Ariomex, a cryptocurrency exchange platform operating in Iran, experienced a data leak that exposed thousands of records containing user identities, account activity, and transaction details spanning 2022 through 2025, cybersecurity firm Resecurity confirmed.

The compromised database includes extensive information about end users and their cryptocurrency operations, providing insight into transaction activity and account usage on the platform. Analysts conducted a structured examination of the leaked dataset, which contains 11,826 records detailing customer profiles, email addresses, IP addresses, device information, and associated crypto transactions.
The exposed information reveals multiple high-value cryptocurrency exchanges and requests for large deposits. In one intercepted communication contained in the database, an individual identified as Seyyed Younes Shokori Bilankouhi requested assistance depositing $3 million with support from the Iranian embassy. In another instance, a user named Ramin Lak sought to exchange $5 million through the platform.
The data also indicates that some users treated Ariomex as a long-term storage platform similar to a bank account. Records show that a user named Eyraj Jaafari repeatedly purchased digital assets valued at $100,000 but chose to delay cashing out the funds.
Security analysis identified numerous records with unusually large balances where customer identity verification procedures appeared incomplete or altered. Several transactions in the dataset involve cryptocurrency transfers exceeding millions of dollars.
The leaked records also provide evidence of Iranian cryptocurrency activity beyond the country’s borders. User activity and associated network data link accounts to several countries, including the United States, the United Kingdom, Germany, France, the Netherlands, Romania, Russia, Sweden, and Turkey.
Of the 11,826 records identified in the dataset, about 7,710 originate from Iran based on IP address analysis and related network intelligence.
One example from the dataset shows a request to exchange $19 million tied to the email address khazayizahra75@gmail.com, associated with a user identified as Zahra Khazaei. The record lists an Iranian IP address and device details indicating an Android 8.0.0 operating system using Chrome version 106.
Investigators discovered the Ariomex database circulating on dark web marketplaces. The breach likely originated from a compromised customer support or helpdesk system, which exposed internal data containing customer information and transaction details. Analysts reconstructed incomplete fields and applied translation and artificial intelligence tools to build comprehensive user profiles from the leaked material.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543