Ariomex, Iran-based crypto exchange, suffers data leak

Resecurity says Iran’s Ariomex crypto exchange suffered a data leak exposing user and transaction data from 2022 to 2025.

Resecurity (USA) reports that Ariomex’s database, one of Iran’s cryptocurrency exchange platforms, suffered a data leak. The report published by the cybersecurity company presents the findings of a structured analysis of the leaked database, which contains information about end users, their transactions, and the context surrounding their operations, covering the period from 2022 to 2025.

For example, in one of the intercepted communications, Resecurity identified an individual named Seyyed Younes Shokori Bilankouhi requesting to deposit 3 million USD “with the help of the Iranian embassy.” In another case, an individual named Ramin Lak wanted to exchange 5 million USD. Notably, some users used Ariomex as a “bank”—purchasing crypto and storing it there for future use, similar to a traditional bank account. For example, user Eyraj Jaafari bought digital assets worth 100,000 USD multiple times but preferred to “cash out later.”

The experts highlighted that some of the observed records with substantial balances lacked KYC, or the provided information was modified. Resecurity identified multiple suspicious transactions involving large amounts exceeding millions of USD in value.

Leaked customer records:

The data highlights the footprint of Iranian cryptocurrency holders in other geographies, including the US, the UK, Germany, France, the Netherlands, Romania, Russia, Sweden, Turkey, and many others. This intelligence could help block Iranian moneylenders and criminals from entering foreign markets.

A total of 11,826 records were identified, of which around 7,710 originate from Iran, based on IP address data and associated network intelligence. Ariomex data reveals substantial details about the user profiles, their identities, e-mails, IP addresses, and associated cryptocurrency operations.

Example:

• Asking to buy (exchange) $19 Million USD
• Email: [email protected]
• FirstName: Zahra
• Surname: Khazaei
• IP: 5.126.48.39
• OS: Android 8.0.0
• Browser: Chrome 106.0.0.0
• Country: Iran

Resecurity identified a stolen Ariomex database circulating on the Dark Web. The root cause of the breach was likely a compromised customer support (helpdesk), leading to the exposure of customer information. The company was able to reproduce missing fields, as well as to apply translation and AI to build profiles of each user with the associated information.

Notably, last year, another prominent cryptocurrency exchange platform in Iran, Nobitex, was hit by a major cyberattack that resulted in the destruction of approximately USD 90 million in digital assets.

Resecurity interprets Ariomex as a shadow financial institution aligned with the Iranian regime. The company emphasizes that disrupting the financial flows linked to the Iranian regime and taking control of crypto exchanges serving malign interests should be among the strategic priorities to identify threat actors and their activity.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ariomex)