INSIGHTS
Terror Financing
Binance Terror Financing Lawsuit: On-Chain Evidence & Crypto Analysis | Nominis
Terror Financing

Binance Terror Financing Lawsuit: On-Chain Evidence & Crypto Analysis | Nominis

5-Minute Read
Dec 23, 2025
Example H2
Example H3
Example H4
Example H5
Example H6
Share Article

The Binance Lawsuit 

In November 2025, 306 families of Americans killed or injured as a result of the October 7, 2023 attacks on southern Israel filed a lawsuit in federal court in North Dakota against Binance, the world’s largest cryptocurrency exchange, asserting that it knowingly facilitated terrorist financing by allowing wallets connected to Hamas, Hezbollah and Iran’s IRGC. The complaint alleges that it allowed these terrorist organizations to operate freely on its platform despite various government sanctions, seizure orders and public exposure of crypto wallets affiliated with these organizations. The lawsuit, Balva v. Binance, argues that Binance not only failed to prevent designated entities from transacting, but actively enabled the continued flow of funds into the terrorist organizations’ operational ecosystems responsible for large-scale violence, including the events underlying the case itself. 

In this report, we examine on-chain activity, supplemented by the NOMINIS terror-financing database powered by a range of sources, to explore the allegations in the lawsuit.

Using blockchain forensics and cluster analysis, we map wallet-to-wallet flow, counterparty exposure, activity patterns, and post-designation behaviour; assessing whether value continued to move through Binance even after wallets were formally linked to terrorist financing.

Alongside this technical evidence, we also outline precisely what Binance is accused of, and demonstrate how the activity we observe aligns with existing intelligence on how terrorist organisations utilise cryptocurrency to transfer, store and distribute capital. 

The report is structured with the goal to provide context for the lawsuit, followed by supplementary evidence that could reinforce some of the allegations brought against Binance. First, the context surrounding terror financing and the relationship between cryptocurrency and terrorist financial infrastructure is explained, along with an explanation of efforts made by authorities to seize and prevent terror financing via digital assets. Then, the key allegations in the lawsuit against Binance are outlined. The report then moves on to our investigation, presenting wallets associated with Hamas, Hezbollah, and the IRGC, highlighting behavioural proximity, flow volume, and continued operational activity, using Binance as a facilitator. 

The final section draws the findings together, assessing how these mechanisms may reflect systematic failings and offering evidence-based insight into the practical scale of damage enabled through non-compliant blockchain entities. 

Total Exposure to Designated Wallets

Before we dive into the details, it is paramount to check the large numbers in order to assess the exposure. As part of the research NOMINIS conducted a complete exposure check to Binance wallets that interacted with designated entities, based on our analysis over 10,000 Binance deposit addresses had previously received funds from wallets that were linked to terror financing.

Examining the top 100 Binance’ deposit addresses that received funds from wallets linked to terror financing reveal over $500,000,000 of deposits in over 8,000 transactions.

Those examples include funds that were sent directly from wallets that linked to Buy Cash, Hezbollah, IRGC and other FTOs.

Part 1: The context of Balva v Binance 

Terror Financing 

Terror Financing refers to the collection, movement, or concealment of funds, or economic resources, intended to support terrorist groups or terrorist acts. It spans a wide array of mechanisms: direct donations (formal or informal charities), criminal proceeds (drug trafficking, fraud, counterfeiting) trade-based schemes, ‘hawala’ (an informal, trust-based money transfer system existing outside formal, regulated financial infrastructure), and other informal value transfer systems. Increasingly, digital channels such as cryptocurrency and stablecoins have become an attractive option for terror financiers. Terrorists buy weapons or logistical materials, pay operatives, or sustain organisational overhead and propaganda via digital assets. However, the role of crypto has been underappreciated or insufficiently recognised by leading blockchain analytics firms thus far. According to our data, publicly available estimates of the role of crypto in terror financing severely underestimate the true magnitude of crypto’s role. 

The reliance of digital assets in terror financing has actually become so significant that not only the purchase of weapons is done via cryptocurrency, but the selling of these items too.  For example, the IRGC has expanded to the sale of weapons, openly online, via a website where cryptocurrency is advertised as a viable payment source. This can be seen in the screenshots. 

