FinCEN Alert Spotlights Risk of Evasive IRGC Tactics

On May 11, 2026, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an Alert warning financial institutions about the Islamic Revolutionary Guard Corps’ (IRGC) use of facilitators such as front companies, exchange houses, shadow fleet vessels and digital assets to evade US sanctions by laundering proceeds of illicit oil sales that fund Iran’s weapons procurement and terrorist activity.

The Alert signals the Trump administration’s intent — consistent with its “maximum pressure campaign” on Iran — to hold companies and financial institutions accountable when they knowingly ignore or facilitate IRGC-linked activity. It emphasizes that the IRGC is a designated Foreign Terrorist Organization (FTO), underscoring the potential exposure not only under US sanctions laws, but also under criminal federal material support statutes for parties that knowingly facilitate IRGC-linked activity, the latter of which carry penalties up to and including life in prison. And the Alert’s treatment of oil smuggling signals the administration’s view that proceeds from Iranian oil sales directly benefit both the Government of Iran and the IRGC, funding weapons procurement, terrorism and Iran’s malign activities abroad — facts the DOJ and the FBI may use when opening criminal investigations under both US sanctions and federal material support to terrorism statutes.

To identify and combat the IRGC’s illicit evasion tactics, the Alert provides a detailed set of operational and transactional red flags relevant to four areas:

maritime oil smuggling and trade concealment tactics;
front companies and layered financial structures;
facilitators and third-party intermediaries; and
digital assets and stablecoin activity.

It also requests that all report such activity and reference the Alert in Suspicious Activity Reports (SARs) by including the key term “FIN-2026-Alert002” in SAR field 2 and the narrative section and selecting the terrorist financing designation in SAR field 33(a).

Below we provide more detail on each area of guidance, including with a visual representation of how the IRGC structures transactions to evade US laws, and discuss how stakeholders can best protect against unwittingly doing business with prohibited entities. In sum, the Alert reflects FinCEN’s expectation that financial institutions remain vigilant to not only detect Iranian counterparties but also the layered transactional activity, intermediary structures and digital asset activity that may obscure Iranian nexus or IRGC involvement.

1. Maritime Oil Smuggling and Trade Concealment Tactics

FinCEN describes how the IRGC generates revenue through the transport and sale of Iranian oil using a “shadow,” “ghost” or “dark” fleet of aging vessels that are often owned, managed or leased through front companies located outside Iran and operate outside the standard maritime practices, relying on deceptive shipping tactics designed to conceal any Iranian nexus.

The Alert discusses deceptive shipping tactics, including vessel renaming and reflagging, ship-to-ship transfers, AIS irregularities, manipulated ownership structures, falsified shipping documentation and the blending or relabeling of Iranian oil as originating from another jurisdiction, including “Malaysian blend” designations intended to conceal and disguise cargo origin and Iranian nexus. FinCEN also notes that much of this oil is ultimately sold to small independent “teapot” refineries in China.

FinCEN cautions financial institutions to look out for:

petroleum or shipping companies transacting with counterparties tied to Iran or vessels associated with the “shadow fleet”;
bills of lading, shipping invoices, or other trade documentation that omit consignees or otherwise appear manipulated to conceal Iranian nexus;
vessels that recently changed names, flags, ownership, or operators, particularly following sanctions designations; and
references to “Malaysian blend” oil, particularly where the vessel is bound for China or where there are AIS gaps and ship-to-ship transfers in geographic corridors of concern or without commercial need.

2. Front Companies and Layered Financial Structures

The Alert explains that the IRGC uses front companies, exchange houses and layered cross-border payment structures (known as “shadow banking”) to access the international financial system while obscuring Iranian involvement. Specifically, Iranian banks, exchange houses and affiliated “rahbar” companies establish entities in third-country jurisdictions and free trade zones to move funds and facilitate cross-border transactions outside Iran.

According to FinCEN, indicators of shadow banking include recently incorporated entities transacting in unusually large sums, often in round dollar payments at a rapid clip and transactions between companies in disparate lines of business. The Alert emphasizes that entities need not be formally owned by the IRGC to nevertheless function as part of broader sanctions evasion and financial facilitation networks.

