Reporting on Iran’s domestic instability and state pressure indicates cryptocurrency usage has expanded sharply as both a financial outlet for citizens and a funding channel for regime-linked actors. Chainalysis assessed Iran’s crypto ecosystem at ~$7.78B in 2025, with activity correlating to political events and conflict; it also reported that IRGC-linked on-chain activity represented ~50% of Iran’s total crypto activity in Q4 2025 and has been increasing over time. The same analysis noted that during recent mass protests, Iranians increased Bitcoin withdrawals to personal wallets, consistent with capital flight behavior amid currency collapse and political instability.
Separately, AlphaHunt reported telemetry consistent with an intentional national internet shutdown in Iran on 2026-01-08 (traffic falling to near-zero), alongside indicators such as a ~98.5% drop in IPv6 routing announcements observed by Cloudflare earlier that day. Based on prior patterns of Iran-linked operations (e.g., APT42), the post-blackout period is assessed as higher risk for rapid phishing, credential theft, and account takeovers targeting officials, journalists, and dissidents—driven more by “regime security” requirements (identification, monitoring, intimidation) than by novel technical exploitation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
11 events from the most recent confirmed update back to the earliest known activity.
The AlphaHunt post also cites Google reporting that Iranian government-backed actors used Gemini to assist with reconnaissance, translation and localization, and phishing-content creation.
The AlphaHunt post cites prior public reporting that APT42 used WhatsApp-focused social engineering, impersonating tech support brands to target officials and public figures. This is presented as part of Iran-linked operators' established credential-theft playbook.
The disruption continued from January 8 through January 13, 2026, with only brief periods of restored connectivity, indicating sustained state control over communications.
On January 8, 2026, Iran's national internet traffic reportedly dropped to effectively zero around 18:45 UTC, marking the start of a near-total shutdown during mass protests.
In the period immediately preceding the January 2026 blackout, Iranians reportedly moved more Bitcoin from exchanges to personal wallets, behavior Chainalysis interprets as a flight to safety amid unrest and economic pressure.
Chainalysis reports that inflows to publicly designated IRGC-linked wallets increased to more than $3 billion in 2025, up from over $2 billion in 2024.
According to Chainalysis, IRGC-linked activity represented more than 50% of Iran's total crypto values received in Q4 2025, showing the group's dominant on-chain position.
Chainalysis says Iran's cryptocurrency ecosystem exceeded $7.78 billion in 2025 and grew faster than the previous year, underscoring the sector's expanding role in the country's economy.
The same June 2025 period also saw a breach of Iranian state television, adding to evidence that cyber operations intensified alongside the conflict.
During the June 2025 conflict period, cyberattacks targeted Iranian crypto exchange Nobitex and Bank Sepah, reflecting a broader escalation in cyber activity tied to geopolitical tensions.
Chainalysis reports that inflows to publicly designated IRGC-linked wallets in Iran totaled more than $2 billion in 2024, establishing a baseline for the group's growing role in the country's crypto ecosystem.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.