 Globalisation of Terror Financing 

Cryptocurrencies offer several attractive properties to transnational terror networks: 24/7 global settlement, pseudonymous on-chain trails (harder to link directly to identities without off-chain data), low fees on some networks like TRON, and the ability to use intermediaries and mixing services to obscure origins and destinations. Law enforcement and blockchain analytics have documented adversaries shifting from on-chain Bitcoin donations, towards faster, cheaper tokens and stablecoins (USDT/ Tether on Tron has frequently been cited) because they reduce transactional friction and can be moved quickly across borders. Recent operational reporting and seizures show that groups aligned with, or sponsored by Iran (IRGC-Quds Force), Hamas, Hezbollah and Palestinian Islamic Jihad have used crypto channels to receive and move substantial sums over time. 

In fact, our research has uncovered thousands of wallets linked to terrorism that moved significant amounts. In some clusters, hundreds of millions of dollars in stablecoins and other tokens were moved by sanctioned individuals. 

While many assume crypto is only a marginal tool in terror financing, these findings suggest that the scale is broader and more structured than commonly believed. Funds often move through networks that span jurisdictions, asset types and intermediaries, exploiting regulatory fragmentation to avoid detection. Crypto flows rarely exist in isolation: they typically sit within larger financial ecosystems that are international or even intercontinental. 

The Reach beyond the M.E.

State-level and transnational links enable global reach. Iran’s IRGC and its affiliates are described in the lawsuit as central nodes (Balva v Binance complaint, p.97) that funnel money and material to proxies across Africa, Asia, Europe and the Americas. That operational route creates pathways between the ME and distant jurisdictions, for example, documented cooperation or exploitation of the permissive environments in parts of South America, notably Venezuela (Balva v Binance, p.64), where criminal/ terror networks, shadow finance, and weak anti-money laundering and counter terror financing controls are taken advantage of, to launder, move or shelter assets. Beyond theory, policy and investigative reporting have traced a long-standing criminal terror linked between IRGC-QF, Hezbollah  and Hamas- aligned networks and elements in Venezuela and the region.

To ‘Sanction a Wallet’: The consequences of Terror Financing and Prevention Tools 

Terror financing enables designated groups to expand, sustain, and create propaganda for their cause. The finances naturally provide a logistical, material and operational backbone for violent campaigns, enabling terror organizations to procure weapons and explosives, and cause widespread damage via communications, support networks and logistics. In effect, money is not only an enabler but a multiplier. The more reliable and fluid the funding stream, the boarder and more persistent the organisation’s reach can be. 

When authorities detect or suspect that a wallet (or series of wallets) is associated with illicit or terrorism-related activity, one of the most effective tools is to designate, or seize/block the wallet. 

In this context, government Financial Intelligence Units or FIUs designate crypto wallets by formally designating a specific cryptocurrency address, or series of addresses, as blocked property under its domestic sanctions or CTF (Counter Terror Financing) framework. This designation prohibits people or entities under that jurisdiction’s legal or regulatory authority from conducting any transactions with the wallet. For example, in the United States, the Office of Foreign Assets Control (OFAC) maintains the SDN (Specially Designated Nationals) List. Under OFAC regulations, once a wallet address is added to the SDN List, US citizens are generally prohibited from dealing or involving themselves with the address. 

While government designations do not erase or technically ‘delete’ funds from the blockchain, which, by design must remain immutable, they create a legal barrier around the wallet, making it effectively inaccessible for legitimate, compliant financial services providers. In practice, enforcement often relies on intermediaries: exchanges, custodian wallet providers, or stablecoin issuers that can freeze or blacklist the wallet, or refuse to process transactions involving it. This is especially effective when the wallet interacts with regulated services, moving digital funds ‘on-’ or ‘off-ramp’. Where funds remain in a non-custodial wallet, so it is under the sole control of a private key holder, a government designation does not automatically revoke access. In this case, the funds remain technically under the control of the individual who holds the private key to the sanctioned wallet. 

Sanctions through government designations serve two complimentary purposes:

  1. Legal isolation: prohibiting sanctioned wallets from interacting with the regulated financial ecosystem,
  2. Practical disruption: limiting or cutting off their ability to cash out, distribute, or further move assets through regulated channels. 

Their effectiveness depends heavily on coordinated compliance: from exchanges, custodial services, token issuers, and regulatory authorities. 

Designating or sanctioning a wallet does not destroy the funds within the wallet, but transforms the wallet into a legally blocked entity, greatly reducing its utility for illicit actors and raising the risk and cost of further transactions. 

