How Iran Is Using Cryptocurrency to Fight the Hormuz Blockade

Abhishek Gautam, 9 min read

Quick summary

As the Hormuz blockade cuts IRGC oil revenue, Iran is intensifying crypto operations — ransomware for hard currency, Bitcoin mixing, USDT via UAE exchanges. The full playbook.

The Hormuz blockade cut Iran's primary revenue stream on April 13. Within 48 hours, IRGC-linked cyber activity targeting Western financial and energy infrastructure had measurably increased.

This is not a coincidence. It is the activation of Iran's parallel financial architecture — the one that does not depend on oil shipments, dollar transactions, or the SWIFT network. Cryptocurrency is the IRGC's war chest when conventional revenues are cut, and the blockade has just cut them.

Here is the complete playbook.

The IRGC's Five Crypto Revenue Channels

Channel 1: Ransomware Operations

The Iranian state-aligned groups most often named here, APT33 (Refined Kitten), APT34 (OilRig) and Charming Kitten (APT35), are primarily espionage actors, and APT34 is generally attributed to the Ministry of Intelligence (MOIS) rather than the IRGC. The ransomware-for-revenue activity that matters for this argument is best documented for the IRGC-affiliated group tracked as Pioneer Kitten (also Fox Kitten and Lemon Sandstorm): CISA's August 2024 advisory AA24-241A describes it obtaining initial access to US networks and then working with ransomware affiliates, including NoEscape, RansomHouse and ALPHV (BlackCat), in exchange for a share of the payments, and Treasury designated IRGC-affiliated individuals and two front companies for ransomware activity in September 2022. The blockade intensifies both the motivation and the operational tempo.

The mechanics: a target network is compromised through spear-phishing or exploitation of unpatched, internet-facing appliances (historically Citrix NetScaler, Fortinet SSL VPN and Microsoft Exchange). After lateral movement and data exfiltration, a ransomware payload is deployed. The ransom demand is in Bitcoin or Monero: $2-8 million for enterprise targets, $15-50 million for critical infrastructure. Payment goes to attacker-controlled wallet addresses and is typically routed through a chain of intermediary wallets, mixers or cross-chain swaps before reaching the final custodian. That chain matters to defenders and compliance teams alike: OFAC publishes the digital currency addresses of designated actors on the SDN list, and exchanges and OTC desks are expected to screen deposits by how many hops separate them from a designated address.

The critical economic point: a single successful ransomware operation against a US hospital system or financial institution generates more hard currency than weeks of IRGC port toll revenue from Hormuz transit fees. With the toll revenue cut, ransomware is not supplemental — it becomes a primary revenue source.

The specific targets under elevated threat during the blockade period: US healthcare (high payment rates, critical need for system restoration), energy sector OT/SCADA systems (leverage for larger demands), financial services, and Gulf cloud infrastructure providers.

Channel 2: Cryptocurrency for Oil Payments

The yuan toll arrangement was the public, relatively transparent mechanism. The crypto backup is less visible but equally functional. Iranian entities accept USDT (Tether), BTC, and occasionally ETH for oil cargo transactions with buyers who cannot operate in the yuan payment system — smaller trading companies, buyers in secondary markets, sanctions-adjacent intermediaries.

The buyer pays in crypto. The Iranian intermediary receives it. The transaction does not touch the dollar system, the euro system, or SWIFT. The cargo moves. The IRGC takes its cut.

This mechanism has been operating since the 2018 JCPOA withdrawal and US sanctions reimposition. The blockade does not eliminate it — it intensifies reliance on it because conventional oil payments have been disrupted. The crypto oil payment channel was always the backup. It is now primary.

Channel 3: Bitcoin Mining

Iran operates a significant Bitcoin mining industry. The Cambridge Centre for Alternative Finance estimated Iran at roughly 4-5% of global Bitcoin hashrate in early 2021, powered by subsidised domestic electricity that made Iranian mining profitable even when global competition was intense. After the 2021 crackdown on unlicensed mining during summer power shortages, later estimates put Iran's share far lower, so treat 4-5% as a historical peak rather than a current share.

The conflict has disrupted domestic electricity supply and increased energy costs inside Iran. But IRGC-controlled mining operations — using dedicated facilities with priority grid access — have continued. The BTC generated is held in wallets outside the sanctions architecture and liquidated through OTC markets in Turkey, UAE, and Southeast Asia.

Mining revenue is predictable and does not require a target or victim. It is the passive income component of the IRGC crypto portfolio. At current BTC prices and Iranian hashrate estimates, IRGC mining generates approximately $3-8 million per month, modest compared to ransomware but consistent. A sanity check on that figure: at 144 blocks a day and the 3.125 BTC block subsidy in effect since the April 2024 halving, the network issues roughly 13,500 BTC a month, so a 4.5% share would be about 600 BTC a month, far more than $3-8 million at any recent price. The monthly figure only holds for a share well under 1%, which is where post-2021 estimates put Iran; the 4-5% figure and the dollar figure cannot both describe the present, and the dollar figure read against a sub-1% share is the better current guide.

Channel 4: Dubai and UAE as the Off-Ramp

Dubai's crypto OTC market is the conversion point where IRGC-generated crypto becomes usable cash, gold, or tradeable commodities. UAE-based OTC desks — many registered as legitimate financial intermediaries — accept large crypto transactions and convert them to cash, wire transfers, or physical assets with minimal KYC scrutiny.

This is not a secret. The US Treasury and OFAC have sanctioned multiple UAE-based crypto intermediaries for facilitating IRGC transactions. But the OTC market in Dubai is large, fragmented, and difficult to fully surveil. New entities emerge as sanctioned ones are shut down.

The practical implication: any developer or company using UAE-based crypto services — exchanges, OTC desks, DeFi protocols with UAE liquidity — faces elevated sanctions compliance risk during the blockade period. OFAC secondary sanctions can reach non-US companies that knowingly facilitate transactions with sanctioned entities.

Channel 5: North Korea Collaboration and Technique Sharing

The IRGC and North Korea's Lazarus Group have a documented history of technique sharing on cyber operations. The Bybit exchange hack in February 2025, attributed to Lazarus Group, with approximately $1.5 billion in crypto stolen, demonstrated techniques that IRGC groups have been observed adapting within weeks of major Lazarus operations.

The collaboration is not a formal alliance. It is a shared interest in bypassing Western financial systems and a willingness to trade knowledge about cryptocurrency theft, mixing, and liquidation techniques. When Lazarus develops a new approach to draining DeFi protocols or compromising exchange hot wallets, IRGC groups acquire the technique through a combination of observed operations and direct communication through shared intermediaries.

The practical risk: IRGC crypto operations are more sophisticated than they were 12 months ago, specifically because of Lazarus technique proliferation.

What This Means for Developers and Security Teams

Elevated ransomware risk, not just theoretical: The economic pressure from the blockade is the specific trigger that historically precedes IRGC ransomware campaign intensification. If your infrastructure has unpatched Citrix, Fortinet SSL VPN, or Microsoft Exchange vulnerabilities, the window between "known vulnerable" and "exploited" is shortening.

The IRGC targeting profile during high-economic-pressure periods: healthcare (payment urgency), energy (critical infrastructure premium), financial services (data leverage), cloud providers and managed service providers (supply chain access). If your company is in these categories or provides services to them, treat April 13 onwards as elevated risk.

Specific patches to prioritise now (the CVEs in parentheses are the ones CISA's advisories on Iranian actors, AA20-259A in 2020, AA21-321A in 2021 and AA24-241A in 2024, document as initial access vectors; newer advisories for the same products deserve the same priority):

  • Citrix NetScaler ADC/Gateway (CVE-2019-19781, CVE-2023-3519)
  • Fortinet FortiOS SSL VPN (CVE-2018-13379)
  • Microsoft Exchange ProxyShell (CVE-2021-34473), plus ProxyLogon (CVE-2021-26855) and later variants
  • Ivanti Connect Secure (CVE-2024-21887)
  • Palo Alto PAN-OS GlobalProtect (CVE-2024-3400)
  • Check Point Security Gateways (CVE-2024-24919) and F5 BIG-IP (CVE-2022-1388), both also listed in AA24-241A
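The list above is only useful once it is crossed with what you actually run. Below is an added example (not the article's code, and not a CISA tool) of the triage a team would do with the KEV feed: parse a feed in CISA's JSON shape, match it against an asset inventory, and rank the unpatched hits by known ransomware use, internet exposure and whether the KEV due date has passed. The feed here is a constructed sample that copies the real field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) but its flags and due dates are illustrative; the hosts are hypothetical.

```python
import json

# Constructed feed: same field names as CISA's KEV JSON; the ransomware flags
# and due dates are illustrative, not copied from the live feed.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
     "dueDate": "2022-06-09", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dueDate": "2021-04-16", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
     "product": "Connect Secure and Policy Secure",
     "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-20198", "vendorProject": "Cisco", "product": "IOS XE",
     "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: hypothetical hosts, vendor/product strings as a CMDB
# export would hold them, plus the CVEs already confirmed patched on each.
INVENTORY = [
    {"host": "vpn-edge-1", "vendor": "Fortinet", "product": "FortiOS",
     "internet_exposed": True, "patched": set()},
    {"host": "ns-gw-1", "vendor": "Citrix", "product": "NetScaler Gateway",
     "internet_exposed": True, "patched": set()},
    {"host": "mail-1", "vendor": "Microsoft", "product": "Exchange Server",
     "internet_exposed": False, "patched": {"CVE-2021-26855"}},
    {"host": "ivanti-1", "vendor": "Ivanti", "product": "Connect Secure",
     "internet_exposed": True, "patched": set()},
    {"host": "core-sw-1", "vendor": "Cisco", "product": "IOS XE",
     "internet_exposed": False, "patched": set()},
]


def _matches(asset, vuln):
    """Vendor must match; product matches if either string contains the other,
    which handles KEV entries that cover several products under one name."""
    if asset["vendor"].lower() != vuln["vendorProject"].lower():
        return False
    a, v = asset["product"].lower(), vuln["product"].lower()
    return a in v or v in a


def prioritise(kev_json, inventory, as_of):
    """Return unpatched findings sorted by urgency. Score: +3 known ransomware
    use, +2 internet exposed, +1 past the KEV due date as of `as_of` (ISO date)."""
    vulns = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for vuln in vulns:
            if not _matches(asset, vuln) or vuln["cveID"] in asset["patched"]:
                continue
            ransomware = vuln.get("knownRansomwareCampaignUse") == "Known"
            overdue = vuln["dueDate"] < as_of          # ISO dates compare lexically
            score = 3 * ransomware + 2 * asset["internet_exposed"] + overdue
            findings.append({"host": asset["host"], "cve": vuln["cveID"],
                             "due": vuln["dueDate"], "ransomware": ransomware,
                             "exposed": asset["internet_exposed"], "score": score})
    findings.sort(key=lambda f: (-f["score"], f["due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in prioritise(KEV_JSON, INVENTORY, "2024-06-01"):
        print(f"{f['score']}  {f['host']:<12} {f['cve']:<16} due {f['due']}"
              f"{'  ransomware' if f['ransomware'] else ''}")
```

Against the sample data the three internet-facing VPN and gateway boxes come out on top with the same score and are broken by due date, the patched Exchange host produces no finding, and the internal Cisco switch sinks to the bottom. For real use, load the live feed from CISA's known_exploited_vulnerabilities.json and replace the substring product match with whatever identifier your CMDB keys on (CPE strings are the robust choice).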

Crypto compliance teams: If you operate a crypto exchange, OTC desk, or DeFi protocol with any UAE or Turkish liquidity providers, conduct a sanctions screening review now. OFAC is actively updating the SDN list with IRGC-adjacent crypto entities during the conflict. Secondary sanctions exposure is real.
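The screening that paragraph asks for, and the wallet chain described under Channel 1, both reduce to walking a transaction graph a bounded number of hops. Here is an added example of both directions (not the article's code and not any vendor's tooling): a backward hop-distance screen of a deposit against a designated-address list, as an OTC desk or exchange would run before crediting funds, and a forward trace from a ransom address to wherever the funds came to rest. The ledger, every address and the single designated address are constructed. It assumes transfers are already resolved into from/to rows; on a UTXO chain that resolution is itself the hard part (CoinJoin, change outputs and cross-chain swaps all defeat naive tracing), which is why the hop depth a desk screens to is a policy decision, not a technical one.

```python
from collections import defaultdict, deque

# Constructed ledger of resolved transfers (txid, from, to, amount in BTC).
# Every address and amount is hypothetical; a chain-analysis export would
# hand you rows like these with UTXOs already resolved.
LEDGER = [
    ("tx1", "addr_victim_corp",   "addr_ransom_payout", 50.0),
    ("tx2", "addr_ransom_payout", "addr_hop_a",         25.0),
    ("tx3", "addr_ransom_payout", "addr_hop_b",         25.0),
    ("tx4", "addr_hop_a",         "addr_hop_c",         25.0),
    ("tx5", "addr_hop_c",         "addr_otc_desk_dxb",  25.0),
    ("tx6", "addr_retail_user",   "addr_otc_desk_dxb",   5.0),
    ("tx7", "addr_hop_b",         "addr_cold_store",    25.0),
]

# Hypothetical designated address, standing in for an OFAC SDN
# "Digital Currency Address" entry.
SANCTIONED = {"addr_ransom_payout"}


def build_graph(ledger):
    """Adjacency in both directions: whom an address paid, and who paid it."""
    out_edges, in_edges = defaultdict(list), defaultdict(list)
    for txid, src, dst, amount in ledger:
        out_edges[src].append((dst, txid, amount))
        in_edges[dst].append((src, txid, amount))
    return out_edges, in_edges


def _bfs(adj, start, max_hops):
    """Breadth-first walk from `start`; returns {address: (hops, [txids on the path])}."""
    seen = {start: (0, [])}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        hops, path = seen[cur]
        if hops == max_hops:
            continue
        for nxt, txid, _amount in adj.get(cur, []):
            if nxt not in seen:
                seen[nxt] = (hops + 1, path + [txid])
                queue.append(nxt)
    return seen


def screen_counterparty(address, ledger, sanctioned, max_hops):
    """Backward screen run before accepting a deposit from `address`.
    Returns (hit, hops, path): hops is the distance to the nearest designated
    address upstream (0 if `address` itself is listed); path lists the txids
    from `address` back towards it. (False, None, []) means clean within max_hops."""
    if address in sanctioned:
        return True, 0, []
    _out, in_edges = build_graph(ledger)
    reach = _bfs(in_edges, address, max_hops)
    hits = [(hops, path) for addr, (hops, path) in reach.items() if addr in sanctioned]
    if not hits:
        return False, None, []
    hops, path = min(hits, key=lambda h: h[0])
    return True, hops, path


def trace_forward(address, ledger, max_hops):
    """Forward trace from a known ransom address: which addresses ended up
    holding the funds and how many hops away. Returns {terminal_address: hops}."""
    out_edges, _in = build_graph(ledger)
    reach = _bfs(out_edges, address, max_hops)
    return {addr: hops for addr, (hops, _path) in reach.items()
            if addr != address and not out_edges.get(addr)}


if __name__ == "__main__":
    print(screen_counterparty("addr_otc_desk_dxb", LEDGER, SANCTIONED, max_hops=3))
    print(screen_counterparty("addr_otc_desk_dxb", LEDGER, SANCTIONED, max_hops=2))
    print(trace_forward("addr_ransom_payout", LEDGER, max_hops=4))
```

The two screening calls make the policy point concrete: the desk's deposit address is three hops from the designated address, so a two-hop screen passes it and a three-hop screen flags it. The forward trace shows half the ransom parked in cold storage and half arriving at the desk, which is exactly the split a blockchain-analysis report would describe in prose.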

Smart contract developers: IRGC-linked groups have demonstrated interest in DeFi protocol vulnerabilities — not just exchange compromises. Flash loan attacks, price oracle manipulation, and smart contract drains are in the toolkit. Audit coverage for protocols with significant TVL is non-optional during this period.
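The attack class that paragraph names is easiest to see in numbers. The following is an added simulation (not the article's code, and not any real protocol) of a flash-loan price-oracle manipulation against a lending market, run once against a protocol that reads the spot price from a constant-product pool and once against the same protocol using a time-weighted average of earlier blocks. Pool reserves, the loan size and the collateral amount are hypothetical and chosen so the arithmetic is exact; the pool is fee-free and the flash loan has no fee, which only makes the attacker's side look slightly better than reality.

```python
class ConstantProductPool:
    """Fee-free x*y=k AMM holding COL (the collateral token) and USD (a stablecoin)."""

    def __init__(self, reserve_col, reserve_usd):
        self.reserve_col = float(reserve_col)
        self.reserve_usd = float(reserve_usd)
        self.k = self.reserve_col * self.reserve_usd

    def spot_price(self):
        """USD per COL read straight from the reserves: the manipulable quantity."""
        return self.reserve_usd / self.reserve_col

    def buy_col(self, usd_in):
        """Swap USD for COL; returns COL received. Pushes the spot price up."""
        new_usd = self.reserve_usd + usd_in
        new_col = self.k / new_usd
        col_out = self.reserve_col - new_col
        self.reserve_usd, self.reserve_col = new_usd, new_col
        return col_out

    def sell_col(self, col_in):
        """Swap COL for USD; returns USD received. Pushes the spot price back down."""
        new_col = self.reserve_col + col_in
        new_usd = self.k / new_col
        usd_out = self.reserve_usd - new_usd
        self.reserve_col, self.reserve_usd = new_col, new_usd
        return usd_out


class SpotOracle:
    """Weak oracle: reports whatever the pool reserves say right now."""
    def __init__(self, pool):
        self.pool = pool

    def price(self):
        return self.pool.spot_price()


class TwapOracle:
    """Hardened oracle: average of prices observed at the end of earlier blocks.
    A swap in the current block has not been observed yet, so it cannot move this."""
    def __init__(self, observations):
        self.observations = list(observations)

    def price(self):
        return sum(self.observations) / len(self.observations)


class LendingProtocol:
    """Lends USD against COL at a fixed loan-to-value, valuing COL via the oracle."""
    LTV = 0.5

    def __init__(self, oracle):
        self.oracle = oracle

    def max_borrow(self, collateral_col):
        return self.LTV * collateral_col * self.oracle.price()


def run_flash_loan_attack(oracle_kind, flash_loan_usd=1_000_000, collateral_col=100):
    """One-transaction attack: pump the pool, borrow against the inflated price,
    unwind the pump, repay the flash loan and walk away from the collateral."""
    pool = ConstantProductPool(1_000, 1_000_000)
    true_price = pool.spot_price()                      # 1000 USD/COL before the attack
    oracle = SpotOracle(pool) if oracle_kind == "spot" else TwapOracle([true_price] * 10)
    protocol = LendingProtocol(oracle)

    col_bought = pool.buy_col(flash_loan_usd)          # step 1: spot price jumps to 4000
    price_used = oracle.price()                        # what the protocol believes COL is worth
    borrowed = protocol.max_borrow(collateral_col)     # step 2: borrow against that belief
    usd_back = pool.sell_col(col_bought)               # step 3: unwind; price returns to 1000
    assert abs(usd_back - flash_loan_usd) < 1e-6       # fee-free pool hands back exactly the loan

    true_collateral_value = collateral_col * true_price
    return {
        "price_used": price_used,
        "borrowed": borrowed,
        "bad_debt": max(0.0, borrowed - true_collateral_value),   # what the protocol eats
        "attacker_profit": borrowed - true_collateral_value,      # keeps the loan, forfeits collateral
    }


if __name__ == "__main__":
    for kind in ("spot", "twap"):
        print(kind, run_flash_loan_attack(kind))
```

With the spot oracle the protocol values 100 COL at 400,000 USD, lends 200,000 against collateral really worth 100,000, and is left with 100,000 of bad debt; with the TWAP it lends 50,000 and the attacker would lose money by defaulting. A TWAP is not a complete fix (an attacker who can hold the price across several blocks, or a pool thin enough that the average itself is cheap to move, still gets through), which is why audited lending protocols combine a time-weighted or external price feed with borrow caps and liquidity-aware pricing.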

The Crypto-War Feedback Loop

The blockade cuts IRGC conventional revenue → IRGC intensifies crypto operations → Western targets face more ransomware and crypto theft → This generates IRGC hard currency → IRGC funds continued operations including anti-ship weapons, drone production, and cyber capability development → IRGC operations sustain the conflict → Conflict sustains the blockade.

This feedback loop means the crypto threat does not go away when the conflict ends — it may actually peak in the weeks immediately following any ceasefire, as the IRGC tries to rebuild reserves before a post-war settlement limits its operations.

The defence: patch the entry points (VPN, Exchange, Citrix), implement network segmentation to limit lateral movement, maintain offline backups that ransomware cannot reach, and run tabletop exercises for ransomware response before you need them under real incident conditions.

Key Takeaways

  • The IRGC has five crypto revenue channels: ransomware for hard currency, crypto oil payments bypassing dollar/yuan, Bitcoin mining with subsidised electricity, UAE OTC off-ramp conversion, and North Korea Lazarus Group technique sharing
  • Ransomware is now a primary, not supplemental, IRGC revenue source — the blockade cut conventional revenue; a single enterprise ransomware hit generates more than weeks of Hormuz toll income
  • Dubai is the off-ramp: UAE OTC desks convert IRGC crypto to cash; crypto companies using UAE liquidity providers face OFAC secondary sanctions exposure
  • The target profile during blockade periods: healthcare, energy, financial services, cloud MSPs — these face measurably elevated IRGC threat during economic pressure periods
  • Patch priority right now: Citrix NetScaler, Fortinet SSL VPN, Microsoft Exchange, Ivanti Connect Secure — these are the IRGC's primary entry points
  • The feedback loop: blockade → crypto escalation → hard currency for operations → sustained conflict → sustained blockade — the crypto threat outlasts any ceasefire by weeks

For the broader IRGC cyber threat picture, read Claude Mythos found your zero-days: what to patch now. For the economic pressure driving this escalation, read What the Hormuz blockade is doing to Iran's economy.

Frequently Asked Questions

How does Iran use cryptocurrency to bypass the Hormuz blockade?

Five mechanisms: (1) Ransomware against Western targets — payments in BTC/Monero generate hard currency outside the dollar system; (2) crypto payments for oil cargoes from buyers who cannot use yuan transactions; (3) Bitcoin mining using IRGC-controlled facilities with priority grid access; (4) UAE-based OTC desks that convert IRGC crypto to cash, gold, or commodities; (5) technique sharing with North Korea's Lazarus Group on exchange hacks and DeFi exploits. The blockade cuts conventional oil revenue but does not touch any of these channels.

Which industries face the highest IRGC ransomware risk during the blockade?

IRGC historical targeting profile during high-economic-pressure periods: healthcare (payment urgency and critical need for system restoration), energy sector OT/SCADA systems (leverage for larger demands), financial services (data exfiltration value), and cloud/managed service providers (supply chain access to multiple downstream targets). If your company operates in these categories or provides services to them, treat the period from April 13 onwards as elevated threat.

What vulnerabilities does the IRGC most commonly exploit for ransomware entry?

Documented entry points for Iranian state-aligned actors, per CISA advisories AA20-259A, AA21-321A and AA24-241A: Citrix NetScaler ADC/Gateway (CVE-2019-19781, CVE-2023-3519), Fortinet FortiOS SSL VPN (CVE-2018-13379), Microsoft Exchange ProxyShell (CVE-2021-34473) alongside ProxyLogon, Ivanti Connect Secure (CVE-2024-21887), Palo Alto PAN-OS GlobalProtect (CVE-2024-3400), Check Point gateways (CVE-2024-24919) and F5 BIG-IP (CVE-2022-1388). These are the patches to prioritise during the blockade period. Unpatched internet-facing VPN and remote access infrastructure is the most common initial access vector.

How does the UAE facilitate IRGC cryptocurrency operations?

Dubai's crypto OTC market converts IRGC-generated cryptocurrency (ransomware proceeds, mining revenue, crypto oil payments) to cash, wire transfers, gold, or physical assets. Many UAE OTC desks operate with minimal KYC scrutiny. OFAC has sanctioned multiple UAE-based crypto intermediaries for facilitating IRGC transactions, but new entities emerge as old ones are shut down. Crypto companies using UAE or Turkish liquidity providers face OFAC secondary sanctions exposure — a sanctions screening review is warranted during the blockade period.

Does the crypto threat decrease when the Iran ceasefire is restored?

No — it may peak after a ceasefire. The IRGC uses the period immediately following a ceasefire to rebuild crypto reserves before post-war settlement terms limit its operations. The feedback loop persists: any economic pressure period builds IRGC crypto infrastructure and skills that carry over into the next period. Security posture improvements made during the conflict (patching, segmentation, offline backups) should be maintained permanently, not unwound when oil prices normalise.


Written by Abhishek Gautam, a software engineer based in Delhi, India, who writes about AI models, semiconductor supply chains, and tech geopolitics.