
Executive snapshot
The clerical regime in Iran has built one of the world’s most adaptive sanctions-evasion machines, moving billions in oil, cash, and crypto through a shifting network of ghost fleets, offshore shells, crypto exchanges, and front companies. As of mid-2025, satellite and AIS tracking confirms Iran’s “dark fleet” has expanded to over 320 tankers (roughly 250–350 tankers depending on methodology), many operating without International Group (IG) P&I insurance — raising both enforcement leverage and environmental spill risks.
Even many already-sanctioned actors remain operational, using reflagged vessels, renamed firms, and new wallet clusters to keep funds flowing.
Every loophole left open — whether a Shandong refinery, a Dubai exchange house, or a stablecoin bridge — fuels the IRGC’s missile programs and its funding for Hezbollah, the Houthis, and other proxies.
Critically, Beijing’s “teapot” refineries, UAE/HK free-zone shell companies, and TRON-based stablecoin rails now account for most Iran-linked flows, as confirmed by FinCEN’s June 2025 advisory and Elliptic/TRM forensic blockchain data.
This report shows how Iran’s networks adapt after crackdowns, where critical enforcement gaps persist, and which maritime, financial, and crypto corridors continue enabling Tehran’s sanctions-evasion machine today.
A set of documents recently acquired by #Iranian dissidents reveals the Iranian regime’s efforts to establish an international club with the aim of neutralizing international #sanctions. https://t.co/I72lf9lpyL
— NCRI-FAC (@iran_policy) June 18, 2023
1) Moving the oil: the shadow fleet and deceptive shipping
Scale & destinations: Iran’s oil exports averaged around 1.4–1.8 million barrels per day in early 2025, with China buying the lion’s share, especially through “teapot” refineries in Shandong. Data from Kpler and Vortexa confirms that over 250 tankers—part of Iran’s “dark fleet”—handle the bulk of these exports. These vessels often engage in AIS blackouts, name/flag swapping, and ship-to-ship transfers in the Persian Gulf, Malacca Strait, and beyond. Notably, oil is frequently routed through Malaysia, Singapore, and Indonesia and rebranded as Malaysian-origin before final delivery to Chinese refineries.
How the fleet hides cargo:
- AIS darkness & spoofing, frequent renaming/reflagging, and ship-to-ship (STS) handoffs—often off Malaysia—before final delivery to China. Satellite and industry monitors have documented these routings repeatedly.
OFAC’s Apr 16, 2025, advisory emphasizes red-flag shipping behaviors like AIS manipulation, false vessel IDs, and opaque ownership structures without naming specific vessels. Its Mar 2025 actions, for example, against CORONA FUN, ENOLA, and the DINO I, illustrated these practices in real-world cases. Later enforcement (in other advisories or press releases) continues to target tankers exhibiting similar spoofing tactics.
- False paperwork/blending (e.g., “Malaysian blend”) to disguise origin. U.S. government guidance and advisories flag these exact typologies.
FinCEN’s June 2025 advisory (FIN-2025-A002) warns of falsified cargo/vessel documents and blending of Iranian oil—often relabeled “Malaysian blend” to disguise origin, and highlights the use of Hong Kong- and UAE-based front companies (including free-trade-zone shells and non-resident accounts) to move proceeds.
PRESS CONFERENCE by @NCRIUS to Expose IRGC’s Elaborate International Scheme to Evade Sanctions and Fund Terror Abroad and Repression at Home.
Wednesday, May 31, 2023 – 10:30 am EDT, Washington, DC #BlacklistIRGC #Iran https://t.co/jt7YKZP3A5
— Alireza Jafarzadeh (@A_Jafarzadeh) May 30, 2023
2025 enforcement that reveals the channels:
- Aug 21, 2025—OFAC sanctioned Greek shipper Antonios Margaritis and a web of companies/vessels (e.g., ADELINE G, KONGM, ARES) for moving millions of barrels of Iranian oil to China via repeated STS with already-sanctioned tankers (TITAN, GOODWIN, AMAK). The press note reads like a routing manual. OFAC also identified associated ship managers/owners used to rotate vessels and paperwork (e.g., Comford Management, Hangshun Shipping), showing how management changes and reflagging helped bypass prior listings.
- May 8, 2025 — OFAC designated Hebei Xinhai Chemical Group Co. Ltd., a Chinese “teapot” refinery, along with three Shandong terminal operators—Baogang (Dongying Donggang) Logistics & Warehousing Co., Ltd., Shandong Jingang Port Co., Ltd., and Shandong Baogang International Port Co., Ltd.—for facilitating hundreds of millions of dollars in Iranian oil deliveries from shadow‑fleet tankers. This marked OFAC’s first targeting of onshore terminal operators in Shandong, signaling that land-side logistics—not just vessels—are now enforcement levers. Also in Aug 2025, Treasury named Chinese storage operators Qingdao Port Haiye Dongjiakou and Yangshan Shengang International Petroleum Storage & Transportation, expanding pressure to land-side blending nodes that receive Iranian crude after STS.