However, effectiveness of sanctions depends heavily on detection, and detection is far from comprehensive. Our data suggests that many terror-linked wallets operate undetected for extended periods, even while interacting with regulated platforms. 

Balva v Binance 

Who is Binance?

Binance is widely regarded as the largest cryptocurrency exchange globally. In practical terms, centralised exchanges (CEXs) like Binance function as on- and off- ramps between fiat currencies and crypto, offer custody for user assets, and provide liquidity and the ability to convert one token into another, or into fiat. They also support deposit and withdrawal services and internal transfers, often across jurisdictions. 

Terrorist actors or their facilitators most frequently exploit exchanges such as Binance, in two ways: 

  • On-ramp / off-ramp mechanism: Illicit or donated fiat (or other currencies/ assets can be converted into crypto, or vice versa, enabling the movement of value into or out of the crypto ecosystem. 
  • Aggregation, laundering and redistribution: Small donations or fragmented proceeds can be aggregated, mixed, converted, transferred and ultimately withdrawn, possibly in different jurisdictions, especially where KYT (Know Your Transaction) or KYC (Know Your Customer) controls are weak and can be easily circumvented. 

In Balva v Binance, plaintiffs allege that Binance ‘knowingly and systematically’ provided these functionalities to terrorist organisations (Hamas, Hezbollah, PIJ, IRGC affiliates), facilitating their receipt, distribution, and concealment of funds despite public reporting and repeated warnings. Not only this, but ‘actively tried to shield its Hamas customers and their funds from scrutiny by US regulators’. (Balva v Binance, p.4)

Who is NBCTF?

To understand the lawsuit, it is important to understand those in the position of responsibility for prevention and counter- terror financing in crypto. The regulation and enforcement of sanctions and anti-terror financing in the digital asset space fall under FIUs such as OFAC in the United States. OFAC’s guidance, most recently codified in its Sanctions Compliance Guide, makes clear that sanctions obligations apply equally to virtual-currency transactions as to fiat transactions. Entities in the crypto space, such as exchanges, wallet providers, administrators and miners, are all required to ensure that they do not facilitate transactions involving sanctioned persons or jurisdictions. Outside of the US, other country-level authorities with a mandate similar to, or sometimes cooperating with OFAC, may also designate wallets, block or freeze digital asset holdings, or issue administrative seizure orders. In Israel, for example, agencies such as the National Bureau for Counter Terror Financing (NBCTF) have authority under domestic law to designate and freeze wallets, linked to designated terrorist entities coordinating with internal counterparts where appropriate. 

The Lawsuit 

The Balva v Binance lawsuit, filed in a U.S. federal court by a group of 306 American plaintiffs, who are victims and families of victims of the October 7th 2025 attack on Israel, alleges that Binance and certain of its principals, including recently freed Changpeng Zhao or “CZ”, founder of Binance, knowingly provided material support to terrorist organisations by facilitating crypto transfers for them. 

The lawsuit states that Binance continued to process transactions involving wallets linked to Hamas, Hezbollah, PIJ, IRGC and other designated terrorist groups, despite repeated internal warnings and public reporting (Belva v Binance, p.4). 

Specifically, the lawsuit outlines Binance’s failures to follow compliance and AML/CTF (anti-money laundering / counter terror financing) controls. The internal compliance officers reportedly treated known terrorist-linked transactions as ‘small sums’ dismissing their significance. A number of other accusations against Binance brought forward by the 306 American plaintiffs are as follows: 

Binance structured its compliance functions in order to facilitate money laundering, sanctions evasion, and terror financing, in an attempt to evade regulatory oversight.

Specifically, attempts were made by the key stakeholders at Binance to create a system in which regulations could be evaded. ‘Zhao and his confederates set up an amorphous, decentralized structure designed to avoid regulatory scrutiny, protect the anonymity of its customers, and preserve Binance’s appeal as a safe haven for global money laundering’ (Balva v Binance, p. 27). 

Binance employees were encouraged to intentionally circumvent the processes of KYC (Know Your Customer), despite Binance’s effort to appear as if they were complying with Anti-Money Laundering and Counter Terror Financing frameworks, in which KYC is required (Balva v Binance pgs.42-44).  

Binance used ‘pooled wallets’ and weak compliance controls to allow illicit transfers. 

