The "Tehran Account": The Licensed Crypto Exchange Secretly Moving Sanctioned Billions

Описание: NexVault Exchange looked like a fully licensed U.S. crypto platform. Behind the facade it moved $4.2 billion for sanctioned Iran, ransomware crews, and darknet markets — until two federal threads collided.

CASE FILE 9007 — DESIGNATION: OPERATION PHANTOM LEDGER
SUBJECT: NEXVAULT EXCHANGE LLC — SANCTIONS EVASION, UNLICENSED MONEY TRANSMISSION, WIRE FRAUD, CONSPIRACY
ORIGINATING AGENCIES: U.S. DEPARTMENT OF THE TREASURY / OFFICE OF FOREIGN ASSETS CONTROL; FEDERAL BUREAU OF INVESTIGATION, CYBER DIVISION; FINANCIAL CRIMES ENFORCEMENT NETWORK
STATUS: ADJUDICATED. RECORDS PARTIALLY DECLASSIFIED UNDER FOIA REQUEST 2024-TREAS-00441.
CLASSIFICATION DOWNGRADE AUTHORITY: UNDERSECRETARY FOR TERRORISM AND FINANCIAL INTELLIGENCE, MAY 2024.

WHY THIS MATTERS

NexVault Exchange LLC held a real California money-transmitter license and a real FinCEN registration — and used both to process an estimated $4.2 billion over thirty-one months for a sanctioned Iranian financial institution, a ransomware group that had hit a U.S. hospital network, a seized darknet narcotics market, and wallets tied to North Korean state actors. This file reconstructs how the fraud was built and how it broke: the one-page OFAC referral that named only a wallet and a domain, the fourteen prior bank SARs nobody had connected, and the FBI blockchain analysis that beat seven-to-nineteen-hop nested wallet chains not by counting hops but by reading their timing. The case turned on two phrases the principals wrote down themselves — "the Tehran account" and the "discretion premium" — and on a compliance employee told to mark every red flag resolved. This is the federal procedure behind the headline, ending in a 6:15 AM arrest where one founder answered the door and the other was already on a flight to Zurich.

CHAPTERS

00:00 Case File 9007: the compliant facade
03:40 The one-page OFAC referral and wallet nexvault.io
07:30 FinCEN tracking FTC-2021-04-7882 and fourteen prior SARs
11:20 San Francisco field office and Operation Phantom Ledger
15:10 Nested wallets: the seven-to-nineteen hop chains
19:00 The timing fingerprint that exposed six clusters
23:00 Naumov, Hess, and "the Tehran account" emails
27:30 340,000 documents and the enhanced onboarding pathway
31:30 UC-1, the relationship manager, and the discretion premium
35:00 CW-1: the compliance officer told to reclassify the flag
38:30 March 14, 2023 — 6:15 AM arrest, one founder gone to Zurich
41:30 Seizure of $280M, the verdict, and the closed file

TOPICS COVERED

• How NexVault used a genuine California money-transmitter license and FinCEN MSB registration obtained through a fabricated compliance manual and fake third-party audit
• How FinCEN cross-referenced domain nexvault.io against fourteen prior bank Suspicious Activity Reports under tracking number FTC-2021-04-7882
• Nested wallet architecture explained: seven-to-nineteen intermediate hops between sanctioned origin and exchange deposit
• The coordinated-pulse timing signature that proved common operational control of six wallet clusters
• The "Tehran account" email and "tolerance calibration" that quietly disabled OFAC SDN sanctions screening
• Inside the undercover op: UC-1, the encrypted relationship manager, and the "discretion premium" recorded under a Title III order
• How cooperating witness CW-1 exposed the order to "reclassify the flag as resolved" instead of filing reports
• The March 14, 2023 takedown — Naumov arrested in the Sunset District, Hess fled to Zurich, nexvault.io dark at 6:47 AM
• Outcome: $280M crypto, $47M fiat, a Napa estate seized, a 14-year sentence, and $142M returned to retail users

SOURCES BEHIND THE NUMBERS

Dramatized from the declassified case record. Procedure references: U.S. Treasury OFAC SDN List (treasury.gov), FinCEN nested-wallet and MSB red-flag guidance (fincen.gov), DOJ Northern District of California indictments (justice.gov), and FBI Cyber Division crypto reporting (fbi.gov). Names, the "Operation Phantom Ledger" designation, and FOIA reference 2024-TREAS-00441 are illustrative composites.

#OperationPhantomLedger #SanctionsEvasion #CryptoCrime #FBICyber #FederalCaseFile