On June 18, 2025, Nobitex – Iran’s largest cryptocurrency exchange – was breached in a high-profile hack that drained roughly $90 million in digital assets. Security analysts report that attackers emptied Nobitex hot wallets, moving cryptocurrencies such as Bitcoin, Ethereum, Dogecoin, XRP, and others into addresses emblazoned with anti-government slogans. Nobitex confirmed it detected “unauthorized access” to some hot wallets and immediately took its app and website offline for investigation. The stolen funds have since been held in “burner” addresses for which no private keys exist, effectively rendering them irretrievable. Blockchain forensics firm Elliptic noted that the attackers’ use of so-called vanity addresses (public keys containing phrases like “F*ckIRGCterrorists”) shows the hack was likely a political statement rather than a profit-driven theft.
How the Attack Occurred
Although full technical details have not been released, analysts say the Nobitex attack involved a breach of the platform’s internal systems and hot wallet infrastructure. Nobitex officials acknowledged that unauthorized actors gained access to part of its system, prompting the shutdown of online services. Blockchain security experts point to a failure in access controls as the likely root cause; in a media interview, a Cyvers security researcher explained that the exploit “stemmed from a critical failure in access controls, allowing attackers to infiltrate internal systems and drain hot wallets across multiple blockchains”. After the incident, Nobitex moved large sums of cryptocurrency from remaining online wallets into new cold-storage vaults to prevent further loss.
Suspected Hackers
The cyberattack was claimed by a group calling itself Gonjeshke Darande, Persian for “Predatory Sparrow.” This hacktivist crew – widely reported to have links to Israeli intelligence – announced on social media that it targeted Nobitex due to its alleged role in financing Iran’s military and sanction evasion. Gonjeshke Darande is known for past attacks on Iranian infrastructure: it struck the state-owned Bank Sepah just one day earlier and in previous years targeted gas stations and even a steel mill in Iran. While neither Iran nor Israel has officially claimed responsibility, many cybersecurity experts say the group’s methods and motives bear the hallmarks of a state-sponsored operation. A Sophos threat intelligence director observed that Predatory Sparrow’s activities “bear all the hallmarks of a false persona used by a government-sponsored group,” noting the strikes align closely with Israel’s strategic interests. In public statements, the group argued that Nobitex helps Iran “finance terror worldwide” and urged the exchange’s users to withdraw funds before more attacks.
Fate of the Stolen Funds
Blockchain monitors quickly traced the stolen crypto to a set of “burner” wallets created by the hackers. Because these addresses were generated in a way that leaves the attackers without the private keys, all $90 million in stolen cryptocurrency is effectively locked and unrecoverable. For example, Elliptic reported that the funds were sent to vanity addresses and “effectively burned … in order to send Nobitex a political message”. The hackers themselves later confirmed that eight burner addresses together “burned $90M” from Nobitex’s wallets. With the tokens gone, the only potential recourse would be if stablecoin issuers (like Tether) chose to re-mint the equivalent value, but no such recovery is guaranteed. In short, experts conclude that the exchange’s user assets were lost to the hackers’ message campaign rather than to a conventional financial heist.
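Why analysts can treat a long-slogan address as keyless, shown as an added example (not code from this article or from Elliptic): a Bitcoin-style P2PKH address only encodes a 20-byte hash plus a checksum, so a valid address can be assembled from chosen text without any key, while grinding a real key for the same readable prefix takes about 58^n attempts. The slogan, the filler character and the 80-bit feasibility cut-off are assumptions made for illustration.

```python
import hashlib, math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)          # ValueError on a non-Base58 character
    zeros = len(s) - len(s.lstrip("1"))     # each leading '1' encodes one 0x00 byte
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def is_valid_p2pkh(addr):
    """True if addr is well-formed Base58Check: version 0x00, 20-byte hash, checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0 and raw[21:] == checksum(raw[:21])

def keyless_address(slogan, filler="X"):
    """Constructed sample: take the 20 'hash' bytes from text, then fix the checksum.
    No key pair is generated, so spending would need a hash preimage."""
    for length in (34, 33):
        raw = b58decode(("1" + slogan).ljust(length, filler))
        if len(raw) == 25:
            return b58encode(raw[:21] + checksum(raw[:21]))
    raise ValueError("slogan does not fit a 20-byte hash")

def grind_bits(readable_chars):
    """log2 of expected key generations to brute-force a case-sensitive prefix."""
    return readable_chars * math.log2(58)

def likely_keyless(addr, readable_chars, feasible_bits=80):
    # feasible_bits is an assumed cut-off for this example, not an industry constant
    return is_valid_p2pkh(addr) and grind_bits(readable_chars) > feasible_bits

# Constructed slogan, not an address from the incident
SAMPLE = keyless_address("ExampLeBurnAddressNoKey")
```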
Nobitex’s Role in Iran’s Crypto Landscape
Nobitex has long been the dominant crypto platform in Iran. It claims over 7 million users domestically and routinely handles far more volume than any other Iranian exchange. Over the past year, Nobitex’s total crypto inflows exceeded $11 billion, compared to roughly $7.5 billion for the next ten largest Iranian exchanges combined. As Iran’s go-to gateway to global cryptocurrency markets, Nobitex is seen as a key tool for Iranians to move money across borders despite international sanctions. Open-source investigations have also linked the platform to Iran’s Revolutionary Guard Corps (IRGC) and other regime-affiliated entities. U.S. officials have warned that Nobitex is used to skirt sanctions; in 2024, Senators Elizabeth Warren and Angus King specifically cited the exchange in a letter expressing concern about crypto-enabled evasion. In short, Nobitex was not just a popular exchange for Iranian traders, but a government-favored channel for regime-related finance.
Impact on Iran’s Economy and Public Trust
The Nobitex hack sent shockwaves through Iran’s already fragile crypto ecosystem. Experts noted that stealing $90 million is especially significant given the relatively modest scale of Iran’s crypto market – it represents a substantial hit to confidence in digital finance options. Many Iranians turned to cryptocurrency to hedge against inflation and sanctions, but this breach may shake trust. The timing also amplified tensions: the attack occurred amid an escalated Israel-Iran confrontation, raising fears that geopolitical cyberwarfare could directly harm ordinary Iranian users. On the economic front, the hack’s $90 million loss (and disruption of Nobitex services) is a blow to any businesses relying on crypto for trade or remittances.
In response to the crisis, Iranian authorities moved quickly to tighten control. Within a day of the hack, the Central Bank of Iran ordered all domestic crypto exchanges to operate only between 10 a.m. and 8 p.m. local time, effectively instituting a nightly crypto curfew. Chainalysis analysts observe that this likely aims to make future incidents easier to monitor and “to manage systemic risk in a market” heavily used for sanction avoidance. The curfew echoes a previous measure from late 2024, when Tehran briefly shut down exchanges to prop up the falling rial. Meanwhile, Iran also saw a near-total internet blackout during this period (officially to maintain network stability), illustrating how the regime is prepared to restrict connectivity amid cyber threats.
Public reaction inside Iran has been mixed. Some commentators view the hack as a justified strike against illicit government financing, while others warn it endangers ordinary savers. Iranians who rely on crypto for daily business or savings are now on edge; many are wondering if exchange platforms can still be trusted. The exchange itself has pledged to reimburse any losses from its insurance fund and is working to secure user assets. Still, the incident has underscored both the vulnerability of online wallets and the political risks of cryptocurrency in Iran’s environment.
Lessons for Crypto Security
The Nobitex incident offers stark reminders for all cryptocurrency users about safeguarding digital assets, especially in high-risk or volatile environments. Experts advise the following best practices:
- Use cold storage for long-term holdings. Whenever possible, store the bulk of your cryptocurrency offline in a hardware or paper wallet. Cold (offline) wallets are not accessible via the internet and are far less vulnerable to hacking than online “hot” wallets. Treat hot exchange wallets as transient, keeping only small amounts on them for active trading. Once a transaction is complete, transfer the remaining funds back to cold storage.
- Enable strong authentication and encryption. Always use platforms and wallets that offer multi-factor authentication (2FA or biometric locks). Require a second verification step (such as a phone app or hardware key) whenever logging in or sending funds. Also, encrypt any devices or backup drives holding crypto keys. These measures add extra barriers against unauthorized access.
- Minimize exposure on exchanges. Keep only what you need for immediate use in any custodial exchange account. Large balances should not sit on an exchange longer than necessary. Following the Nobitex hack, remember that even major platforms can be compromised. Diversify holdings across wallets and exchanges to avoid a single point of failure.
- Beware of phishing and do due diligence. Hackers often exploit human error. Double-check URLs and email senders before entering login credentials. Use strong, unique passwords and never reuse them across sites. Do your own research on any exchange or wallet provider: read security reviews, verify official channels, and be cautious of platforms with opaque ownership or ties to political regimes.
By following these steps – essentially treating your cryptocurrency as you would any high-value asset – users can reduce the risk of theft or loss. The Nobitex breach is a cautionary example that reinforces the crypto adage: “Not your keys, not your coins.” Holding private keys securely and minimizing reliance on third-party platforms are critical, especially in environments where technology may be weaponized by state actors.