The lawsuit noted that its architecture, including wallet structures, off-chain networks, and omnibus accounts, allowed users tied to sanctioned or terrorist entities to move funds with minimal oversight. (Balva v Binance, p.12) 

Binance knowingly provided services to sanctioned countries and entities, as well as Terrorist Organizations

The lawsuit asserts that Binance knowingly provided financial services to sanctioned countries and entities, as well as U.S. designated terrorist organizations. The sanctioned countries included Iran and the designated terrorist organizations included Iran’s IRGC. Internal communications cited in the complaint indicate that Binance compliance staff were aware that they were servicing users from sanctioned regions ‘non-publicly’, suggesting ‘Binance knew it was violating US laws, including counter terrorism laws designed to prevent Iran from financing terrorist groups’ (Balva v Binance, p.58.) Iran, alongside Qatar, is undoubtedly one of Hamas’s largest benefactors as well as the largest financial backer of Hezbollah and PIJ. The plaintiffs allege that Binance aided and abetted their acts of terrorism by ‘knowingly and willingly assisting’ them in moving and concealing their assets. (Balva v Binance, p.8). 

According to the plaintiffs, the scale of illicit activity was not isolated or incidental. They argue that it was sustained, long-running, and continued even after the October 7th attack. Balva v Binance asserts that between 2019 and the October 7th attack, ‘Binance knowingly facilitated the equivalent of more than $700 million in transactions for these FTOs’ [Foreign Terrorist Organisations] such as Hamas, Hezbollah, and the PIJ, groups deemed the ‘Axis of Resistance’ by Iran. Since the attack, Binance 'also knowingly facilitated the equivalent of more than $50 million’ for Hamas, the IRGC, Hezbollah and the PIJ on public blockchains (Balva v Binance, p.11). 

With these allegations forming the backdrop, the next stage of this report examines on-chain evidence. To evaluate the extent and structure of the funds allegedly routed through Binance, we conducted an independent investigation using the transaction monitoring platform, NOMINIS Vue, focusing on wallets that exhibit transactional proximity to designated terror-linked entities. 

Part 2: Assessment of Balva v Binance Allegations provided by NOMINIS Vue 

This investigation examines cryptocurrency wallets that have engaged in transactions with, or shown behavioural proximity to sanctioned terrorist-linked entities, specifically Hezbollah, Hamas-affiliated operators such as Buy Cash, and Iran’s IRGC network. Using blockchain forensics and a combination of sources to inform our database, we mapped inflow and outflow activity, time-stamped transfers, counterparties, and cross-entity exposure to identify transactional clusters operations across the Middle East, and in some instances, South America. NOMINIS conducted a detailed review of several wallets with transactional links to designated wallets. Notably, some of these wallets remain active today. 

Our approach involved clustering and wallet attribution based on blockchain heuristics, off-chain information, common withdrawal/deposit patterns, as well as other, proprietary methodology. Efforts also included time-zone behaviour modelling, used to differentiate LATAM-hour wallets (based in South America) and MENA-hour wallets (based in the Middle East), and risk-identity propagations, tracking indirect exposure of designated wallets to still-active addresses.

Overview of our Findings 

Our investigation identified more than 8,000 deposit addresses on the Binance platform that interacted with wallets that were later designated by OFAC or Israel’s NBCTF. A significant proportion of these accounts are still active, receiving and transferring funds despite associations with sanctioned entities. This persistence demonstrates a gap between government designations and enforcement, as well as the role of blockchain entities, such as Binance, in continuing to be used by terror-linked networks to move value even after exposure of counterparty links to terror financing. 

The following wallets investigated have relationships with Hamas, Hezbollah, or the IRGC itself. This methodology allowed us to trace transactional proximity across networks, identify shared liquidity corridors, and surface exchanges of value between groups that would otherwise appear unconnected. 

Binance Wallets Associated with Hamas

Our first cluster focuses on Buy Cash, the Hamas-linked exchange house designated by the United States whose wallets and extended financial infrastructure  emerged as a central node in this ecosystem. 

Our analysis identified several wallet clusters that displayed sustained interaction with entities associated directly or indirectly with Hamas. These wallets did not operate in isolation, but rather, sat within broader transactional networks involving Hezbollah, Iran-linked actors, and OTC desks with prior exposure to terror financing. Among these wallets, a subset stands out due to the scale of inflow volume, the persistence of activity after designation, and their proximity to Buy Cash. 

