Nobitex Hacked: $48.6M Stolen in Geopolitical Crypto Heist

On June 18, 2025, at 09:49 AM BST, Nobitex, Iran's largest cryptocurrency exchange, confirmed a significant security breach. This report provides a detailed analysis of the compromise.

Executive Summary

On June 18, 2025, Nobitex suffered a security breach resulting in the theft of approximately $48.6 million from its hot wallets, confirmed via an official X post.

The attack was claimed by Gonjeshke Darande (Predatory Sparrow), a hacker group with suspected Israeli ties, known for targeting Iranian infrastructure. The attackers sent the funds to vanity addresses, one of which ("TKFuckiRGCTerroristsNoBiTEXy2r7mNX") spells out an explicit anti-IRGC message, pointing to a political rather than financial motive. Nobitex stated that cold storage assets remain secure and promised full compensation through its insurance fund and internal resources. The incident underscores the exposure of hot-wallet infrastructure at crypto exchanges, particularly in geopolitically sensitive regions.

Incident Overview

  • Date of Discovery: June 18, 2025, as confirmed in Nobitex's official statement.

  • Affected Entities: Nobitex, a leading Iranian crypto exchange, operational since 2017, offering trading in bitcoin, ethereum, and other assets, primarily serving the Iranian market under international sanctions.

  • Estimated Impact: $48.6 million stolen, primarily in Tether's USDT via the Tron network, based on on-chain investigator ZachXBT's analysis.

  • Threat Classification: Politically motivated intrusion with possible state sponsorship; responsibility claimed by Gonjeshke Darande, a group with suspected Israeli ties and a history of targeting Iranian entities.

  • Confidence Level: MEDIUM, supported by multiple sources including Nobitex's official statement, on-chain data, and hacker group claims.

Technical Analysis

Attack Vector and Methodology

The attackers gained unauthorized access to Nobitex's hot wallets and reporting infrastructure. Nobitex has not disclosed the initial access vector, so any statement about which weakness was exploited is an assumption rather than a finding. The stolen funds were sent to vanity addresses on the Tron network, one of which ("TKFuckiRGCTerroristsNoBiTEXy2r7mNX") spells out an insult aimed at the Islamic Revolutionary Guard Corps (IRGC) and at Nobitex itself, marking this as a targeted, politically motivated operation rather than a profit-driven theft. Intrusions of this kind typically begin with an insider, phishing, malware on operator workstations, theft of hot-wallet private keys or signing credentials, or exploitation of a software vulnerability in the wallet management system. Moving funds out of the hot wallets at all implies the attackers controlled the signing keys or the withdrawal-initiating component of the wallet management system; the vanity addresses themselves show only pre-planning. A chosen, readable prefix of that length (about 26 characters after the leading "T", roughly 2^152 candidate keys) is far beyond what brute-force vanity address generation can produce while also holding the corresponding private key, whereas a checksum-valid address with no key behind it costs only about 2^32 trials over the trailing characters. These addresses, like the 0x...Dead address listed in the IOCs, are therefore effectively burn addresses with no known private key: the funds are destroyed rather than laundered, which is consistent with a sabotage motive. Tron's fast, low-fee transfers let the attackers drain the wallets before the outflows could be stopped.
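The feasibility argument above can be checked mechanically. The following Python is an added example, not code from the original report or from any party to the incident: it decodes a Base58Check address (the format shared by Tron and Bitcoin), reports whether its 4-byte checksum validates, and compares the work needed to produce the address with a known private key (brute-forcing key generation over the chosen prefix) against the work needed to produce it with no key at all (brute-forcing only the trailing characters until the checksum matches). The 2^80 cutoff used to label an address "likely burn" is an assumption chosen as a generous upper bound on any attacker's key-generation budget.

```python
import hashlib
import math

# Base58 alphabet shared by Bitcoin and Tron addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}
BITS_PER_B58_CHAR = math.log2(58)  # about 5.86 bits of freedom per chosen character


def b58decode(s: str) -> bytes:
    """Decode Base58 to raw bytes; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        if ch not in B58_INDEX:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + B58_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode; leading zero bytes become leading '1' characters."""
    n = int.from_bytes(raw, "big")
    out = []
    while n:
        n, r = divmod(n, 58)
        out.append(B58_ALPHABET[r])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(out))


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    return b58encode(payload + checksum(payload))


def b58check_decode(addr: str):
    """Return (payload, checksum_ok). payload[0] is the version byte:
    0x41 for Tron mainnet, 0x00 for Bitcoin P2PKH."""
    raw = b58decode(addr)
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    payload, chk = raw[:-4], raw[-4:]
    return payload, checksum(payload) == chk


def vanity_bits(chosen_chars: int) -> float:
    """Expected work, in bits, to find a keyed address whose first
    chosen_chars characters after the version character are all chosen."""
    return chosen_chars * BITS_PER_B58_CHAR


def inspect_vanity(addr: str, chosen_prefix: str) -> dict:
    """Compare producing addr with a private key (key-generation brute force over the
    chosen prefix) against producing it without one (brute force over the free tail
    until the 32-bit checksum happens to match)."""
    if not addr.startswith(chosen_prefix):
        raise ValueError("prefix does not match address")
    payload, ok = b58check_decode(addr)
    tail = len(addr) - len(chosen_prefix)
    keyed_bits = vanity_bits(len(chosen_prefix) - 1)  # first character is fixed by the version byte
    tail_bits = tail * BITS_PER_B58_CHAR
    return {
        "version": payload[0],
        "checksum_ok": ok,
        "keyed_search_bits": round(keyed_bits, 1),
        "keyless_forge_bits": round(min(32.0, tail_bits), 1),  # checksum is only 32 bits
        "keyless_forge_possible": tail_bits >= 32,  # tail must offer at least 2^32 candidates
        "likely_burn_address": keyed_bits > 80,  # assumption: 2^80 key derivations is out of reach
    }


if __name__ == "__main__":
    # IOC address from the report: the readable part is the chosen prefix, the last
    # seven characters are what a key-less forger would brute-force for the checksum.
    print(inspect_vanity("TKFuckiRGCTerroristsNoBiTEXy2r7mNX", "TKFuckiRGCTerroristsNoBiTEX"))
```

The interesting output is the gap between `keyed_search_bits` (about 152 for this address) and `keyless_forge_bits` (32): a checksum-valid address with this prefix is cheap to fabricate and impossible to own, which is why funds sent to it should be treated as burned rather than as cash-out targets for tracing.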

Technical Indicators of Compromise (IOCs)

  • Wallet Addresses: TKFuckiRGCTerroristsNoBiTEXy2r7mNX (Tron), 1FuckiRGCTerroristsNoBiTEXXXaAovLX (Bitcoin), 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead (EVM-compatible chains), plus further addresses involved in the transfers, identified by ZachXBT.

  • Contract Addresses: Not specified, as the attack focused on hot wallets rather than smart contracts.

  • Malware/Tools: Not specified; no malware samples or tooling attributable to this intrusion have been published. The group's earlier operations against Iranian targets involved custom tooling, but nothing about this incident's tooling should be inferred from that history.

  • Other Technical Indicators: Suspicious outflows on the Tron network, unauthorized access to hot wallets and reporting infrastructure, detected by on-chain monitoring.
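The IOCs above are only useful if something is watching hot-wallet outflows against them. The following Python is an added example, not Nobitex's monitoring or any published tooling: a minimal outflow monitor that flags transfers from exchange hot wallets to a listed IOC address and flags per-chain, per-asset outflow volume that exceeds a limit within a time window. The hot-wallet and customer addresses, the ledger entries and the 1,000,000 USDT per 10-minute limit are all constructed placeholders; EVM addresses are compared lower-cased because EIP-55 mixed case is only a checksum, while Base58 addresses are compared verbatim.

```python
from collections import defaultdict
from dataclasses import dataclass

# Destinations from the IOC list in this report. The EVM entry is the burn-style
# address 0xff...fDead written as 36 'f' characters followed by "dead".
IOC_ADDRESSES = {
    "tron": {"TKFuckiRGCTerroristsNoBiTEXy2r7mNX"},
    "bitcoin": {"1FuckiRGCTerroristsNoBiTEXXXaAovLX"},
    "evm": {"0x" + "f" * 36 + "dead"},
}


@dataclass
class Transfer:
    ts: int        # unix seconds
    chain: str     # "tron", "bitcoin" or "evm"
    src: str
    dst: str
    asset: str
    amount: float


def normalize(chain: str, addr: str) -> str:
    """EVM hex addresses are case-insensitive; Base58 addresses are not."""
    return addr.lower() if chain == "evm" else addr


def is_ioc_destination(chain: str, addr: str) -> bool:
    return normalize(chain, addr) in IOC_ADDRESSES.get(chain, set())


def monitor_outflows(transfers, hot_wallets, volume_limits, window_s=600):
    """Return (kind, transfer) alerts for hot-wallet outflows that go to an IOC address
    or push the (chain, asset) outflow total in a window_s bucket over its limit."""
    alerts = []
    window_totals = defaultdict(float)
    for t in sorted(transfers, key=lambda t: t.ts):
        if normalize(t.chain, t.src) not in hot_wallets:
            continue  # inbound or unrelated transfer; only outflows are monitored
        if is_ioc_destination(t.chain, t.dst):
            alerts.append(("ioc_destination", t))
        bucket = (t.chain, t.asset, t.ts // window_s)
        window_totals[bucket] += t.amount
        limit = volume_limits.get((t.chain, t.asset))
        if limit is not None and window_totals[bucket] > limit:
            alerts.append(("volume_limit", t))
    return alerts


# Constructed sample data: placeholder hot-wallet and customer addresses, not real ones.
HOT_WALLETS = {"THotWalletPlaceholder", "0xhotwalletplaceholder"}
VOLUME_LIMITS = {("tron", "USDT"): 1_000_000, ("evm", "USDT"): 1_000_000}
SAMPLE_TRANSFERS = [
    Transfer(1_000, "tron", "THotWalletPlaceholder", "TCustomerAPlaceholder", "USDT", 2_000),
    Transfer(1_100, "tron", "THotWalletPlaceholder", "TCustomerBPlaceholder", "USDT", 3_500),
    # Large outflow straight to the IOC vanity address: two alerts expected.
    Transfer(1_200, "tron", "THotWalletPlaceholder", "TKFuckiRGCTerroristsNoBiTEXy2r7mNX", "USDT", 20_000_000),
    # Mixed-case EVM burn address as listed in the IOCs; under the volume limit, IOC hit only.
    Transfer(1_300, "evm", "0xHotWalletPlaceholder", "0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead", "USDT", 500_000),
    # Inbound deposit to the hot wallet: ignored.
    Transfer(1_400, "tron", "TCustomerAPlaceholder", "THotWalletPlaceholder", "USDT", 100),
]


def run_sample():
    return monitor_outflows(SAMPLE_TRANSFERS, HOT_WALLETS, VOLUME_LIMITS)


if __name__ == "__main__":
    for kind, t in run_sample():
        print(f"{kind:16} {t.chain:5} {t.amount:>14,.0f} {t.asset} -> {t.dst}")
```

In production the transfer stream would come from a node or indexer rather than an inline list, and the IOC set would be refreshed from threat intelligence; the volume rule matters because an attacker who has signing keys can send to fresh addresses that no IOC list contains yet.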

Threat Actor Analysis

Attribution Assessment

The attack was claimed by Gonjeshke Darande (Predatory Sparrow), a hacker group active since at least 2020, known for targeting Iranian critical infrastructure such as steel facilities, gas stations, and banks (CyberScoop Report). While the group claims independence, its sophisticated operations and focus on Iranian state entities suggest possible ties to Israeli military intelligence, with a LOW to MEDIUM confidence level based on historical patterns and geopolitical context.

Capability Assessment

Gonjeshke Darande has demonstrated advanced technical capabilities, including:

  • Compromising secure systems, as seen in previous attacks on Iranian steel facilities and gas stations.

  • Executing large-scale cryptocurrency thefts, as evidenced by the Nobitex attack.

  • Conducting disruptive attacks on critical infrastructure, with controlled measures to limit collateral damage.

  • Threatening to release source code and internal data, indicating deep system access and data exfiltration capabilities.

Intent Analysis

The attack appears motivated by ongoing geopolitical tensions between Israel and Iran, with Gonjeshke Darande accusing Nobitex of supporting the Iranian regime's financial operations and sanctions evasion, labeling it a "key regime tool for financing terrorism".

The use of vanity addresses carrying an anti-IRGC message further supports this intent, consistent with the group's history of targeting entities it regards as part of Iran's military and financial infrastructure.

Impact Assessment

Immediate Financial Impact

  • Loss of $48.6 million from hot wallets, primarily USDT on the Tron network, with smaller amounts of BTC, DOGE, and assets on EVM-compatible chains.

Strategic Implications

  • The incident underscores the intersection of cybersecurity and geopolitics in the crypto space, with state-sponsored or state-aligned actors targeting financial infrastructure.

Appendices

Timeline of Events

  • June 18, 2025, Morning: Nobitex detects unauthorized access to hot wallets and reporting infrastructure, suspends all access, and initiates internal investigation.

  • June 18, 2025, Same Day: Gonjeshke Darande claims responsibility via X, threatening to release Nobitex's source code and internal data within 24 hours.

References and Sources

  • Multiple news articles and on-chain analyses provided detailed insights into the incident, with Nobitex's official statement confirming the breach and outlining response measures.