Nobitex is an Iranian cryptocurrency exchange platform that facilitates the trading of various digital assets. It is considered one of the largest cryptocurrency exchanges operating within Iran. [1] [2]
Nobitex serves the Iranian market, providing a platform for users to buy, sell, and trade cryptocurrencies. The exchange operates within the regulatory environment of Iran, which has specific stances on digital assets and their use, particularly in the context of international sanctions. The platform's operations and user base make it a significant entity in Iran's digital asset landscape. [2]
The exchange gained international attention in June 2025 following a major security breach. The incident involved the unauthorized access and draining of a substantial amount of digital assets from the exchange's hot wallets. The attack was publicly claimed by a group identifying themselves as "Gonjeshke Darande," who stated political motivations related to the ongoing conflict between Israel and Iran and allegations regarding Nobitex's role in sanctions evasion. [2] [3]
On June 18, 2025, the Iranian cryptocurrency exchange Nobitex experienced a significant security breach resulting in the loss of digital assets.
The exploit was initially reported by onchain investigator ZachXBT, who disclosed the incident via a Telegram post. Initial estimates placed the value of the drained assets at over $81 million. Later reports from various sources cited figures ranging from $81 million to $100 million [1] [2] [3].
The attackers reportedly used "vanity addresses" during the exploitation process, which were observed receiving suspicious outflows from multiple wallets linked to Nobitex. A vanity address is a cryptocurrency wallet address with a customized, user-defined sequence of characters at the beginning. One such address used in the attack was "TKFuckiRGCTerroristsNoBiTEXy2r7mNX" [1].
According to Hakan Unal, senior security operations lead at blockchain security firm Cyvers, the exploit appeared to stem from a "critical failure in access controls," allowing attackers to infiltrate internal systems and drain hot wallets across multiple blockchains [1].
A group identifying itself as "Gonjeshke Darande," which translates to "Predatory Sparrow" in Farsi, claimed responsibility for the hack [1] [2] [3].
The group is described as a pro-Israel hacking entity [2] [3].
Gonjeshke Darande stated that they targeted Nobitex because they alleged the exchange had ties to the Iranian government and was used to finance terrorism and violate international sanctions. They claimed that working at Nobitex was considered valid military service due to its perceived importance to the Iranian government's efforts. Blockchain analytics firm Elliptic also shared evidence suggesting the exchange had sent and received funds from cryptocurrency wallets controlled by Iranian allies, including Yemen’s Houthis and Hamas [1] [2] [3].
Nobitex confirmed that a portion of its hot wallets showed signs of "unauthorized access" and were immediately suspended upon detection. The exchange stated that user assets held in cold storage were secure and that all damages would be compensated through its insurance fund and resources [1].
Data from blockchain analytics platform Arkham showed a significant drop in the total value held in Nobitex-labelled wallets, falling from over $1.8 billion on June 16 to $96 million by June 18 [1].
However, Cyvers' Hakan Unal noted that Nobitex routinely migrates hot wallets, suggesting this data might not fully reflect the extent of losses [1].
Nobitex stated on June 19 that no additional financial losses had occurred since the initial incident and that it expected to restore services within five days, although internet disruptions in Iran were slowing progress [4].
Initial reports indicated that at least $81.7 million was drained. Later reports cited figures around $90 million and up to $100 million [4]. The theft involved a range of cryptocurrencies across the Tron network and Ethereum Virtual Machine (EVM)-compatible blockchains [1] [3].
Gonjeshke Darande claimed that the majority of the stolen funds were "burned" or permanently removed from circulation. They stated that $90 million was burned across eight burn addresses [4].
A "burner address" is a wallet address where funds are sent to make them irrecoverable, effectively taking them out of circulation. Cybersecurity experts noted that transferring funds to such addresses effectively throws the crypto away [2].
Yehor Rudytsia, a security researcher at Hacken, commented that the assets on EVM chains were sent to "clean burner addresses" across more than 20 tokens. He suggested that a potential partial recovery might be possible if USDT reissues the $55 million worth of stolen stablecoins [1] [4].
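The vanity and burner address passages above can be made concrete with a small analyst-side check. This is an added example, not code from the cited reports or from Nobitex: it validates a Tron-style Base58Check address and estimates how many key pairs would have to be tried to land on a chosen run of characters. The function names, the 80-bit threshold and the sample address (built from a zeroed payload) are assumptions made for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRON_VERSION = 0x41  # version byte that makes mainnet addresses start with "T"

def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of double SHA-256 over the payload."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError for 0, O, I, l and other non-alphabet chars
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def is_valid_tron_address(addr: str) -> bool:
    """True if addr decodes to version byte + 20-byte hash + matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != TRON_VERSION:
        return False
    return _checksum(raw[:21]) == raw[21:]

def expected_attempts(chosen_chars: int) -> int:
    """Rough number of key pairs to try for `chosen_chars` fixed characters
    after the leading "T" (approximation: each character treated as uniform)."""
    return 58 ** chosen_chars

def likely_unspendable(chosen_chars: int, threshold_bits: int = 80) -> bool:
    """Heuristic (assumed threshold): a chosen run this long cannot have been
    reached by searching keys, so nobody holds a key for the address."""
    return expected_attempts(chosen_chars).bit_length() > threshold_bits

# Constructed sample: version byte plus a zeroed 20-byte hash, checksum appended.
_payload = bytes([TRON_VERSION]) + bytes(20)
SAMPLE = b58encode(_payload + _checksum(_payload))
```

A checksum-valid address whose readable text runs for dozens of characters passes `is_valid_tron_address` yet trips `likely_unspendable`, which is the pattern that distinguishes a burn destination from a short vanity prefix produced by searching keys.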
Following the hack, Gonjeshke Darande leaked what they claimed was the full source code and internal files of the Nobitex exchange. The group posted details on X (formerly Twitter) that included alleged security measures, privacy settings, blockchain cold scripts, a list of servers, and a zip file containing the source code [4]. They warned that any remaining assets on the platform were at risk due to the leak [4] [3].
The hack occurred amid renewed conflict between Israel and Iran, which involved strategic missile strikes between the two countries. Security researchers suggested the exploit appeared to be a "political statement rather than a typical financially motivated theft" [1] [2] [4].
Yehor Rudytsia stated:
“On EVM, the assets across more than 20 tokens were sent to clean burner addresses. The only potential partial recovery might come if USDT reissues the $55 million worth of stolen stablecoins.” [1]
Hamid Kashfi, a cybersecurity expert, noted that the hack could affect ordinary Iranians who rely on crypto due to shrinking access to financial resources [2].
Gonjeshke Darande has previously claimed responsibility for other cyberattacks against Iranian infrastructure, including disruptions to gas stations and a steel mill [2] [3].
In response to the hack, the central bank of Iran reportedly imposed a curfew on domestic crypto exchanges, limiting their operating hours [4] [3].
Nobitex is described as Iran's largest cryptocurrency exchange [2] [3]. It supports trading in a variety of cryptocurrencies, including Bitcoin, Ethereum, and Dogecoin [3].
Following the hack, Nobitex stated that user assets in cold storage were secure and that only a portion of assets in hot wallets were affected [1]. The exchange committed to compensating all damages using its insurance fund and internal resources [1].
Gonjeshke Darande and blockchain analytics firms like Elliptic and Chainalysis have alleged that Nobitex has ties to the Iranian government and has been used to evade international sanctions and facilitate financial transactions for entities like the Islamic Revolutionary Guard Corps (IRGC), Yemen's Houthis, and Hamas. These allegations formed the stated motivation for the June 2025 cyberattack. [1] [2] [3]