Back to Intelligence

OFAC Sanctions Nobitex: Disrupting Iranian Ransomware Financial Infrastructure

SA
Security Arsenal Team
June 4, 2026
5 min read

The U.S. Treasury's Office of Foreign Assets Control (OFAC) has officially sanctioned Nobitex, Iran's largest cryptocurrency exchange. This designation is a critical development for the cybersecurity community because Nobitex serves as a primary financial conduit for Iranian "encryption-based" cyber actors—specifically ransomware operators and state-sponsored groups funding malicious operations.

For defenders, this is not merely a compliance update; it is an actionable intelligence artifact. Organizations interacting with this infrastructure—even inadvertently via automated ransomware payment negotiations or data leak site traffic—violate sanctions and risk funding adversarial operations. We must immediately treat Nobitex infrastructure as hostile IOCs and block access at the perimeter.

Technical Analysis

The Threat Vector: Nobitex provides the liquidity layer for Iranian threat actors. When ransomware groups demand payment, they often rely on mixers or exchanges in jurisdictions with lax enforcement to convert crypto assets to fiat currency. Sanctioning Nobitex aims to sever this bridge, making it harder for actors to realize profit from their campaigns.

Affected Infrastructure & Scope: While this advisory targets a financial entity rather than a software vulnerability, the technical impact spans all network environments allowing outbound internet access. The scope includes:

  • Web Infrastructure: The primary web portal and API endpoints used for trading.
  • Network Traffic: Any DNS resolution or HTTP/HTTPS connections attempting to reach Nobitex domains.
  • Compliance Risk: Systems involved in financial transactions or third-party risk assessment must immediately cross-reference against the Specially Designated Nationals (SDN) list.

Why This Matters Now: As of 2026, ransomware groups have increasingly relied on Iranian exchanges due to crackdowns in other regions. By blocking Nobitex, we degrade the "cash-out" capability of these actors, increasing the operational risk and cost for them to conduct attacks against Western targets.

Detection & Response

Effective defense requires identifying any internal systems attempting to communicate with Nobitex infrastructure. The following rules focus on network telemetry and process execution patterns associated with interacting with these domains.

SIGMA Rules

YAML
---
title: Potential Network Connection to Sanctioned Nobitex Exchange
id: 9f8e7d6c-5b4a-4321-9a8b-7c6d5e4f3a2b
status: experimental
description: Detects outbound network connections to domains associated with Nobitex, a sanctioned Iranian crypto exchange used by ransomware actors.
references:
  - https://home.treasury.gov/news/press-releases/jy2143
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'nobitex'
  condition: selection
falsepositives:
  - Legitimate research or authorized financial testing (unlikely in standard corporate envs)
level: critical
---
title: DNS Query for Nobitex Infrastructure
id: 1a2b3c4d-5e6f-7890-1234-567890abcdef
status: experimental
description: Identifies DNS requests for domains related to the sanctioned Nobitex exchange, indicating potential reconnaissance or transaction attempts.
references:
  - https://home.treasury.gov/news/press-releases/jy2143
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.discovery
  - attack.t1590
logsource:
  category: dns
  product: windows
detection:
  selection:
    QueryName|contains:
      - 'nobitex.ir'
      - 'nobitex.com'
  condition: selection
falsepositives:
  - Benign typos or misconfigured software
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for network traffic to sanctioned Nobitex infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "nobitex" 
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, ActionType
| summarize count() by DeviceName, RemoteUrl

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes establishing connections to Nobitex domains
-- Note: This requires VQL with network enumeration capabilities enabled
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE CommandLine =~ 'nobitex'
   OR Exe =~ 'nobitex'

-- Alternative: Scan DNS cache for references to the sanctioned entity
SELECT QueryName, Timestamp
FROM dns_cache()
WHERE QueryName =~ 'nobitex'

Remediation Script (PowerShell)

PowerShell
# Remediation: Block Nobitex Infrastructure via Windows Firewall
# Requires Administrative Privileges

$ sanctionedDomains = @("*.nobitex.ir", "*.nobitex.com")
$ ruleName = "Block OFAC Sanctioned Nobitex Infrastructure"

Write-Host "[+] Checking for existing Firewall rule..." -ForegroundColor Cyan

$ existingRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

if (-not $existingRule) {
    Write-Host "[+] Creating new Firewall rule to block outbound connections to Nobitex..." -ForegroundColor Yellow
    
    # Create a new rule block
    New-NetFirewallRule -DisplayName $ruleName `
                       -Direction Outbound `
                       -Action Block `
                       -Enabled True `
                       -Profile Any `
                       -RemoteAddress $sanctionedDomains
    
    Write-Host "[+] Successfully blocked Nobitex domains via Windows Firewall." -ForegroundColor Green
} else {
    Write-Host "[!] Rule already exists. Updating remote addresses if necessary..." -ForegroundColor Yellow
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $sanctionedDomains
}

# Optional: Add to hosts file for immediate local resolution sinkhole
$ hostsPath = "C:\Windows\System32\drivers\etc\hosts"
$ sinkholeIP = "127.0.0.1"
$ domains = @("nobitex.ir", "www.nobitex.ir")

$ currentHosts = Get-Content $hostsPath

foreach ($domain in $domains) {
    if ($currentHosts -notmatch $domain) {
        Add-Content -Path $hostsPath -Value "$sinkholeIP $domain # Blocked via OFAC Sanctions - Nobitex"
        Write-Host "[+] Added $domain to hosts file." -ForegroundColor Green
    }
}

Remediation

  1. Immediate Network Blocking: Update your perimeter firewalls, Secure Web Gateways (SWG), and DNS sinkholing services to block all domains and IP addresses associated with Nobitex. Refer to the official OFAC SDN list entry for the full list of associated crypto-wallet addresses and domains.
  2. Threat Intelligence Updates: Ensure your Threat Intelligence Platform (TIP) ingests OFAC sanction updates as high-confidence IOCs.
  3. Historical Log Analysis: Conduct a hunt on your DNS and Proxy logs for the past 12 months for any interactions with nobitex.ir or related infrastructure. If found, investigate the source host—it may have been compromised by ransomware engaging in payment negotiations.
  4. Policy Review: Update your acceptable use policies to explicitly prohibit transactions or interactions with sanctioned entities, reinforcing the legal necessity of these blocks.
  5. User Awareness: Notify your finance and treasury teams that they must verify no counterparties are utilizing Nobitex, as this poses a significant compliance risk.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirofac-sanctionsnobitexfinancial-threat-intel

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action
OFAC Sanctions Nobitex: Disrupting Iranian Ransomware Financial Infrastructure | Security Arsenal | Security Arsenal