How Binance accounts moved USD1 Billion to Iranian Entities

by Evidencity | AI Assisted | 100% Human Verified

Internal investigators at Binance had uncovered a shadow banking corridor. Over several months in 2024, they tracked nearly $1 billion in cryptocurrency flowing through two VIP accounts toward "Entity A," a network of seven digital wallet addresses that law enforcement officials identified as part of a financial channel between Hong Kong and Tehran, run by the designated Islamic Revolutionary Guard Corps (IRGC). The corridor enabled Chinese companies to quietly pay for Iranian oil, circumventing U.S. sanctions through layers of crypto transactions that conventional screening tools missed.

One account belonged to Hexa, a Hong Kong firm that moved $500 million in tether stablecoin despite registering with incomplete documentation that was flagged internally. The other was Blessed Trust, which claimed to process bitumen and construction materials, both sectors Binance knew participated in the illicit China-Iran oil trade. Both accounts carried VIP status, reducing trading fees and signaling institutional importance. More concerning is that both had executive connections. Internal Telegram chats showed Blessed Trust's representative identified as "Karry…friend of Rock," referring to "Rock" Davis, a Binance executive. A Binance VIP client manager later wrote, "Karry the big shot, haha. Boss Rock has mentioned you before."

The investigators flagged the activity that had generated 14 sanctions alerts on the Blessed Trust account alone. They briefed senior leadership, including CEO Richard Teng and Chief Compliance Officer Noah Perlman, in October 2024. The FBI and IRS made inquiries about Blessed Trust, with the IRS specifically citing money laundering concerns.

Then Binance made a choice. On November 13, 2024, the company suspended the lead investigator and the head of sanctions and counterterrorist financing investigations. Both were fired within weeks. When remaining team members told a Binance executive on November 24th that they would continue investigating Blessed Trust, they were locked out of the company's systems two days later. They were fired soon after and the accounts remained open.

The Visible Surface

Binance operates under a 2023 settlement with the U.S. Department of Justice that required the company enter a monitorship, later won by FRA, forcing an overhaul of its compliance system and ongoing independent monitoring. The exchange appointed a Chief Compliance Officer, built a sanctions and counterterrorist financing investigations team, and implemented automated screening tools designed to flag suspicious transactions. On paper, Binance had the infrastructure to detect and stop illicit financial flows.

Standard compliance screening looks at account registration data, transaction patterns, and matches against sanctions lists. When those systems work as designed, they generate alerts. Investigators review the alerts, escalate genuine threats, and freeze accounts when necessary. 

The system assumes leadership acts on credible findings. In this case, leadership acted, albeit incorrectly.

The Hidden Reality

The Binance investigators weren't relying on automated alerts alone. They were mapping networks.

When they traced funds flowing to Entity A, the IRGC-linked wallet network, they identified two accounts moving nearly $1 billion combined. The first was Hexa, the Hong Kong firm that submitted incomplete documentation during registration. The missing documentation was a red flag that was noted internally but overridden when the account received VIP status anyway. Hexa moved $500 million in tether stablecoin before investigators could build a complete picture of its beneficial ownership.

The second account presented a different problem. Blessed Trust, also Hong Kong-based, claimed to help clients convert traditional currency into cryptocurrency for cross-border payments. The company operated in bitumen and construction materials, sectors that Binance's own risk assessments identified as vehicles for the illicit China-Iran oil trade. Between 2024 and early 2025, Blessed Trust moved hundreds of millions of dollars toward Entity A.

But when investigators tried to examine the account more closely, they discovered it was labeled "internal" in Binance's systems. Access required special approval from Internal Audit, a department whose lead reports directly to CEO Richard Teng. Binance later claimed the label was a standard measure to preserve investigative integrity misapplied in this case by a junior employee.

The investigators found something else: the account had already attracted attention. The FBI had made inquiries about Blessed Trust without specifying why. The IRS had also contacted Binance, specifically citing money laundering concerns. Between those inquiries and early 2025, the account triggered 14 internal sanctions alerts. Most were closed by an automated system that found no illicit activity or determined they didn't meet escalation criteria.

