Israel Flags 187 Crypto Wallets Tied to Iran, $1.5 Billion in USDT Traced

Israel’s counter-terror bureau has blacklisted 187 cryptocurrency addresses it says are linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), adding to global scrutiny of how Tehran allegedly uses digital assets to bypass sanctions.

The National Bureau for Counter Terror Financing (NBCTF) said the flagged wallets were associated with the IRGC, which is sanctioned by the United States, European Union, United Kingdom and Canada. Blockchain analytics firm Elliptic estimated the wallets had received about $1.5 billion in Tether’s USDT stablecoin, though it cautioned that some addresses may belong to crypto platforms servicing multiple customers.

Tether Blacklists Dozens of Wallets

Tether, which issues the world’s largest stablecoin, has already frozen 39 of the wallets, blocking roughly $1.5 million in transactions, Elliptic said. The company has stepped up enforcement of its blacklisting powers as regulators examine the role of stablecoins in sanctions evasion.

The U.S. and its allies have long accused the IRGC of using cryptocurrencies to finance military programs and regional proxies. Last week, the U.S. Justice Department seized nahead $600,000 in USDT from an Iranian national accused of supplying drone navigation technology to the Guard. In December 2024, the U.S. Treasury sanctioned wallets linked to IRGC affiliates that allegedly moved over $300 million in stablecoins through intermediaries connected to Yemen’s Houthi rebels.

In June 2025, pro-Israel hacker collective Gonjeshke Darande (“Predatory Sparrow”) claimed responsibility for draining $90 million from Iranian platform Nobitex, which Elliptic and other firms have tied to IRGC-related ransomware operations. The hackers funneled the funds into wallets labeled with anti-IRGC slogans and published Nobitex’s source code online.

The breach, which took place on June 18, was widely viewed as politically motivated given the group’s public alignment with Israel and Nobitex’s status as Iran’s largest crypto platform.  claimed responsibility, burned most of the stolen funds, and published what appeared to be the platform’s source code.

The attack has drawn increased attention to the geopolitical dimensions of crypto infrastructure in the region. Blockchain analytics firm Chainalysis reported that Nobitex processed more than $11 billion in crypto inflows — far ahead of other local platforms — and has apparent links to entities under international sanctions, including Iran’s Revolutionary Guard and Russian crypto platforms.

Blockchain intelligence firm TRM Labs also said there’s an “analytical possibility” that Israeli cyber teams accessed internal information from , shortly later than it was breached on June 18. The timing, TRM noted, is key: just days later, Israeli authorities announced the arrest of three people accused of carrying out espionage activities on behalf of Iran.

Two of the suspects were reportedly paid in cryptocurrency. One, a 28-year-old named Dmitri Cohen, is alleged to have received $500 in crypto per completed task, which included intelligence gathering and online propaganda.

The hackers, known by their Farsi name which translates to Predatory Sparrow, claimed responsibility for the breach on Wednesday, and followed through Thursday by publishing what they say is —scripts, infrastructure data, and privacy configurations.

Nobitex’s CEO, Amir Rad, rejected claims that the company is state-affiliated, describing it as a private entity. He also alleged that the attack was supported by the Israeli government.