Spotlight on Wallet TVB

One of the most critical examples identified in our review is Wallet TVB. Wallet TVB received ~$23 million during 2022. More than 20% of those inflows originated from wallets later blocked by the NBCTF, due to confirmed associations with Hezbollah, Buy Cash and the Palestinian Islamic Jihad (PIJ). We identified over 35 direct transfers from designated wallets into this address. While Hezbollah and the PIJ are designated terror groups, hence their designation on the sanctions list, the sanctioning of Buy Cash is not immediately clear. 

While Buy Cash appears to be a regular cash-for-crypto service, further investigation suggests that the service is not only used by Hamas, but is run by Hamas. 

This raises the question of whether Buy Cash functioned purely as a marketplace, or as an operational finance channel for Hamas. 

The role of Buy Cash 

This conclusion is reinforced by historical seizures. In June 2021, Israel’s NBCTF seized a number of virtual currency wallets in connection to a Hamas fundraising campaign, some of which were linked to Hamas’s so-called military wing, the Izz al-Din Qassam Brigades. One of the seized wallet addresses belongs to Buy Cash Money and Money Transfer Company (Buy Cash), a Gaza-based business that provides money transfer and virtual currency exchange services, including Bitcoin. 

In addition to involvement in Hamas fundraising, Buy Cash has also been used to transfer funds by affiliates in other terrorist groups. In September 2019, Buy Cash’s Bitcoin wallet 

19D1iGzDr7FyAdiy3ZZdxMd6ttHj1kj6WW received a Bitcoin transfer equivalent to over $2,000.

The transfer was facilitated by a Türkiye-based money services business operator and al-Qa’ida affiliate. Additionally, in 2017 a Buy Cash account was registered by individuals involved in payment for procurement of large quantities of online infrastructure on behalf of the Islamic State of Iraq and Syria (ISIS). Ahmed M. M. Alaqad (Alaqad), who is based in Gaza, registered Buy Cash’s domain in July 2015. Alaqad has acted as Buy Cash’s representative and is the owner of Buy Cash financial exchange.

In July 2025, a new forfeiture was published regarding Buy Cash Tron wallets. Examining one of the wallets reveals over $30m of transfers to Binance deposit addresses during 2021-2023. 

The wallet heavily interacted with wallets that are linked to Hezbollah, other BuyCash wallets, Unnamed Services that are involved with terror financing and wallets that linked to the IRGC’s terror financing network.

Further examination of the outflows from Buy Cash wallets reveals multiple deposit addresses that are heavily connected to designated wallets; Wallet TLB and Wallet TN2

Wallet TLB, one of the most significant among them, received over $72 million between 2022 and 2023. More than 81% from wallets that linked to Buy Cash, and additional 10% from wallets that linked to Gaza and services that are connected to terror financing activities.

Meanwhile, the second wallet, TN2 received $41 million between mid-2021 and mid-2022. Approximately a third of this amount originated from Hezbollah- and Hamas-associated wallets, with the remaining inflows sourced from unnamed OTC services previously tied to designated entities. 

Returning focus back to Wallet TVB… , while 20% of the flows in came from Hezbollah, Buy Cash and the PIJ, a further 25% of incoming funds appear linked to a service with strong operational and transactional ties to Iran, while the remaining flows came largely from unnamed OTC desks previously connected to terror financing activity and sanctioned entities.

While Hamas-linked networks form one branch of this ecosystem, a parallel structure emerges when analysing wallets tied to Hezbollah.

In essence, Buy Cash functions as a central financial conduit, moving funds across Hamas, Hezbollah, the IRGC and broader terror-linked networks through virtual asset channels, bridging actors, services and OTC desks across the region. 

Binance Wallets Associated with Hezbollah 

A second grouping of wallets we investigated displayed strong transaction alignment with Hezbollah funding structures. This includes Wallets TMM, TVS, TYN, TSq and TVU. 

Spotlight on Wallet TMM

This first wallet received $12m during 4 years of operation, ~28% from Hezbollah designated wallets, which were designated in May 2023 in this NBCTF Administrative Seizure Order

As you can see from the screenshot, Binance allowed this account to continue operating and receiving millions of USDT without freezing it, even after the terrorist designation of a large percentage of the counterparties sending cryptocurrency to the address. Because the deposit address continued to receive deposits, it can be determined that the wallet was not frozen. This is just one of hundreds of wallets that remained unfrozen despite the public identification of multiple counterparties as associated to terrorist organizations. 