FinCEN cautions financial institutions to look for:

customers receiving wire transfers with unclear, incomplete, or inconsistent source-of-funds information, particularly where the transfers involve exchange houses, intermediary companies, or jurisdictions associated with Iranian sanctions evasion activity;
general trading companies with opaque ownership, especially those registered in the UAE free trade zones or similar jurisdictions, with counterparties in places such as Singapore or Hong Kong and bank accounts in China, Hong Kong, Oman or the UAE;
Hong Kong registered companies using Chinese non-resident accounts, with little or no web presence, shared addresses with similar entities, recent incorporation, large round-dollar payments without explanation, or payments to UAE general trading companies or free trade zone intermediaries without a clear business purpose; and
customers routing transactions through multiple exchange houses or trading companies in a way that adds fees, costs, or complexity not consistent with ordinary commercial practice.

3. Facilitators and Third-Party Intermediaries

The Alert discusses the role of the vast web of facilitators such as brokers, logistics providers, money services businesses (MSBs), trust and company service providers, investment companies and shipping intermediaries in facilitating IRGC-linked activity. FinCEN notes that these networks often pose as legitimate services and may involve both knowing and unwitting participants.

The Alert also discusses the IRGC’s coordination with terrorist proxy and partner organizations such as Hizballah and Ansarallah, which maintain their own facilitation and financing networks.

4. Digital Assets and Stablecoin Activity

According to the Alert, digital assets play a large role in Iran’s broader sanctions evasion and shadow banking architecture, particularly the use of cryptocurrency-related payments tied to the recent toll on tanker passage through the Strait of Hormuz. The Alert also highlights the role of Iran-based digital asset service providers (DASPs), nested exchanges, peer-to-peer exchangers and stablecoin activity tied to Iranian actors and proxy groups. FinCEN explains how Iranian actors may exploit gaps in onboarding, geolocation and AML/CFT controls across the digital asset ecosystem to obscure Iranian nexus.

FinCEN specifically identifies stablecoins as a preferred mechanism because of their liquidity, relative stability and ease of settlement. The Alert notes that Iranian actors have engaged in stablecoin minting activity, movement between large stablecoin issuers and development of proprietary stablecoins, including USDZ, which FinCEN identifies as associated with OFAC-designated stablecoin issuer Zedxion.

FinCEN cautions financial institutions to look for:

companies operating in sectors with potential exposure to Iranian oil smuggling or sanctions evasion using digital assets in a manner inconsistent with ordinary business practices or to effect significant commercial payments;
customers located in jurisdictions associated with Iranian illicit finance activity receiving stablecoin payments that do not align with their stated business and are unsupported by adequate source of funds documentation;
customers, including purported foreign trust companies or other offshore entities, engaging in repeated stablecoin minting activity, frequent requests for increased transaction limits or activity inconsistent with their reported business;
digital asset activity that may be linked directly or indirectly to Iranian entities or Iran-based DASPs;
account activity suggesting activity from Iran, including Iranian IP addresses, Iranian phone numbers or email services, device settings consistent with Iran or use of VPNs, residential proxy services or Tor nodes in a manner suggesting attempts to circumvent geolocation; and
customer activity suggesting operation as an unregistered peer-to-peer exchanger, foreign-located MSBs, or nested exchange facilitating Iranian digital asset activity, including large volumes of offsetting transactions.

Below is an example of a chain of transactions orchestrated to subvert US laws. Users operating in this space should consider where their business activities intersect with the chain below to understand their exposure and to think about implementing targeted controls where the risk is most likely to materialize.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
algoliasearch-client-js	1 year	Necessary in order to optimize the web site's search-bar function . The cookie ensures accurate and fast search results.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	1 year, 11 months	Registers a unique ID that is used to generate statistical data on how the visitor uses the web site.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_#	1 year, 11 months	Used by Google Analytics to collect data on the number of times a user has visited the web site as well as dates for the first and most recent visit.
nmstat	1 year 1 month 4 days	This cookie is set by SiteImprove. This cookie is used for web analytics, the cookie contain a ID string about the session. The cookie records the visitor use of the website. This information is used to improve the site experience.The cookie doesnot contain any personal information.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	Tries to estimate the users' bandwidth on pages with integrated YouTube videos.
YSC		Youtube sets this cookie to track the views of embedded videos on Youtube pages.