Iranian Crypto Exchange Nobitex Loses $81.7 Million in Geopolitically Charged Hack

On June 18, 2025, Nobitex, Iran’s largest cryptocurrency exchange, suffered a devastating cyberattack that resulted in the theft of approximately $81.7 million in digital assets. The breach, one of the most significant crypto exchange hacks of the year, targeted hot wallets across multiple blockchains, including Bitcoin, Tron, Dogecoin, and EVM-compatible chains. The pro-Israel hacker group Gonjeshke Darande, also known as Predatory Sparrow, claimed responsibility for the attack, framing it as a strategic strike against Iran’s alleged sanctions evasion and terrorism financing.
The hack was first uncovered by blockchain investigator ZachXBT, who flagged on Telegram suspicious outflows from Nobitex-linked wallets. His analysis revealed that attackers systematically drained funds over several hours, using the high-speed transaction capabilities of the Tron network to move assets rapidly. The stolen funds, including $49.3 million in Tether (USDT) on Tron, $24.3 million on EVM chains, $6.7 million in Dogecoin, and $2 million in Bitcoin, were transferred to provocative vanity addresses such as “TKFuckiRGCTerroristsNoBiTEXy2r7mNX” and “0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead”. These addresses, embedded with anti-terrorist messages, underscored the political motivations behind the attack. Nobitex has since suspended its website and app, leaving thousands of Iranian traders unable to access their funds.

Geopolitical Tensions and Security Failures
The attack’s geopolitical undertones became evident when Gonjeshke Darande issued a statement, accusing Nobitex of serving as a key tool for Iran’s regime to bypass international sanctions and finance terrorism. The group, believed to have ties to Israeli intelligence, claimed that employment at Nobitex is recognized as military service in Iran, emphasizing the exchange’s strategic importance. They further threatened to release Nobitex’s source code and internal data within 24 hours, warning users to withdraw assets to avoid further losses. This follows the group’s recent cyberattack on Iran’s state-owned Bank Sepah, suggesting a coordinated campaign against Iranian financial infrastructure amid escalating tensions between Israel and Iran.
Nobitex responded swiftly, confirming in a public statement that there had been unauthorized access to its hot wallets and reporting infrastructure. The exchange assured users that cold-stored funds remain secure and pledged to fully compensate losses through its insurance fund and internal reserves. However, the breach has raised serious questions about Nobitex’s cybersecurity measures, with experts suggesting that attackers likely exploited critical access control failures to infiltrate internal systems. Blockchain security firm Cyvers noted that the stolen funds appear to have been “burned permanently,” meaning recovery is unlikely unless stablecoin issuers reissue the assets.
For Iranian users, the breach is particularly devastating, as Nobitex serves as a critical platform for accessing foreign currencies in a sanctioned economy. The attack’s timing, following Israeli airstrikes on Iranian military facilities, underscores the role of cyber warfare in regional conflicts. As Nobitex continues its investigation, the crypto community awaits clarity on the full scope of the breach and its long-term impact on both the exchange and the broader market.