BLACKWIRE INVESTIGATIONS // FOLLOW THE MONEY
■ Financial Crime Bureau

$350 Billion Shadow War: How Russia, North Korea, and Iran Weaponized Crypto


A new database covering 164 documented laundering cases across two decades puts the first hard figure on state-sponsored crypto crime. The number is staggering. The conviction rate is an embarrassment.
BLACKWIRE Financial Crime Bureau | March 5, 2026 | Financial Crime / Sanctions | 7 min read

The first thing to understand about $350 billion is that it is not the real number.

Alexander Browder, founder of the Global Cryptocurrency Laundering Database and author of a new report published this week, is careful on this point. The figure he has assembled - covering 164 documented crypto money-laundering cases from 2005 through 2025 - represents only what has surfaced in court records, law enforcement announcements, and open-source reporting. The cases that never became cases. The transactions no blockchain analyst has ever flagged. The wallets no regulator has ever touched. Those are absent from the count.

"Many multiples," Browder told the Organized Crime and Corruption Reporting Project when asked about the gap between the documented total and the real one.

Three governments sit at the center of the report: Russia, North Korea, and Iran. Together they are described as the most "prolific" state exploiters of cryptocurrency markets - not primarily as a financial innovation, but as a weapons-grade sanctions-evasion tool.

Total documented crypto laundering (2005-2025): $350 billion
Cases examined: 164
Cases resulting in conviction: 21%
Garantex total transaction volume: $100+ billion
Garantex volume linked to sanctioned entities: 82%
North Korea crypto theft (19 hacks): $4.1 billion
Bybit hack (Feb 2025, attributed DPRK): $1.5 billion
Iran crypto outflow surge post-airstrike (Nobitex): +700%

Garantex: The $100 Billion Laundromat

Russia's contribution to the architecture of crypto crime is not subtle. The exchange Garantex, sanctioned by the U.S. Treasury's Office of Foreign Assets Control in 2022, continued processing transactions long after that designation. According to the report, Garantex handled more than $100 billion in total volume. Of that, 82 percent was linked to sanctioned entities worldwide.

The figure deserves a moment of attention. A sanctioned exchange, processing $100 billion. More than four out of every five dollars touching sanctioned parties. Operating, apparently, with the implicit sanction of the Russian state.

The report describes Garantex as having "functioned as a sanctions-evasion tool because it provided services that helped users move value" - a phrasing that reads almost clinical given the scale involved. What it describes, in plain terms, is a state-adjacent financial infrastructure purpose-built to make Western sanctions irrelevant.

"The database is based on open-sourced reporting of crypto laundering, but many schemes have never seen the light of day and have not shown up in any court records, news reporting or law enforcement announcements."

- Alexander Browder, Global Cryptocurrency Laundering Database

North Korea: Nineteen Hacks, One Record

North Korea's operations are less about evasion and more about extraction. The report documents 19 cryptocurrency hacks attributed to Pyongyang-linked actors, yielding a combined $4.1 billion in stolen funds.

The largest single event came in February 2025: the breach of the exchange Bybit, which the report describes as the largest cryptocurrency hack in recorded history. The take was $1.5 billion. Blockchain forensics firms attributed the attack to the Lazarus Group, the DPRK's primary cyber-offensive unit, within days.

What made Bybit notable - beyond the scale - was the method. Attackers compromised the Safe multisig wallet interface used by Bybit's cold storage, substituting malicious code at the signing layer. The funds moved before anyone at Bybit knew they were gone. The exchange survived. Not every target does.

For North Korea, these operations are not sideline activity. They are state revenue. Sanctions have severed Pyongyang from most international financial rails. Cryptocurrency fills the gap - funding weapons programs that analysts estimate cost hundreds of millions annually. Every successful hack is, in effect, a budget line.

Iran: Oil, Crypto, and the 700 Percent Surge

Iran's approach is different again. Where Russia runs exchanges and North Korea runs hack operations, Iran has built a parallel financial system that routes oil revenue through digital assets to bypass trade barriers.

The report identifies two sanctioned individuals - Alireza Derakhshan and Arash Estaki Alivand - as having generated more than $100 million in profit for Iran through cryptocurrency derived from oil sales. The mechanism is well-documented in sanctions enforcement circles: Iranian crude moves, the payment arrives in crypto, the crypto converts to hard currency outside Western financial systems.

Then, on February 28 of this year, something more immediate happened. U.S.-Israeli airstrikes hit Tehran. Within hours, outflows from the Iranian exchange Nobitex surged 700 percent, according to blockchain analytics firm Elliptic. Capital flight, moving fast. The destination: overseas exchanges, outside Iranian regulatory reach and outside the range of any future asset freeze.

The speed of the response is the point. Whoever moved those funds knew exactly where to go and how to get there. This was not improvised. It was a rehearsed contingency.

79 Percent Walk

The report's most damning finding has nothing to do with the criminals. It concerns the enforcers.

Of 164 documented cases examined, 79 percent have not resulted in convictions. The architects of the largest sanctions-evasion network in history are, with few exceptions, operating freely. Some are operating with active state protection.

"Most of these crimes go unpunished and more vigilant prosecution needs to be carried out," the report states. The language is restrained. The implication is not.

Part of the gap is jurisdictional. Russia will not extradite its nationals. North Korea is beyond any legal reach. Iran's operators largely function within friendly jurisdictions. Part of it is technical - blockchain forensics has improved dramatically, but tracing funds through multiple hops across privacy-coin conversions and foreign exchanges remains difficult. And part of it, the report implies, is will. Enforcement has not kept pace with scale.

The United States: Most Targeted, Most Exposed

There is an irony in the data that the report does not hide. The United States, which drives more global sanctions enforcement than any other country, is also the single most-affected nation in the dataset. Of 164 cases, 39 - 23.6 percent - involve U.S. victims, markets, or entities.

The report attributes this to size and opportunity: more targets, more liquidity, more surface area for attacks. Russia ranks second at 19 cases, 11.5 percent of total documented volume. The U.K. follows.

The sanctions architecture that Western governments have built over decades rests on the assumption that bad actors need access to dollar-denominated correspondent banking to move money at scale. Cryptocurrency breaks that assumption entirely. The $350 billion documented in this report was moved without a single SWIFT message.

The infrastructure of illicit finance has been rebuilt in code. The infrastructure of enforcement has not yet caught up. That gap, Browder's database suggests, costs hundreds of billions of dollars and funds weapons programs, authoritarian governments, and organized crime simultaneously.

The real number, he says, is many multiples higher.

SOURCES: Global Cryptocurrency Laundering Database (Alexander Browder, 2026); OCCRP, "Report Describes Crypto's $350 Billion Shadow War," March 3, 2026; Elliptic blockchain analytics (Nobitex outflow data, Feb. 28, 2026); U.S. Treasury OFAC Garantex designation (2022); OCCRP Bybit/Lazarus Group attribution reporting (February 2025).
