Nobitex

On June 18, 2025, Nobitex, Iran’s largest cryptocurrency exchange, was targeted in a cyberattack resulting in the theft of over $90 million in digital assets from its hot wallets. The pro-Israel hacking group Gonjeshke Darande (“Predatory Sparrow”) claimed responsibility, framing the attack as a politically motivated strike against Iranian digital infrastructure, accusing Nobitex of facilitating sanctions evasion and terrorism financing for the Islamic Revolutionary Guard Corps (IRGC). The stolen funds, spanning cryptocurrencies like Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, and Ton, were transferred to vanity addresses containing variations of the phrase “F*ckIRGCterrorists.” These addresses were generated through computationally infeasible brute-force methods, indicating the hackers lacked private key access, effectively “burning” the funds to send a political message rather than for financial gain. Nobitex confirmed the breach, noting unauthorized access to its hot wallet and reporting infrastructure, and suspended its website and app, which remained inaccessible. The group also threatened to leak Nobitex’s source code and internal data within 24 hours, escalating risks for the platform’s reported 7 million users. This attack followed a similar cyberattack by Predatory Sparrow on Iran’s state-owned Bank Sepah a day earlier, amid heightened Israel-Iran tensions following Israeli airstrikes on Tehran’s nuclear and military sites. Elliptic’s blockchain analysis linked Nobitex to IRGC operatives and sanctioned entities, including Hamas, Palestinian Islamic Jihad, and the Houthis, highlighting its role in Iran’s sanctions-evading crypto ecosystem.