On June 18, 2025, Nobitex, the largest cryptocurrency exchange in Iran, suffered a significant cyberattack that resulted in the theft of over $90 million from its wallets. The attack, attributed to the pro-Israel hacker group Gonjeshke Darande, also known as Predatory Sparrow, escalated concerns regarding the security of Iran’s cryptocurrency infrastructure amidst growing geopolitical tensions.
Following the breach, Nobitex's website and mobile application became inaccessible, and the exchange suspended trading services and withdrew functionality to mitigate further losses. The breach exposed critical zero-day vulnerabilities that allowed attackers to bypass existing security measures.
The hackers exploited Nobitex's hot wallet, which holds the customer assets needed for day-to-day operations. The stolen funds were systematically transferred to hacker-controlled addresses across multiple blockchains, including TRON, Ethereum, and Bitcoin. Blockchain forensics revealed that the funds were effectively "burned": they were moved to vanity addresses with political slogans embedded, such as variations of "F*ckIRGCterrorists." The sophisticated methods used by the attackers, including computationally intensive brute-force techniques, suggest that the funds were rendered irretrievable, even by the hackers themselves. The hack appears to be politically motivated amid escalating Israel-Iran tensions. The group has also previously been linked to an attack on Iranian banks, which underscores its focus on disrupting Iranian financial institutions.
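Why a long readable address points to burned funds, as an added example that is not from the original article: for Bitcoin-style Base58Check addresses, a checksum-valid address can be built from any 20-byte value with no key pair behind it, while finding a key whose address matches n chosen characters takes about 58^n key generations. The all-zero hash and the rate of 10^9 keys per second are assumptions chosen for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is written as a literal '1'
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError for characters outside the alphabet
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def address_from_hash160(h160: bytes, version: int = 0) -> str:
    # No private or public key is involved: any 20 bytes give a valid address.
    payload = bytes([version]) + h160
    return b58encode(payload + _checksum(payload))

def is_checksum_valid(address: str) -> bool:
    # Validity only proves the address is well formed, not that anyone can spend from it.
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    return len(raw) == 25 and _checksum(raw[:21]) == raw[21:]

def expected_keygens(chosen_chars: int) -> int:
    # Each chosen Base58 character is matched with probability 1/58.
    return 58 ** chosen_chars

def years_to_match(chosen_chars: int, keys_per_second: float = 1e9) -> float:
    # keys_per_second is an assumed search rate, not a measured one.
    return expected_keygens(chosen_chars) / keys_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    addr = address_from_hash160(bytes(20))  # constructed: all-zero hash160
    print(addr, is_checksum_valid(addr))
    for n in (5, 10, 18):
        print(n, "chars:", f"{years_to_match(n):.3g}", "years at 1e9 keys/s")
```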
This incident followed closely on an earlier attack on Bank Sepah, a state-owned Iranian bank, further illustrating the group's politically motivated agenda.
Predatory Sparrow justified their actions by accusing Nobitex of financing terrorism and evading international sanctions. The implications of the cyberattack are profound, affecting over 10 million customers and severely undermining trust in Nobitex’s operations. Users faced disruption to their access to critical digital infrastructure, raising questions about long-term recovery and reimbursement strategies.
The hack highlights a new phase in cyberwarfare, as attacks against Iranian financial and military installations appear to have intensified following an escalation in the Israel-Iran conflict.
Amidst this precarious situation, the future of Nobitex and its clientele remains uncertain as investigations continue into the incident.