On June 18, 2025, Nobitex, Iran’s largest cryptocurrency exchange, fell victim to a devastating cyberattack that resulted in the loss of approximately $90 million in digital assets, with some estimates suggesting losses as high as $100 million.
The breach, which targeted the exchange’s hot wallets, marks one of the most significant crypto heists in recent history and highlights the growing intersection of cybersecurity and geopolitics.
The pro-Israel hacking group Predatory Sparrow, also known as Gonjeshke Darande, claimed responsibility, framing the attack as a politically motivated strike against Iran’s financial infrastructure.
The incident, detailed in an analysis by blockchain security firm SlowMist, has sparked concern about the vulnerabilities of centralized exchanges and their role in geopolitically sensitive regions.
The attack was first flagged by on-chain investigator ZachXBT, who detected suspicious large-scale asset transfers across multiple blockchains, including TRON, Ethereum Virtual Machine (EVM)-compatible networks, and Bitcoin.
SlowMist’s analysis confirmed that the hackers siphoned funds from Nobitex’s hot wallets, which are used for daily liquidity operations and are more vulnerable due to their online connectivity.
Preliminary estimates place the losses at approximately $81.7 million, though some reports, including blockchain analytics firm Elliptic, suggest the figure could be closer to $90 million or more.
In an unprecedented move, the hackers did not attempt to launder or profit from the stolen assets.
Instead, they transferred the funds to custom “burn addresses” with politically charged labels, such as “TKFuckiRGCTerroristsNoBiTEXy2r7mNX” and “0xffFFfFFffFFffFfFffFFfFfFFFFDead,” rendering the funds inaccessible and effectively destroying nearly $100 million in cryptocurrency.
Predatory Sparrow, a group with suspected ties to Israeli intelligence, claimed the attack was a response to Nobitex’s alleged role in helping the Iranian regime evade international sanctions and finance terrorism.
The hackers accused the exchange of being a “key regime tool” and even claimed that employment at Nobitex is considered equivalent to military service due to its strategic importance to Iran’s financial operations.
The group further escalated the situation by threatening to leak Nobitex’s source code and internal data within 24 hours, a threat they followed through on June 19, 2025, by posting what they claimed was the exchange’s full source code on X.
This move not only disrupted Nobitex’s operations but also exposed its internal systems to further scrutiny and potential exploitation.
Nobitex responded swiftly, suspending its website and mobile app to conduct a security audit.
In a series of statements posted on X, the exchange confirmed unauthorized access to its internal communication systems and a portion of its hot wallets but emphasized that the majority of user funds, stored in secure cold wallets, remained unaffected.
The company pledged to compensate all losses through its insurance fund and internal resources, assuring its estimated 10 to 11 million users that their assets were safe.
However, the breach’s complexity, as noted in Nobitex’s fifth update on June 19, suggests that the full extent of the damage may exceed initial estimates.
The Nobitex hack underscores the dual-use nature of cryptocurrency exchanges in sanctioned economies like Iran.
While Nobitex serves as a critical lifeline for ordinary Iranians navigating economic isolation and inflation, it has also been linked to illicit activities.
Blockchain analysis by Elliptic and Chainalysis revealed that Nobitex has facilitated transactions with sanctioned entities, including IRGC-affiliated ransomware operators and groups like Hamas and the Houthis.
U.S. Senators Elizabeth Warren and Angus King had previously raised concerns about Nobitex’s role in sanctions evasion, citing a 2022 Reuters report that uncovered $8 billion in transactions between Nobitex and Binance from 2018 to 2022.
The incident has broader implications for the crypto industry, particularly for exchanges operating in high-risk environments.
SlowMist recommends that platforms like Nobitex implement stricter access controls, conduct regular audits, and deploy real-time threat monitoring systems to prevent similar breaches.
The attack also highlights the evolving nature of cyber warfare, where digital assets are increasingly targeted not for financial gain but to send political messages.
As geopolitical tensions between Israel and Iran escalate, the Nobitex hack serves as a reminder of the vulnerabilities inherent in centralized crypto platforms and the growing role of digital infrastructure in global conflicts.