Iranian Nobitex Hacked: $85M Lost in Pro-Israel Cyberattack

Nobitex, the largest Iranian crypto exchange, has lost more than $85 million to a coordinated cyberattack allegedly carried out by a pro-Israel hacker group. 

The attackers, who call themselves Gonjeshke Darande, translated as Predatory Sparrow, claim the move was not for financial gain but to send a defiant political message amid rising tensions between Iran and Israel.

The funds, instead of being siphoned off for personal use, were sent to so-called “burner” addresses, rendering them unusable.

Nobitex Confirms Breach of Hot Wallets

Nobitex, which dominates Iran’s cryptocurrency trading scene, confirmed through a post on X (formerly Twitter) that a portion of its hot wallets had experienced unauthorized access. According to the exchange, the majority of user funds, stored in cold wallets, remained secure. 

The company reassured its users that the damage is limited and will be covered through its insurance fund and internal reserves.

Despite the quick containment response, blockchain analysts estimate that more than $85 million worth of assets, including Bitcoin, Dogecoin, Tether (USDT), and over 100 other cryptocurrencies, were irretrievably lost. 

The majority of the stolen funds were transferred to blockchain wallet addresses with inflammatory phrases targeting the Iranian military, particularly the Islamic Revolutionary Guard Corps (IRGC).

Read also: Polyhedra Claims New Liquidity Attack! Is This Another Hack?

Attack Linked to Pro-Israel Hacker Group

The cyberattack has been claimed by Predatory Sparrow, a group that has previously taken responsibility for disrupting Iranian steel mills, gas stations, and public transit systems. 

In their public statement, the group accused Nobitex of aiding Iran’s military and helping the regime bypass international sanctions.

“This cyberattack is the result of Nobitex being a key regime tool for financing terrorism and violating sanctions,” the group posted on social media, promising to release the platform’s source code and internal files within 24 hours. They also warned users that any remaining funds on the exchange could be at risk.

Vanity Addresses Used as a Political Statement

Investigators noted the attackers used vanity addresses, public wallet addresses that include custom phrases, as part of the operation. Examples include addresses with derogatory phrases aimed at the IRGC, such as “TKFuckiRGCTerroristsNoBiTEXy2r7mNX” and “0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead.” 

The use of such specific character strings indicates that the attack was meticulously planned and intended to make a public statement, not to profit from the theft.

“This is not a typical financially motivated crypto hack,” said Arda Akartuna, a lead threat analyst at Elliptic. 

“Creating vanity addresses of this kind would have required extreme computational resources, suggesting the attackers never intended to access the funds again.”

Read also: Cetus Protocol Hack 2025: Crucial Lessons You Can’t Miss

Rising Geopolitical Tensions Behind the Attack

The attack comes amid growing geopolitical friction between Iran and Israel. Over the past week, the two nations have exchanged direct missile strikes following international reports accusing Iran of advancing its nuclear program. 

The cyberattack on Nobitex follows another breach just a day earlier, in which Bank Sepah, a major Iranian state-owned bank, was targeted by the same hacker group.

According to blockchain security firm Hacken, the Nobitex hack impacted multiple blockchains, particularly Ethereum Virtual Machine (EVM)-compatible chains and the Tron network. 

Research by ZachXBT, an on-chain investigator, identified “suspicious outflows” totaling over $81 million. Though early estimates varied, Elliptic later confirmed the full loss exceeded $90 million.

Iran’s Digital Finance Faces Mounting Pressure

The Iranian financial sector, already under strain from sanctions and a weakened economy, now faces renewed challenges in securing its digital infrastructure. Iran had turned to cryptocurrency exchanges like Nobitex as part of a broader strategy to facilitate cross-border transactions and circumvent sanctions. 

The breach not only endangers that strategy but also shakes public trust in the security of digital platforms.

According to Tom Robinson, chief scientist at Elliptic, “Nobitex plays a crucial role in Iran’s efforts to utilize crypto as a tool for economic survival. A loss of this scale sends a strong signal and could have a chilling effect.”

Read also: KiloEX Suffers $7M Loss from Hack! Here's What Happened

Potential for Recovery and Damage Control

While some stablecoins such as USDT were part of the stolen assets, experts suggest that recovery is only possible if token issuers like Tether decide to freeze or reissue the stolen tokens. So far, there has been no official statement from Tether regarding this incident.

Data from blockchain analytics firm Arkham showed that Nobitex’s total wallet holdings plunged from over $1.8 billion to less than $100 million shortly after the attack. 

However, analysts caution that this may not reflect actual losses, as the platform frequently rotates its hot wallet addresses.

Find other interesting articles on Bitrue blog! You can also directly buy selected assets on Bitrue by registering here! 

Frequently Asked Questions (FAQ)

What is Nobitex?

Nobitex is the largest cryptocurrency exchange in Iran, offering trading services primarily to Iranian users.

How much was stolen in the cyberattack?

The attackers drained over $85 million from Nobitex’s hot wallets, affecting various cryptocurrencies across multiple blockchains.

Who is responsible for the attack?

A pro-Israel hacker group named Predatory Sparrow has claimed responsibility. The group cited political motives, not financial ones.

Were user funds affected?

Nobitex stated that the majority of user funds stored in cold wallets remain secure and that the stolen amount will be reimbursed using its insurance fund and internal resources.

Why were vanity addresses used in the attack?

The hackers used vanity addresses with politically charged phrases to make a symbolic statement. These addresses effectively burned the funds, making them unusable.

Is there any chance the stolen funds can be recovered?

Recovery is unlikely unless token issuers, such as Tether for USDT, intervene. However, no recovery efforts have been confirmed as of now.

Is this the first time Nobitex has been targeted?

This is the most significant attack on Nobitex to date, and it is also among the largest crypto heists targeting an Iranian exchange.

How does this incident impact Iran’s use of crypto?

The attack undermines Iran’s use of cryptocurrency to bypass sanctions and could limit its future use of digital assets in state-level financial strategies.