Nobitex Hit for $90M in Hack by Israel-Linked Group, Faces Threat of Source Code Leak
Iran’s largest crypto exchange, Nobitex, has been hacked for roughly $90 million by Gonjeshke Darande—a hacking collective with alleged ties to Israel—according to blockchain security firm Elliptic.
The attack follows Gonjeshke Darande’s cyberstrike against Iran’s state-owned Bank Sepah just a day earlier. In a post on X, the group declared:
“After Bank Sepah, it was Nobitex’s turn.”
The hackers warned they plan to release Nobitex’s internal data and source code within 24 hours and threatened that any funds left on the platform remain “at risk.”
The first clues of the breach emerged when on-chain analyst ZachXBT spotted suspicious outflows totaling $81.7 million across Tron’s TRX, bitcoin (BTC), dogecoin (DOGE), and other tokens, and reported the activity on his Telegram channel on Wednesday.
Blockchain traces revealed that the stolen funds were sent to a wallet with the inflammatory vanity address “TKFuckiRGCTerroristsNoBiTEXy2r7mNX.” Elliptic later revised the estimated stolen amount to over $82 million, involving assets on Bitcoin, Dogecoin, and EVM-compatible chains. Other flagged wallet addresses included:
0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
1FuckiRGCTerroristsNoBiTEXXXaAovLX
DFuckiRGCTerroristsNoBiTEXXXWLW65t
In their statement, Gonjeshke Darande labeled Nobitex as a “core part of the regime’s terror financing network,” accusing it of aiding Iran’s efforts to sidestep international sanctions through cryptocurrency channels.
Nobitex confirmed the attack via a brief post on X but has not disclosed the exact scale of the financial damage.
Hack Seen as Politically, Not Financially, Driven
Elliptic noted that despite the significant sums involved, the hackers were likely not financially motivated. Instead, the group appears to have burned the stolen funds to send a political message.
Creating vanity crypto addresses with lengthy customized text strings like those used in the attack is computationally prohibitive, Elliptic explained. That makes it virtually impossible for the hackers to possess the private keys necessary to retrieve the transferred funds.
“Predatory Sparrow would not have the private keys for the crypto addresses they sent the Nobitex funds to,” Elliptic wrote. “They have effectively burned the funds as a political statement.”
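As an added illustration (not code from the article or from Elliptic), the Python below puts numbers on that argument. It decodes a Base58Check address to show that a valid checksum says nothing about whether a private key exists, and it estimates the key-generation work needed to match a fixed run of characters. The 25-character count (taken from the address text quoted above), the rate of 10^12 keys per second, the uniform-character approximation and the sample all-zero-hash address are assumptions of this example.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_decode(addr):
    """Decode a Base58Check address into (version, payload, checksum_ok)."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for one leading zero byte.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) < 5:
        raise ValueError("too short for version byte plus 4-byte checksum")
    body, check = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(body).digest()).digest()
    return body[0], body[1:], digest[:4] == check

def vanity_attempts(chosen_chars):
    """Approximate key generations needed to match that many fixed characters.

    Assumes each Base58 character of a key-derived address is uniform.
    """
    return 58 ** chosen_chars

def years_to_grind(chosen_chars, keys_per_second):
    return vanity_attempts(chosen_chars) / keys_per_second / (365 * 24 * 3600)

# Sample input, not from the article: the well-known Bitcoin address whose
# 20-byte hash is all zeros. It was written down, not derived from a key.
ZERO_HASH_ADDR = "1111111111111111111114oLvT2"
ARTICLE_TEXT_CHARS = 25  # chosen characters in the address text quoted above
ASSUMED_RATE = 1e12      # keys per second; an assumption for illustration

if __name__ == "__main__":
    version, payload, ok = b58check_decode(ZERO_HASH_ADDR)
    print("version", version, "payload", payload.hex(), "checksum ok:", ok)
    print("attempts for article text: %.2e" % vanity_attempts(ARTICLE_TEXT_CHARS))
    print("years at assumed rate: %.2e" % years_to_grind(ARTICLE_TEXT_CHARS, ASSUMED_RATE))
```

The checksum is computed from the address bytes alone, so wallets accept such an address as well-formed even though nobody holds a key for it.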
As of now, it remains unclear exactly how Gonjeshke Darande managed to breach Nobitex’s systems.
The cyberattack underscores the escalating tit-for-tat between Iran and Israel, involving both digital and physical infrastructure strikes. Gonjeshke Darande, known in English as Predatory Sparrow, has previously claimed responsibility for cyberattacks targeting Iranian steel plants and gas stations.
With the looming threat of leaked source code, Nobitex faces not just financial repercussions but a significant crisis of trust, and users who haven’t yet withdrawn funds may be at risk of losing everything if further exploits occur.
