Unknown Hackers Supporting Israel Swipe $90 Million from Iranian Crypto Platform Nobitex
In a shocking turn of events, a pro-Israeli hacker group known as Gonjeshke Darande, or Predatory Sparrow, has stolen approximately $90 million from Nobitex, Iran's largest cryptocurrency exchange. The cyberattack, which took place on June 18, 2025, targeted Nobitex's hot wallet and infrastructure.
Nobitex detected unauthorised access to its hot wallet, a portion of the exchange's cryptocurrency storage used for active trading, and multiple unauthorised transactions drained the funds over several operations. The hackers claimed responsibility for the attack on social media, accusing Nobitex of financing terrorism for the Iranian regime and helping evade international sanctions.
The stolen funds were sent to crypto addresses known as vanity addresses, which included anti-regime slogans such as variations of "F*ckIRGCterrorists" embedded in their public keys. These addresses were generated by brute force methods to include these political messages, implying a symbolic, politically motivated attack rather than theft for personal financial gain.
Because creating such vanity addresses with long text strings is computationally infeasible, the hackers almost certainly do not have the private keys to these addresses, meaning the stolen assets were effectively sent to inaccessible wallets. This action "burned" the funds, taking them out of circulation permanently and preventing recovery by the exchange or any other party.
In addition to the fund theft, the group also leaked Nobitex's entire source code and infrastructure documentation, revealing the inner workings of an exchange operating under heavy sanctions and surveillance. Nobitex's website and app became unavailable for an extended period following the attack.
Nobitex has assured users that the majority of their funds are stored in cold wallets, which are offline and less vulnerable to cyberattacks. The exchange also stated that all potential user losses will be fully covered through their insurance fund and internal reserves.
This incident reflects the ongoing cyber conflict between Israel-aligned groups and Iran, with the hack intended as a political statement against Iran's regime rather than a conventional financial theft. The hackers used politically charged usernames on the Tron network and EVM-compatible chains.
The stolen assets included $49.3 million on Tron, $24.3 million on EVM-compatible chains, $2 million in Bitcoin, and $6.7 million in Dogecoin. The breach did not affect all of Nobitex's funds, only a portion of the hot wallet.
The hacker group, Gonjeshke Darande or Predatory Sparrow, has threatened to release Nobitex's source code and internal information from their internal network. They have also warned of further attacks and stated that any assets that remain on Nobitex exchange after their deadline will be at risk.
The breach was confirmed by Nobitex in an official statement on the X platform. The exchange is taking measures to cover any potential losses resulting from the breach. This incident serves as a reminder of the importance of robust cybersecurity measures in the rapidly evolving world of cryptocurrency.
- The stolen cryptocurrencies from Nobitex's hot wallet, amounting to approximately $90 million, were sent to vanity addresses that included political messages, suggesting a cyberattack with a political motive rather than one aimed at personal financial gain.
- Apart from stealing cryptocurrencies, the hacker group, Gonjeshke Darande or Predatory Sparrow, leaked Nobitex's entire source code and infrastructure documentation, causing an extended period of unavailability of the exchange's website and app.
- Despite the breach, Nobitex has assured users that the majority of their funds are stored in cold wallets, which are less vulnerable to cyberattacks, and all potential user losses will be covered through insurance fund and internal reserves. However, the hacker group has threatened to release more internal information and warned of further attacks, suggesting the incident could have broader implications for the cryptocurrency sector.