Insurance & safety risks: Marine underwriters are now challenging suspect insurance documentation tied to dark-fleet tankers, and the EU has expanded ship listings—raising the odds of port denials or catastrophic uninsured spills. Many dark-fleet vessels lack International Group (IG) P&I cover or rely on non-IG/fraud-prone certificates—a leverage point for port-state control and for denying berths, bunkers, and services. Investigators should also flag AIS gap patterns around Malaysian/South China Sea STS zones and draught vs. bill-of-lading mismatches—key OFAC red flags.
#Iranian Regime’s Shadowy Deals with #China Highlight Corruption and Sanctions Evasion https://t.co/iTglfofTrA
— NCRI-FAC (@iran_policy) May 7, 2024
2) Selling the oil: “shadow banking” networks that settle trades
Blueprint, with typologies: FinCEN’s June 6, 2025, advisory details how Iran clears oil revenues through exchange houses and front companies in the UAE and Hong Kong, including Hong Kong firms banking with China-based financial institutions via non-resident accounts, use of free-trade-zone shells, layered transactions, and forged/falsified documents—allowing funds to be used abroad without repatriation. It provides red flags (e.g., references to “Malaysian blend” on China-bound cargo via Southeast Asia with AIS irregularities/STS, falsified bills of lading or missing consignees, UAE FTZ trading companies with opaque ownership, and HK companies using Chinese non-resident accounts) and instructs SAR filers to include “IRAN-2025-A002.”
Named case – Zarringhalam network: On June 6, 2025, OFAC designated 30+ individuals and entities tied to the Zarringhalam brothers. The network used Iran-based exchange houses (e.g., GCM, Berelian) and front companies in the UAE and Hong Kong that operated multi-currency accounts to route payments for Iranian oil/petrochemical sales, including on behalf of IRGC-QF/PGPIC. FinCEN’s advisory features this case and instructs SAR filers to use key term IRAN-2025-A002.
Offshore conduit exposed: Aug 7, 2025—OFAC sanctioned Cyrus Offshore Bank (Kish Island) and named leadership, describing it as a special-license bank secretly run by Parsian Bank to move oil proceeds (including via China’s Bank of Kunlun) outside normal oversight—plus Iran’s CIMS/RUNC payments system built to circumvent mainstream messaging rails. Counterparties connecting to CIMS/RUNC or clearing via Bank of Kunlun/RMB rails face heightened secondary-sanctions exposure; flows also incorporate gold/commodity barter to avoid USD touchpoints.
Iraq’s dollar gate tightening: Since mid-2023 the U.S. has barred multiple Iraqi banks from dollar transactions over siphoning to Iran; additional Iraqi banks faced restrictions through 2024–2025. Iraq’s central bank also revoked Bank Melli’s license in 2024. These curbs are closing a long-abused corridor. The initial wave covered 14 Iraqi banks (2023), with follow-on limits in 2024–25—pushing Iran-linked brokers to yuan settlement, barter, and crypto as substitutes for the Baghdad FX auctions.
🔶 The latest episode of our BEHIND THE IRAN HEADLINES Series:
"NCRI-US Reveals: The IRGC Papers & the Scheme to Evade Sanctions and Fund Terror" –
NCRI-US Deputy Director Alireza Jafarzadeh explains. @A_Jafarzadeh @Iran_Policy #BlacklistIRGC, #IRGCFundsTerror. pic.twitter.com/yrCfsRpiSV
— NCRI-U.S. Rep Office (@NCRIUS) June 6, 2023
3) Crypto as pressure release: Nobitex and Iran’s digital rails
Why Nobitex matters: Nobitex is Iran’s largest exchange (handling ~87% of Iran-linked volume in 2025) and sits at the center of domestic flows, including on-chain links to IRGC-flagged actors. After a ~$90M hack on June 18, 2025 (attributed to Predatory Sparrow), liquidity and trust deteriorated; on July 2 Tether froze 42 Iran-linked addresses (over half with Nobitex exposure), prompting a coordinated push to dump TRON-USDT and migrate to DAI on Polygon.
On-chain exposure: Elliptic’s June 30, 2025, deep dive links Nobitex infrastructure to patterns consistent with IRGC-aligned activity, plus interactions with Russia-sanctioned Garantex and other high-risk addresses. Additional TRM analysis highlights Nobitex’s use of cross-chain bridges (notably Polygon ↔ Tron ↔ BSC) to obscure provenance, as well as liquidity pooling via sanctioned Russian VASPs tied to ransomware laundering hubs. These cross-chain swaps are now a top sanctions-evasion risk vector.