Spotlight on Wallet TVS

This is an active wallet as of Nov 28, 2025.

The wallet received $1.6m in 3 years of operation , approximately 17% from wallets confirmed to be linked to Hezbollah, that were designated by NBCTF in May, 2023.

Once again, Binance allowed the account to continue operating.

Spotlight on Wallet TYN

This is an active wallet as of Oct 13, 2025.

The wallet received $28.5 million in 3 years of operation - 8% from wallets confirmed to be linked to Hezbollah, that were designated by NBCTF in May, 2023.

In addition, the wallet received funds directly from Ansar Allah (commonly known as the Houthis) and Dubai Exchange, both designated entities.

Ansar Allah was designated as a Foreign Terrorist Organisation by the US in 2025. They are closely aligned with Iran, and considered one of the IRGC’s proxies.

Dubai Exchange is a Gaza-based money exchange company that has been designated as a terrorist organisation by the NBCTF. The group has played a significant role in Hamas’ economic infrastructure, laundering and moving digital assets from oversees, to source the group’s activity in the West Bank and Gaza Strip. 

In this case again, Binance allowed the account to continue operating.

One of the most significant findings were two wallet that appears to operate at the intersection of Latin American narcotics trafficking and Hezbollah’s financial distribution network. While they were not mentioned in the lawsuit, these addresses are highly significant. 

Spotlight on Wallet TSq

Wallet TSq received over $125 million during 20 months of operation.

Based on the activity timeline, the wallet seems to be active during the time of Latin America (UTC-4).

As discussed earlier in this report, operational routes between Hezbollah and Central and South America have been structured, with documented cooperation between drug cartels and the Lebanon-based terror group. Central and South cartels generate enormous volumes of cash that require elaborate money laundering schemes to conceal their sources and facilitate their reinvestment in legitimate enterprises, such as businesses and real estate. Binance wallets such as Wallet TSq allow a cash-to-crypto transformation, where funds can be deposited and mixed, held or redistributed rapidly. 

This wallet received over $6.5m from Hezbollah and additional $1.5m from Buy Cash.

Examining the top senders of this wallet reveals a systematic pattern – multibillion dollars’ worth of financial activity with exposure to different illicit actors including Ansar Allah, IRGC, Hezbollah and Iranian exchanges. Additionally, some of the wallets interacting with Wallet TSq are active during business hours in Iran’s time zone while the rest are active during business hours in during western hemisphere time zones, suggesting cross-continent collaboration.

Spotlight on Wallet TVU 

Wallet TVU received over $31m, over 10% from Hezbollah linked wallets. The wallet is still active as of Nov 28, 2025.

The main sender to Wallet TVU is a wallet that is closely linked to the IRGC and made 100s of interactions with sanctioned entities that are linked to terror financing (over $25m in transfers to terror financing addresses).

Binance Wallets Associated with the IRGC 

Despite extensive global sanctions, evidence suggests that elements linked to the IRGC continued to access liquidity through Binance during key operational periods. Binance’s scale, high volume of retail flow, and previously limited KYC enforcement created an environment where sanctioned actors could transact with reduced friction and visibility. For the IRGC, Binance has acted as a gateway for dollar-adjacent liquidity, conversion networks, and downstream partners. 

Unlike the comparatively smaller and fragmented Hamas- and Hezbollah- linked flows, IRGC-associated wallets show a consolidated pattern of value aggregation, then redistribution across exchanges, including Binance. 

Spotlight on Wallet TLi

During 2023-2025 this deposit address received over $50m, more than 75% from wallets that were designated and flagged as IRGC wallets.

Conclusion 

This report takes no view of the legal merits of the Balva v. Binance lawsuit, but it does confirm several of the allegations in the complaint that describe the on-chain transactions into and originating from Binance accounts by Hamas-affiliated entities like BuyCash. More importantly, the findings presented in this report demonstrate, in measurable and activity-verified terms, how cryptocurrency wallets tied to Hamas, Hezbollah, and the IRGC continued to move value freely through Binance long after designations, seizure orders, and clear public identification of these wallets’ counterparties. Across more than 1,000 Binance-linked deposit addresses, many of which are still active, we identified sustained inflows, clustered behavioural patterns, cross-network interactions and systematic exposure between sanctioned terror financing wallets and one of the world’s largest digital asset exchanges.

This activity extends beyond what is detailed in the Balva case and raises serious ongoing concerns.