Binance’s investigators disagreed. They briefed senior leadership in October 2024, presenting evidence of the connection between Blessed Trust, Entity A, and the IRGC shadow banking corridor. They explained how the network enabled Chinese buyers to pay for Iranian oil through cryptocurrency, layering transactions across jurisdictions to obscure the ultimate beneficiaries.

Leadership's response came on November 13, 2024, when the lead investigator and the head of sanctions and counterterrorist financing investigations were suspended and later fired within weeks. When the remaining team members informed a Binance executive on November 24 that they intended to continue investigating Blessed Trust, they were locked out of company systems two days later and fired soon after.

The accounts remained open. The network continued operating.

Why This Invisibility Creates Risk

The Binance case reveals a compliance structure that exists to satisfy regulators on paper while being systematically dismantled when it threatens commercial relationships. This creates cascading liability for every institution in the crypto ecosystem.

Under the 2023 US DOJ settlement, Binance operates under a compliance monitor with authority to review the company's adherence to anti-money-laundering and sanctions obligations. The company agreed to implement "effective" compliance controls and report suspicious activity. Firing investigators who uncovered $1 billion flowing to IRGC-linked networks, then keeping those accounts open, suggests the monitoring framework has failed to prevent the exact conduct it was designed to address.

For financial institutions, the exposure is immediate. Any bank processing fiat currency conversions for Binance clients, any payment processor enabling on-ramps to the exchange, and any custodian holding assets for Binance users faces secondary sanctions risk. U.S. Treasury regulations allow OFAC to designate foreign financial institutions that knowingly facilitate significant transactions with sanctioned Iranian entities. The Blessed Trust and Hexa accounts moved nearly $1 billion toward Entity A, a network law enforcement identified as IRGC-linked. That volume crosses any threshold for "significant."

The timing compounds the risk. In February 2025, President Trump ordered a "maximum pressure" campaign to deny Iran and its proxies access to cash. The Treasury has since expanded enforcement against the shadow fleet of tankers moving Iranian oil and the financial networks enabling payment. Crypto exchanges that facilitate those payments are explicit targets. Binance's decision to fire investigators rather than freeze accounts places the company directly in the enforcement crosshairs.

For corporate counsel and compliance officers, the lesson is clear: internal controls at counterparties cannot be trusted when those controls threaten revenue. Standard due diligence asks whether a crypto exchange has a compliance team. The correct question is whether that team has the authority to act when they find something, or whether they get fired for looking too closely.

Call to Awareness

This isn't a theoretical risk. Binance investigators submitted their findings to the company's internal criminal conduct committee, chaired by Chief Compliance Officer Noah Perlman, in accordance with the 2023 DOJ plea agreement requiring reports on suspicious transactions. The committee took the information to the Justice Department. Binance then removed Hexa as a client, claiming it managed the risk appropriately by offboarding the user and cooperating with law enforcement.

But Blessed Trust, the account that moved over $1 billion and triggered 14 sanctions alerts, remained active even after investigators were fired for continuing to pursue it. The network they uncovered continued operating. The shadow banking corridor between Hong Kong and Tehran stayed open.

For institutions conducting due diligence on crypto counterparties, the question is no longer whether compliance controls exist. The question is whether those controls can be overridden when they threaten commercial relationships with executive-linked accounts. Standard screening tools flag transactions after they occur. They cannot reveal the internal decision-making that keeps flagged accounts open or the retaliation structures that silence investigators who look too closely.

Evidencity's Illicit Network Intelligence maps the hidden relationships that connect VIP accounts to sanctioned entities, revealing the beneficial ownership and executive connections that internal compliance teams are prevented from investigating. Our RiskSolve offering allows an even deeper look into what happened and why it matters, but more importantly, what this means moving forward.

When internal controls fail by design, external visibility becomes the only defense against secondary sanctions exposure.

The Binance investigators found the network. They reported it. They were fired for it. The accounts stayed open. That sequence reveals everything corporate counsel needs to know about trust-based compliance in the crypto ecosystem.