
Sanctions Research: More than 72,000 unique Iranian IP addresses linked to more than 4.5 million unique Bitcoin addresses

The following is an excerpt from our Cryptocurrency Crime and Anti-Money Laundering Report.

Since it began monitoring sanctions-related IP usage across the Bitcoin blockchain, CipherTrace has detected more than 72,000 unique Iranian IP addresses linked to more than 4.5 million unique Bitcoin addresses. These Iranian IP addresses were either involved in direct cryptocurrency transactions or were used to query the blockchain to verify funds in cryptocurrency addresses that their owners control.


Location data derived from Iranian IP queries on the blockchain. Most activity centers around Tehran.


Many of the tagged bitcoin addresses have been linked to multiple Iranian IPs, which likely indicates mobile wallets connecting through several networks: mobile carriers assign a device a fresh IP address each time it begins a new data session. Because the querying IP addresses are not recorded on the blockchain itself, banks, money service businesses and cryptocurrency exchanges have no direct visibility into the link between a bitcoin address and the users in a sanctioned country who query it.

Iranian nationals are using Bitcoin to mine and liquidate funds, as the country provides licensed mining operations with inexpensive electricity to power mining rigs. Mined funds can then be liquidated on the global market, often with no indication of which part of the world they came from unless the receiving addresses are checked for linked IP queries.

When it comes to cryptocurrency, avoiding sanctions risk must involve more than monitoring for addresses and individuals on a country’s designated sanctions list. These lists may include some of the cryptocurrency addresses associated with a designated person; however, they are often incomplete and list only a few of the addresses in the designated person’s wallet. Blockchain analysis tools can fill these gaps.


“Institutions should consider reviewing blockchain ledgers for activity that may originate or terminate in Iran.”

– US Financial Crimes Enforcement Network (FinCEN)


Financial institutions should take a risk-based approach when assessing the likelihood that they will encounter sanctions issues. Before determining that a transaction is suspicious, they may consider additional indicators and the surrounding facts and circumstances, such as a customer’s historical financial activity and the existence of other red flags.

IP data should supplement every sanctions risk mitigation strategy so that a financial institution can be confident it isn’t transacting with sanctioned countries. The most common way to incorporate IP data is to collect it at customer login to detect foreign persons accessing the institution, but this tactic alone isn’t enough to detect transactions to and from sanctioned jurisdictions, and it is easily thwarted by VPNs. Supplementing a financial institution’s sanctions strategy with the additional IP data collected from the blockchain gives a more accurate view of the geographies in which customers transact or interact.

CipherTrace has already collected several million IP datapoints across sanctioned countries including North Korea, Syria, and Iran. Notably, CipherTrace analysts have detected an uptick in Iranian IPs querying the Bitcoin blockchain this past year compared with other sanctioned jurisdictions.


BTC address associated with an Iranian IP accessing a large US exchange


US sanctions generally prohibit the export of goods, services, or technology to Iran. If financial institutions, including exchanges, facilitate payments for an individual or company in Iran, those institutions would be exporting services to that person or entity in violation of the Iranian Transactions Regulations.




One likely explanation for this uptick in Iranian IPs is the sharp increase in Bitcoin mining by Iranian actors; many of the new Iran-associated addresses interact with mining pools.

Recommendations for Compliance Officers:

  • In addition to screening customer IP data upon login, VASPs should screen counterparty addresses for IP data linked to sanctioned countries.
  • VASPs must not rely solely on sanctions lists for restricted addresses; a sanctioned party often controls additional addresses in the same wallet that were not included on the sanctions list.

Cryptocurrency and Sanctions

On November 28, 2018, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) added two bitcoin addresses to its list of Specially Designated Nationals (SDNs) for the first time ever. These two addresses belonged to two Iran-based cryptocurrency brokers who laundered 6,000 BTC through more than 40 exchanges for SamSam ransomware actors and others.

Since 2018, OFAC has sanctioned 67 additional addresses, including Bitcoin, Ethereum, Litecoin, Bitcoin SV, Bitcoin Gold, Dash, Zcash, and Monero addresses. However, CipherTrace analysts have found that the addresses that end up on OFAC’s SDN list are only a small handful of the addresses actually under the sanctioned person’s control, or in their “wallet.” Blockchain analysis is necessary to uncover the additional addresses under the sanctioned person’s control that are not listed by OFAC or on other consolidated lists of persons.

If a financial institution is unaware of these additional addresses, it runs the risk of unknowingly transacting with sanctioned persons.


“Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives.”

– US Treasury Under Secretary for Terrorism and Financial Intelligence, Sigal Mandelker


With the addition of cryptocurrency addresses to the US sanctions list, the Department of the Treasury has clarified that the addresses on the SDN list aren’t exhaustive and that any additional addresses associated with the designated addresses should also be blocked.

Additionally, IP data should be incorporated into every sanctions compliance program that deals in web-based activity, such as cryptocurrency transactions. The anonymity that internet-based transactions provide often increases sanctions risk exposure. Many internet-based financial service companies already have IP address blocking procedures; however, these procedures are usually limited to checking customer IP data at login. While this approach can be effective initially, it does not fully address a web-based financial institution’s compliance risks.

Blockchain analysis allows financial institutions to gather additional IP data on counterparties that is impossible to obtain in traditional web-based transactions. This data can help compliance teams determine whether a counterparty transaction is to or from a sanctioned country and prevent potential violations.

Blockchain IP Data Enhances Sanctions Compliance

CipherTrace has already collected over 72,000 unique Iranian IP addresses. Many of the bitcoin addresses linked to them have already transacted with large exchanges domiciled in jurisdictions where this could constitute a sanctions violation, such as the US.

Unlike traditional financial institutions, Virtual Asset Service Providers (VASPs) face an increased risk of inadvertently transacting with sanctioned jurisdictions simply because of the pseudonymous, cross-border nature and global reach of cryptocurrency transactions. VASPs should use IP data derived through blockchain analytics to enhance their compliance programs and reduce sanctions risk exposure.

Transactions to and from addresses with an IP associated with a sanctioned country should be a red flag for any VASP. While blockchain IP data alone cannot guarantee that an address belongs to actors in a given region, it is enough to demonstrate significant interest from a person in the sanctioned jurisdiction and should trigger enhanced due diligence on the account holder transacting with the potentially sanctioned address.

Financial institutions should perform additional inquiries and investigations where appropriate to ensure that their assessments are in line with their internal risk profile. Institutions can also use IP addresses to search for additional bitcoin addresses associated with a customer or counterparty IP. These additional insights can inform an institution’s risk and threat assessments and its suspicious transaction reporting obligations.

Sanctions Obfuscation Red Flags

Sanctioned persons will often attempt to conceal their illicit activity, so every compliance team must know how to identify red flags that could indicate an attempt to obfuscate sanctions violations. Unlike a traditional financial institution, a Virtual Asset Service Provider (VASP) can send funds directly to unhosted (private) cryptocurrency wallets anywhere in the world, which increases its sanctions risk exposure. To help mitigate these risks, financial institutions should be able to identify the following red flags:

  • A customer sends or receives funds to or from a cryptocurrency address associated with multiple IP addresses from a sanctioned jurisdiction.
  • A customer’s deposit address at your institution has been queried by an IP from a sanctioned jurisdiction.
  • A customer sends or receives funds to or from a cryptocurrency address in the same cluster (wallet) as a sanctioned address, even if the address itself has not been identified by any sanctions list.
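The two compliance recommendations above (screen counterparty addresses for sanctioned-jurisdiction IP data, and do not rely on the listed addresses alone) and the three red flags in this list can be expressed as a small screening routine. The block below is an added example written for this page, not CipherTrace's or any vendor's code. It assumes the common-input-ownership heuristic for clustering (addresses spent together as inputs of one transaction are treated as one wallet), which is an assumption of the example rather than a method the page describes, and every address, IP and list entry in it is constructed sample data.

```python
"""Sanctions screening over address clusters and IP observations.

Added example, not code from the original page. Clustering uses the
common-input-ownership heuristic (an assumption of this example): all
inputs of one transaction are treated as one wallet. Addresses, IPs,
country codes and list entries below are constructed sample data.
"""

# Constructed: ISO country codes the compliance team treats as sanctioned.
SANCTIONED_JURISDICTIONS = {"IR", "KP", "SY", "CU"}

# Constructed: addresses as a consolidated sanctions list would provide them.
SDN_ADDRESSES = {"bc1sanctioned01"}

# Constructed transactions: (txid, input addresses, output addresses).
TRANSACTIONS = [
    ("tx1", ["bc1sanctioned01", "bc1peerA"], ["bc1merchant"]),
    ("tx2", ["bc1peerA", "bc1peerB"], ["bc1exchangeDeposit"]),
    ("tx3", ["bc1unrelated"], ["bc1other"]),
]

# Constructed IP observations: address -> (ip, country) pairs seen querying
# or transacting with it, as a blockchain-analytics feed might supply them.
IP_OBSERVATIONS = {
    "bc1counterpartyX": [("198.51.100.7", "IR"), ("203.0.113.9", "IR")],
    "bc1peerB": [("192.0.2.5", "DE")],
    "bc1depositY": [("198.51.100.21", "SY")],
}


class UnionFind:
    """Disjoint-set forest keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(transactions):
    """Union every input of each transaction (common-input-ownership)."""
    uf = UnionFind()
    for _txid, inputs, _outputs in transactions:
        for addr in inputs:
            uf.union(inputs[0], addr)
    return uf


def expand_sanctioned(sdn_addresses, transactions):
    """Every address sharing a cluster with a listed address (list included)."""
    uf = build_clusters(transactions)
    roots = {uf.find(a) for a in sdn_addresses}
    return {a for a in list(uf.parent) if uf.find(a) in roots}


def sanctioned_ips(address, ip_observations):
    """Distinct IPs from sanctioned jurisdictions observed on an address."""
    return {ip for ip, cc in ip_observations.get(address, [])
            if cc in SANCTIONED_JURISDICTIONS}


def screen_transfer(deposit_address, counterparty, sdn_addresses,
                    expanded_sdn, ip_observations, min_ips=2):
    """Return the red flags raised by one transfer (empty list means none).

    Flags map to the three red flags above: multiple sanctioned-jurisdiction
    IPs on the counterparty, a sanctioned-jurisdiction IP on the customer's
    own deposit address, and a counterparty in a sanctioned cluster.
    """
    flags = []
    if counterparty in sdn_addresses:
        flags.append("LISTED_ADDRESS")
    elif counterparty in expanded_sdn:
        flags.append("SANCTIONED_CLUSTER")
    if len(sanctioned_ips(counterparty, ip_observations)) >= min_ips:
        flags.append("COUNTERPARTY_MULTIPLE_SANCTIONED_IPS")
    if sanctioned_ips(deposit_address, ip_observations):
        flags.append("DEPOSIT_QUERIED_FROM_SANCTIONED_JURISDICTION")
    return flags


if __name__ == "__main__":
    expanded = expand_sanctioned(SDN_ADDRESSES, TRANSACTIONS)
    print("expanded sanctioned set:", sorted(expanded))
    for dep, cp in [("bc1depositY", "bc1counterpartyX"),
                    ("bc1cleanDeposit", "bc1peerB"),
                    ("bc1cleanDeposit", "bc1unrelated")]:
        print(dep, "<->", cp, screen_transfer(dep, cp, SDN_ADDRESSES,
                                               expanded, IP_OBSERVATIONS))
```

In this sample, `bc1peerB` never appears on the sanctions list and has only a German IP observation, yet it is flagged because it was co-spent with `bc1peerA`, which was co-spent with the listed address. Output addresses such as `bc1exchangeDeposit` are deliberately not merged, since receiving funds from a cluster does not imply shared control. Consistent with the text, a flag here is a trigger for enhanced due diligence rather than an automatic block: IP observations show interest from a jurisdiction, not ownership, and the input heuristic can over-merge on coin-mixing transactions.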

BitGo and BitPay Penalties for Sanctions Violations

At the end of 2020, OFAC levied its first enforcement action against a VASP for sanctions violations. According to OFAC, institutional crypto custodian service and wallet operator BitGo failed to prevent persons apparently located in sanctioned jurisdictions from opening accounts and sending digital currencies via its platform.




OFAC and BitGo eventually reached a settlement of $93,830. In the enforcement action, OFAC emphasized that “sanctions compliance obligations apply to all US persons, including those involved in providing digital currency services.” This action came two months after OFAC had issued an advisory warning of potential sanctions violations for facilitating ransomware payments.

OFAC noted 183 apparent violations, totaling over $9,000, in transactions sent to the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria. The enforcement action states that BitGo had reason to know these users were located in sanctioned jurisdictions based on IP data collected when users logged in to the platform, but that BitGo lacked any controls to block users in sanctioned jurisdictions from accessing its services.

Then, on February 18, 2021, OFAC entered into a $507,000 settlement with cryptocurrency payment provider BitPay. The enforcement action claims BitPay allowed persons in sanctioned jurisdictions, such as North Korea, Iran, Sudan, and Syria, to transact with merchants in the United States using cryptocurrency through BitPay’s platform.

While BitPay screened its direct customers (the merchants) against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and conducted due diligence to ensure they were not located in sanctioned jurisdictions, OFAC claims BitPay failed to screen the location data it obtained about its merchants’ buyers. This resulted in 2,102 transactions on behalf of individuals who, based on their IP addresses, were located in sanctioned jurisdictions.

This was OFAC’s second enforcement action in two months against a VASP for sanctions violations involving blocked countries. These two actions show how important it is to screen IP data to ensure VASPs aren’t facilitating sanctioned transactions.