This activity is neither isolated nor incidental. It reflects a systematized financial infrastructure capable of operating at scale, executing liquidity conversion, cross-regional distribution, and intercontinental cash-to-crypto pathways. Wallets such as TSq, TVB, TLi make this reality visible: high inflow volume, repeat interaction with designated entities, multi-jurisdictional movement, and continued operational functionality despite direct links to Hamas fundraising channels, Hezbollah-aligned networks, and IRGC aggregation hubs.

Table reflects the highlighted wallets, amounts received and terror group associations / links

Across just the 9 highlighted Binance wallets featured in this report, ~$130million of the total $383.8 million funds received were illicit funds. This means approximately 30% of total funds received by these 9 wallets were from terror-linked origins. These nine Binance wallets, some of which associated with Hezbollah, Hamas or the IRGC are just a few of over a thousand Binance deposit addresses that interacted with wallets designated by OFAC or the NBCTF. This demonstrates how even a small sample of wallets can reveal significant exposure and risk.

Taken collectively, these findings provide practical, on-chain evidence that corresponds with core assertions presented in Balva v Binance. While the lawsuit alleges that Binance knowingly assisted digital asset movements linked to terror financing, our findings illustrate how such transaction flows occurred in practice, offering  observable transaction pathways, risk-exposure chains, timestamped transfers, and crypto asset balances still in circulation today.

However, this investigation goes beyond tracing wallet activity. It contextualises how cryptocurrency now fits within the broader architecture of terrorist financing. Hamas, Hezbollah and the IRGC do not rely on crypto in isolation; they blend it with hawala infrastructure, cash-based movement, criminal income streams, OTC channels and global liquidity brokers. Crypto is an accelerator of terrorist financing, flattening geography, lowering friction, reducing traceability, and enabling persistent financial autonomy even under heavy sanctions.

Our analysis confirms a mature ecosystem that:

  • spans the Middle East, Latin America and Iran-aligned regions
  • leverages Stablecoins and exchanges as conversion points
  • rapidly routes capital between actors with aligned operational interests
  • persists even after public government designations and legal intervention
  • frequently intersects with high-volume, Binance linked deposit addresses 

What emerges is a picture of terror finance evolving, not disappearing, under sanctions pressure. Crypto does not replace traditional channels; it fortifies them, extending their reach and survivability. Enforcement without exchange-level intervention is therefore insufficient. Sanctions only isolate wallets; they do not constrain them unless intermediaries choose to act.

The purpose of this report is to provide objective, measurable evidence that contributes to the ongoing discussion surrounding the allegations set forth in the Balva case. On-chain data cannot reveal Binance’s intent, but it can document transaction behaviours, their scale, flow and persistence. In doing so, our findings offer analytical insight into how illicit financial activity may continue to operate within digital ecosystems, and how this intersects with claims asserted in the current legal proceedings. 

The core conclusion is therefore evaluative, rather than interpretive: Terror-linked cryptocurrency activity remains active, transnational, and structurally resilient. This is in part due to blockchain entities that, for whatever reasons, have failed to prevent or mitigate the use of their platforms for terror financing. 

Disclaimer: All research content and accompanying reports are provided for informational purposes only and should not be relied upon as professional advice. Accessing these materials does not create any professional relationship or duty of care. Readers are encouraged to consult appropriately qualified professionals for guidance. We uphold the highest standards of accuracy in all the information we provide. For any questions or feedback, please contact us at contact@nominis.io

INSIGHTS

Related posts

View All
Terror Financing

Binance Terror Financing Lawsuit: On-Chain Evidence & Crypto Analysis | Nominis

An on-chain investigation into allegations that Binance facilitated terrorist financing, analysing crypto wallets linked to Hamas, Hezbollah and Iran’s IRGC using blockchain forensics.
Read more
Terror Financing

After the Bondi Beach Massacre: Investigating Terror Financing in Australia through Banks and Cryptocurrency

An investigation into how terror-linked networks may be leveraging Australian banks and cryptocurrency, exposing compliance risks in the wake of the Bondi Beach attack.
Read more
Terror Financing

Crypto Terror Financing Misconceptions: Understanding the True Scale

This article investigates the genuine scale of terror financing in crypto. Learn how Hamas, Hezbollah, Houthis, and IRGC-linked actors use digital assets, why public estimates are often misleading, and the real scale of crypto-based terror funding.
Read more