The July 2, 2025 inflection point: Tether conducted its largest Iran-linked freeze to date: 42 addresses, over half with substantial Nobitex exposure and flows to previously flagged IRGC-affiliated wallets, per TRM Labs. The freeze triggered a visible pivot off TRON-USDT toward DAI on Polygon—a tell for future monitoring. Investigators noted that after the freeze, Iranian wallets increased flows through Layer-2 scaling solutions (Arbitrum, Optimism) and deployed privacy-enhanced mixers like Tornado Cash forks hosted on unregulated servers. These patterns indicate an intentional migration to censorship-resistant infrastructure as enforcement tightens.
Context from prior years: Even before the 2025 shocks, Iran monetized energy via Bitcoin mining during sanctions peaks; 2021 research put Iran at ~4.5% of global BTC mining and near $1B/year in revenue then—showing why authorities tolerate industrial loads despite blackouts. Some mining farms were traced to Basij-controlled facilities receiving state-supplied transformers to bypass grid quotas.
Press Release: https://t.co/ZkmxaE4hfo
— Treasury Department (@USTreasury) August 7, 2025
4) Procurement pipelines: drones, missiles, and dual-use tech
Unsealed U.S. cases show the route map: On April 1, 2025, DOJ unsealed charges describing an Iran-based logistics network (Rah Roshd Co. and principals) procuring components for Mohajer-6 UAVs and shipping through third-country fronts—classic diversion tactics you can pattern-match in shipping and payments data. Court filings show Rah Roshd procured servo motors, pneumatic masts, and engines for the Mohajer-6, used UAE front companies to pay China-based suppliers via U.S. correspondent banks, and employed aliases/spoofed emails to mask the IRGC/QAI end-use; a downed Mohajer-6 also contained a U.S.-made component (“Company-1”).
Sanction focus up the chain: On Feb 6, 2025, Treasury sanctioned the AFGS front Sepehr Energy Jahan Nama Pars and a network moving Iranian crude to China—naming vessels and facilitators including the SIRI (ex-ANTHEA), OXIS, GIOIOSA, and Marshal Ship Management—and detailing falsified maritime documents and PRC deliveries that channel oil revenues to Iran’s military.
PRESS CONFERENCE: @NCRIUS Exposes IRGC’s Elaborate International Scheme to Evade Sanctions and Fund Terror #BlacklistIRGC #IranRevolution https://t.co/2TpitGjZRK
— NCRI-FAC (@iran_policy) May 31, 2023
5) Trade-based laundering & proxy finance: the old pipes still run
Project Cassandra’s lesson: Politico’s Project Cassandra investigation and the Lebanese Canadian Bank case remain foundational for understanding trade-based money laundering (TBML), used-car pipelines, and cash-to-bank loops historically financing Hezbollah. These methods persist today across Iran-aligned sanctions-evasion networks, now supercharged by crypto rails and ghost fleet oil flows.
FinCEN’s Oct 23, 2024, alert warns that Hizballah-linked facilitators exploit trade-based money laundering via front companies in high-risk free-trade zones across West Africa, Europe, and South America, and provides related red flags for financial institutions.
Sanctioning Facilitators of Iran Sanctions Circumvention and Political Oppression https://t.co/KF1l8Fr1xl
— U.S. State Dept – Near Eastern Affairs (@StateDept_NEA) August 7, 2025
Why It Matters
With the E3’s activation of the UNSC Resolution 2231 snapback mechanism, the clerical regime in Iran faces the return of full UN sanctions on its nuclear, missile, arms, and financial sectors. But instead of moderating its behavior, the regime is poised to escalate its shadow operations.
At the heart of this strategy is the regime’s Supreme Leader Ali Khamenei’s survival doctrine: any retreat on Tehran’s “strategic leverages” — nuclear enrichment, ballistic missile expansion, proxy warfare, and global terrorism networks — would demoralize its security forces and embolden an already explosive society. Concessions, in the regime’s view, equal the overthrow of the theocracy.
The consequence for the world: leaving Iran’s evasion machine intact hardens a parallel economy that insulates Tehran from pressure—longer-range missiles and better-armed proxies from Lebanon to Yemen. As the dark fleet expands without IG cover, the odds of an uninsured spill—and stranded victims—rise. Normalized shell companies and stablecoin rails teach other sanctioned actors to copy the playbook, eroding the credibility of sanctions and fragmenting financial oversight. Each quarter of tolerated flows deepens counterparties’ complicity, making later rollbacks costlier and the security fallout broader.