EXCLUSIVE: A cyber intelligence report examined by Digital reveals that cryptocurrency infrastructure associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) remained active during the nationwide internet outage that followed the Feb. 28 U.S.–Israeli strikes. This activity facilitated the transfer of hundreds of millions of dollars in digital assets out of the nation.
Omri Raiter, the CEO and founder of RAKIA, a cyber intelligence company that creates data analysis tools for government and security use, told Digital that his firm started tracking Iranian crypto transactions in real-time immediately after the attacks. They soon identified a massive increase in funds exiting accounts tied to Iran.
“We have witnessed a surge in funds starting from the initial hours of the conflict,” Raiter stated. “It began with tens of millions in the first few hours and expanded to hundreds of millions and beyond. Funds were simply streaming out of Iranian cryptocurrency accounts.”
According to blockchain intelligence data referenced by RAKIA, an internal report indicates that wallets connected to the IRGC received over $3 billion in cryptocurrency during 2025. The report also utilizes public data from Chainalysis, a blockchain analysis firm, which estimated the volume of Iran’s crypto ecosystem activity at $7.78 billion for 2025.
Raiter noted that the data implies Iran has established a robust financial infrastructure based on cryptocurrency that can function even amidst severe sanctions and communication blackouts.
“The IRGC has been utilizing the very same crypto channels that sanctions were meant to close to finance proxy operations,” Raiter remarked.
On Jan. 30, the U.S. Department of the Treasury sanctioned crypto exchanges associated with Iranian entities. This marked a significant shift, as it was one of the first instances where the U.S. targeted entire digital asset platforms instead of individual wallets for sanctions evasion involving the Islamic Revolutionary Guard Corps.
Treasury Secretary Scott Bessent stated that this action is part of a wider initiative to dismantle financial networks linked to Tehran, Iran.
“The Treasury remains committed to pursuing Iranian networks and corrupt elites who profit at the cost of the people,” Bessent said in a January press release, adding, “This includes the regime’s attempts to leverage digital assets to bypass sanctions.”
RAKIA’s analysis suggests that the recent spike mirrors two concurrent trends: transfers intended to support Iran’s regional proxy groups and capital flight by regime insiders aiming to secure their personal wealth.
“Funding for proxy wars and personal capital flight are interconnected,” Raiter observed. “They utilize the same pipelines.”
Raiter mentioned that the firm identified crypto flows linked to networks historically associated with groups backed by Iran.
“Some of the accounts we observed are tied to regions where money has traditionally flowed to proxy conflicts,” he informed Digital, noting activity connected to Lebanon and Yemen.
“Some of this activity could be IRGC members attempting to transfer their own funds,” Raiter said. “However, the scale and timing suggest a coordinated effort.”
The report from RAKIA asserts that this activity persisted even after Iran enforced a comprehensive internet shutdown across the country. According to internet monitoring organization NetBlocks, national connectivity fell to approximately 1% of standard levels during the blackout.
Despite the outage, RAKIA researchers reported detecting over 1,100 active cryptocurrency nodes operating within Iran.
“When internet connectivity is at one percent and you still observe over a thousand active crypto nodes, you are not looking at retail users,” said Tom Malca, RAKIA’s head of cyber and AI research, in the report. “Those nodes require dedicated bandwidth, stable power, and an intentional exemption from the shutdown.”
RAKIA researchers indicated that this activity points to specialized infrastructure that continued to function while millions of Iranian civilians were disconnected from the internet.
According to the report, the majority of nodes were located in the Tehran–Qom corridor, a region that houses key government and IRGC facilities. The analysis also identified smaller clusters in cities such as Isfahan, Mashhad, Tabriz, and Kermanshah.
RAKIA stated that its investigation depended on a mix of network monitoring and publicly accessible blockchain intelligence.
Digital contacted the Iranian mission to the United Nations in New York for a comment regarding the report’s allegations. The mission did not provide a response.