blockchain by TRM), and an anonymous operator standing up fake login sites to prey on the users (traced here through CT, DNS, and a kit fingerprint). The coinex-* domains in our indicators are operator-run lookalikes, not CoinEx.

Prior art, and what is actually new

A great deal of this estate is already public, domain by domain. The open-source tracker PhishDestroy has catalogued individual domains across at least four of the five original nodes, including the Iranian ones, including the .su variants, with samples flagged by Fortinet and SOCRadar and carrying low single-digit VirusTotal detections.[11] The registrars (NiceNIC, R01-SU), the DDoS-Guard and IQWeb hosting, and several of the impersonated exchanges' own advisories are all on the record.

[Image: A PhishDestroy tracker page for ramzinex-login[.]com, showing it catalogued on AS57724 DDoS-Guard at 185.149.120[.]107 with same-IP sibling domains, demonstrating prior per-domain public coverage]
Fig 9. Prior art, credited. ramzinex-login[.]com on PhishDestroy: catalogued per-domain since August 2024, on 185.149.120[.]107 (AS57724 DDoS-Guard, Rostov), with its same-IP siblings listed. The individual domains are not our discovery; the platform-level synthesis is.

What no public or academic source we could find has done is characterize the thing as a whole: a single operator, running a single kit with a single naming grammar, across roughly sixty exchanges and multiple ASNs and TLDs, with a Persian-language vertical aimed at sanctioned exchanges. Three contributions are, to our knowledge, genuinely new:

  1. The platform- and operator-level characterization, and specifically the Iran / sanctions framing: no one has connected post-designation phishing to OFAC's June 2 action.
  2. The kit fingerprint as a same-operator discriminator: /system/post/submit is unindexed in any public source we could reach, and pageRequest.php is near-unique (one unrelated public host).
  3. The HYIP-to-phishing co-location on 45.10.243[.]7, tying two verticals to one operator.

To put it in one line: PhishDestroy enumerates the trees, domain by domain; we have mapped the forest. And one caveat: this assessment covers public prior art. A paywalled vendor intelligence portal may well track this under an internal cluster name we cannot see.

Two indicators, finally, appear genuinely un-burned, present nowhere in public reporting we could reach: the IP 45.10.243[.]37, and the /system/post/submit kit string itself.

Defense

For the impersonated exchanges, the four Iranian platforms and the sixty-odd others, the kit fingerprint and naming grammar are usable hunting heuristics, with the loud caveat from above: the grammar is commodity, so confirm by IP/AS before attributing anything to a single actor. The pageRequest.php and /system/post/submit paths are far higher-precision pivots.
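The kit-fingerprint and IP/AS gate described here and in the attribution section above, as an added Python example (not the article's tooling): it flags the /system/post/submit form action and the PHP scaffold files in fetched HTML, then assigns an attribution tier that only the node IP, origin AS and kit can raise, never the naming grammar alone. The SAMPLE records, the brandx/brandz domains, and the documentation-range IPs and reserved ASNs standing in for unrelated hosts are constructed placeholders.

```python
"""Kit-fingerprint check and attribution gate for candidate lookalike hosts.
Added example, not the article's own tooling.  Node IPs, ASNs and kit markers
come from the article's indicator list; the SAMPLE records are constructed,
with documentation-range IPs and reserved ASNs standing in for unrelated hosts."""
import re

# The seven operator nodes and their origin ASNs (from Appendix A of the article).
OPERATOR_NODES = {"186.2.175.79", "186.2.175.29", "45.10.243.7", "45.10.243.37",
                  "45.10.243.93", "185.149.120.107", "95.129.234.137"}
OPERATOR_ASNS = {59692, 57724}    # IQWeb, DDoS-Guard: whole providers, so AS alone never attributes

KIT_FORM_ACTION = "/system/post/submit"
KIT_PHP_FILES = ("checker.php", "pageRequest.php", "send.php", "post.php")
# Commodity naming grammar shared across the scene: <brand>-login/-user/-exchange on .su/.at/.ru
GRAMMAR = re.compile(r"^[a-z0-9]+-(login|user|exchange)\.(su|at|ru)$")
FORM_ACTION = re.compile(r"<form\b[^>]*\baction\s*=\s*['\"]?([^'\"\s>]+)", re.I)

# Constructed page in the shape the article describes: login form posting to the kit path.
KIT_HTML = ('<html><head><title>secure login to your account</title></head><body>'
            '<form method="post" action="/system/post/submit">'
            '<input name="password"><input name="seed"><input name="otp"></form></body></html>')

SAMPLE = [  # constructed records: domain, resolved IP, origin ASN (from BGP), fetched HTML
    {"domain": "ramzinex-panel.com", "ip": "186.2.175.79", "asn": 59692, "html": KIT_HTML},
    {"domain": "poloniex-jp.at", "ip": "203.0.113.5", "asn": 64496,
     "html": '<script src="/pageRequest.php"></script><form action="/send.php"></form>'},
    {"domain": "brandx-login.su", "ip": "198.51.100.7", "asn": 64497,
     "html": '<form action="/login"><input name="user"></form>'},
    {"domain": "brandz-user.at", "ip": "185.149.120.107", "asn": 57724, "html": "<html>410 Gone</html>"},
    {"domain": "shop.example", "ip": "192.0.2.9", "asn": 57724, "html": '<form action="/cart"></form>'},
]


def kit_markers(html):
    """Set of kit fingerprints present in a page: the form action and/or the PHP scaffold files."""
    markers = set()
    for action in FORM_ACTION.findall(html):
        if action.rstrip("/") == KIT_FORM_ACTION:
            markers.add("form:" + KIT_FORM_ACTION)
    for name in KIT_PHP_FILES:
        # require a path or quote boundary so post.php does not fire inside an unrelated name
        if re.search(r"(?<![\w.])" + re.escape(name) + r"\b", html):
            markers.add("php:" + name)
    return markers


def attribute(rec):
    """Attribution tier: IP, AS and kit decide; the naming grammar is ecosystem context only."""
    markers = kit_markers(rec["html"])
    on_node = rec["ip"] in OPERATOR_NODES
    if on_node and markers:
        return "operator:confirmed"           # known node serving the kit
    if on_node:
        return "operator:node-only"           # known node, kit not observed on this fetch
    if markers:
        return "operator:kit-new-host"        # kit on an unlisted host: candidate additional node
    if rec["asn"] in OPERATOR_ASNS:
        return "same-provider:unattributed"   # shares a bulletproof AS with many other tenants
    if GRAMMAR.match(rec["domain"].lower()):
        return "ecosystem:grammar-only"       # commodity naming; most such hosts are other actors
    return "none"


def triage(records):
    """Map each domain to its attribution tier."""
    return {rec["domain"]: attribute(rec) for rec in records}


def operator_domains(records):
    """Domains defensibly attributed to the operator (never grammar-only hits)."""
    return sorted(d for d, tier in triage(records).items() if tier.startswith("operator:"))


if __name__ == "__main__":
    for domain, tier in triage(SAMPLE).items():
        print(f"{domain:<22} {tier}")
```

The "kit-new-host" tier is how the article's two later nodes surfaced: a kit hit on an IP outside the known set is a lead to pivot on, not yet a confirmed node.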

For users, the guidance is old but never more relevant: a seed phrase is never required to "log in" to anything. During any disruption, a sanction, an outage, a breach, a forced migration, that is precisely when the fake "secure login" is waiting. Slow down; verify the domain; never type a seed into a web form.

How the lures reach those users is the one part of the kill chain we could not directly observe, but the surrounding evidence points to SMS smishing and Telegram, the dominant delivery layer for Iranian-crypto fraud, with the SEO-doorway pages (the coinex-iran[.]com "login guide" it serves crawlers) likely seeding search results as a parallel channel. And web phishing is not the only thing reaching those users from that layer: the same four exchanges appear in the target list of "Aks-e Yadegari," a Telegram-distributed Android remote-access trojan (sold as malware-as-a-service, first observed October 2025) that steals one-time codes from the Rubika messenger and exfiltrates over SMS when a device is offline. We reverse-engineered sibling samples of it (Basic4Android package com.xnotice.app): its command channel is Firebase Cloud Messaging, and its exfiltration is a runtime-assembled upload URL plus SMS-relay and Rubika OTP theft. There is no web hosting, no bulletproof host, and not a single domain, IP, or kit shared with the phishing platform. The only overlap is the target brand names. These are distinct operators. But the convergence is the point: web credential-phishing and mobile OTP-stealing malware funnelled to the same panicked users through the same Telegram delivery layer is the real threat picture for an Iranian exchange user in 2026.

Conclusion

A sanctions designation is a public, dated event with a predictable human aftermath, and that aftermath is an attack surface. On June 2, OFAC named four Iranian exchanges; within days, a Russian-bulletproof-hosted phishing platform had a Persian-language vertical live and harvesting seed phrases, and Certificate Transparency had recorded the whole thing before a single reputation feed reacted. The platform is not new and not Iranian-specific: it is a global, industrial, sixty-exchange operation that treated a geopolitical shock as a market opportunity. What is new is seeing it whole, and seeing it early. The lane is open: as of this writing, no public report has connected post-sanctions phishing to Iran's designated exchanges. This is one.

Appendix A · Indicators

All indicators are defanged. Treat the domains and IPs below as hostile. Indicators are point-in-time; see Appendix B on rotation.

Nodes (AS57724 DDoS-Guard unless noted)
  IQWeb (fronted): 186.2.175[.]79 · 186.2.175[.]29 (AS59692)
  DDoS-Guard: 45.10.243[.]7 · 45.10.243[.]37 · 45.10.243[.]93
  DDoS-Guard (registrars): 185.149.120[.]107 (NiceNIC) · 95.129.234[.]137 (R01-SU)

Iranian phishing domains
  Nobitex: nobitex-dashboard[.]com · nobitex[.]at
  Ramzinex: ramzinex-panel[.]com · ramzinex-users[.]com · ramzinex[.]at · ramzinex-login[.]com
  Wallex / Bitpin: wallex-login[.]com · wallex-user[.]com · bitpin-login[.]su
  Kifpool (unsanctioned): kifpool-login[.]com
  CoinEx (Iran/Arabic lures): coinex-iran[.]com (live credential form, ANY.RUN 2026-06-26) · coinex-arabic[.]com

Kit fingerprint
  Application form: form action /system/post/submit
  PHP scaffolding: checker.php · pageRequest.php · send.php · post.php
  Second host (kit corroboration): poloniex-jp[.]at (archived urlscan record)
  Build: cPanel (*.cprapid.com, ports 2082 to 2096) behind DDoS-Guard; MySQL 3306 + mail stack exposed

Hosting & registrars
  Hosting: DDoS-Guard (AS57724) · IQWeb FZ-LLC (AS59692)
  Registrars: NiceNIC · R01-SU · Gname.com (the 2026 wave)

Appendix B · Method and limitations

Indicators are point-in-time. The operator rotates domains within days: on a re-check the day this was written, of the headline examples nobitex-dashboard[.]com, ramzinex-panel[.]com, ramzinex-users[.]com, ramzinex[.]at, and coinex-iran[.]com were still live (HTTP 200), while nobitex[.]at had gone to 410 and bitpin-login[.]su, wallex-login[.]com, kifpool-login[.]com, and the kit-corroborating poloniex-jp[.]at had dropped to NXDOMAIN. Network attribution (the IPs to their origin ASNs) was independently re-confirmed via BGP (RIPEstat). Treat the domain list as a snapshot of a moving target, not a current blocklist.

Limitations, stated for the record: the roughly 640 operator figure is a floor (search-tier pagination caps the visible inventory); the casino vertical is weakly attributed (passive-DNS only); no traceable wallet exists for this credential-harvest model; the novelty assessment covers public prior art only. The CoinEx volume figures are TRM estimates that CoinEx disputes as aggregated; attribute accordingly. DDoS-Guard is Russian-operated and abuse-tolerant but is not itself sanctioned.

Sources

  1. U.S. Department of the Treasury / OFAC. Press release SB0519, "Economic Fury Targets Iran's Largest Digital Asset Exchange," June 2, 2026. home.treasury.gov.
  2. Elliptic. "OFAC sanctions Nobitex and three other Iranian crypto-asset exchanges," 2026. elliptic.co.
  3. TRM Labs. "Three enforcement layers in five months: OFAC designates Iran's domestic crypto exchanges," 2026 (four exchanges = $7.7B / 78% of Iran's attributed 2025 volume). trmlabs.com.
  4. Chainalysis. IRGC-linked addresses received more than 50% of Iranian crypto value in Q4 2025; the Central Bank of Iran routed hundreds of millions in stablecoins through Nobitex (2026).
  5. Elliptic. "Iranian crypto exchange Nobitex hacked by pro-Israel group" (~$90M drained and burned, June 2025). elliptic.co.
  6. "Predatory Sparrow" (Gonjeshke Darande), Wikipedia. en.wikipedia.org.
  7. DDoS-Guard (ownership, Rostov-on-Don base, abuse and phishing record; not OFAC/EU/UK sanctioned), Wikipedia and KrebsOnSecurity. en.wikipedia.org · krebsonsecurity.com.
  8. TRM Labs. 2026 Crypto Crime Report (Iran section; seed-phrase theft and fake front-ends as the dominant 2025 consumer-fraud pattern). trmlabs.com.
  9. Dylan Tokar & Will Brislin. "How a Crypto Exchange Became a Major Hub for Illicit Iranian Cash," The Wall Street Journal, June 24, 2026 (TRM Labs blockchain analysis of CoinEx; $3.84B Iran-linked flows since 2019; CoinEx's dispute carried in the article body). Paywalled.
  10. Ari Redbord (TRM Labs, Global Head of Policy), public summary of the CoinEx findings, LinkedIn, June 24, 2026 (post-06-02 CoinEx-Iran flows under $150,000; the open question of new evasion infrastructure).
  11. PhishDestroy, open-source phishing tracker (per-domain prior coverage of part of the estate, including ramzinex-login[.]com on 185.149.120[.]107 and bitpin-login[.]su on 95.129.234[.]137). phishdestroy.io.

CrimsonVector, investigative research by Diego Parra into criminal infrastructure, threat-actor attribution, and security research. Defanged URLs and IPs are intentionally bracketed per responsible disclosure conventions.