Iran’s Nobitex Hacked: $90M Crypto Stolen in Apparent Political Attack

Iran’s largest cryptocurrency exchange, Nobitex, suffered a significant cyberattack on June 18, with blockchain analytics firm Elliptic so far identifying over $90 million in funds transferred from Nobitex wallets to hacker-controlled addresses. This major breach follows a stark warning issued by the pro-Israel hacker group Gonjeshke Darande, or “Predatory Sparrow,” which claimed responsibility for cyberattacks against Nobitex and pledged to release its source code on the same day. As of this report, Nobitex’s website remains inaccessible, indicating the severe impact of the security incident and marking a new escalation in the ongoing digital conflict.

The Breach Unveiled: Millions Stolen

On June 18, Nobitex, known as Iran’s largest cryptocurrency exchange, was hit by a major hack that resulted in the reported theft of over $90 million in digital assets. Blockchain analytics firm Elliptic confirmed that these funds were traced from Nobitex wallets directly to addresses controlled by the perpetrators. The sheer volume of the pilfered cryptocurrency highlights the significant scale of the security breach and its profound financial implications for the Iranian exchange and its users.

“Predatory Sparrow” Claims Responsibility

The pro-Israel hacker group Gonjeshke Darande, meaning “Predatory Sparrow,” swiftly claimed responsibility for the cyberattack, issuing a public warning beforehand. This group, which also asserted responsibility for a hack targeting the state-owned Iranian bank Bank Sepah just a day earlier, followed through on its pledge to publish Nobitex’s source code on June 18. The group’s immediate and public acknowledgement of the attack underscores its intention to leverage cyber capabilities for geopolitical messaging.

Political Motivation, Not Profit

While no definitive confirmation exists that “Predatory Sparrow” directly moved the stolen funds, the hack appears overwhelmingly motivated by the recent escalation of tensions between Israel and Iran, rather than financial gain. A key indicator of this intent is that most of the addresses holding the hacked funds are “vanity addresses,” conspicuously containing variations of the term “F*ckIRGCterrorists” in the address string itself. The computational infeasibility of generating such long, text-embedded vanity addresses by key search suggests the hackers effectively “burned the funds” by sending them to addresses for which no one holds the private keys, thereby using the act as a potent political message to Nobitex.

The IRGC Connection to Nobitex

Nobitex, as Iran’s primary crypto exchange claiming over 7 million users, has been previously linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and other Iranian government figures through open-source investigations. These probes have identified relatives of Supreme Leader Ali Khamenei and IRGC-linked business partners as having connections to the exchange. Furthermore, Elliptic has specifically identified instances of sanctioned IRGC operatives, including Ahmad Khatibi Aghada and Amir Hossein Niakeen Ravari, who are accused of ransomware operations and targeting critical infrastructure, sending Bitcoin to Nobitex accounts, thereby suggesting its role in illicit financial activities.

Sanctions Evasion Allegations

The US Treasury Department’s press release from September 2022, accompanying sanctions against IRGC-affiliated individuals, accused them of engaging in malicious cyber activities and ransomware operations, highlighting a pattern of exploiting vulnerabilities to finance illicit activities. The IRGC, which answers solely to Iran’s Supreme Leader and not the President, exerts significant control over various sectors of the country’s economy, including the oil trade, enabling it to systematically evade international sanctions and finance proxy groups like Hamas, Palestinian Islamic Jihad, and the Houthis. Elliptic’s Investigator tool has graphically shown non-exhaustive on-chain interactions between Nobitex and wallets associated with these sanctioned entities, strongly implicating the exchange in facilitating such illicit financial flows.

Elliptic’s Role in Sanctions Compliance

Blockchain analytics firm Elliptic has played a crucial role in monitoring these illicit activities, ensuring that its tools provide comprehensive coverage of Nobitex and other Iranian-linked exchanges to facilitate virtual asset compliance with sanctions targeting the Iranian government. Elliptic’s Research and Investigations Team continuously monitors developments regarding the situation in the Middle East, swiftly reflecting any new or emerging sanctions or terrorist financing risks in their solutions. Moreover, despite the unlikelihood of onward activity, Elliptic has taken the proactive step of labeling the addresses involved in this hack within its solutions, providing critical data for ongoing compliance efforts.

Immediate Aftermath and Website Inaccessibility

In the immediate aftermath of the hack, Nobitex’s website became entirely inaccessible, at the same time as Elliptic was confirming the breach on-chain. This sustained downtime is a clear indicator of the severe operational disruption caused by the cyberattack, potentially affecting millions of users and their access to digital assets. The inaccessibility of the platform underscores the critical security vulnerabilities that exchanges face, particularly when targeted by politically motivated and highly sophisticated hacking groups.

A New Front in Cyber Warfare

The hack on Nobitex represents a chilling evolution in the landscape of geopolitical conflict, signaling the emergence of a new front in cyber warfare where digital assets become instruments of political messaging and disruption. This incident underscores the increasing sophistication of state-linked or state-sponsored cyber actors who are willing to “burn” substantial amounts of capital not for financial gain, but to deliver a potent political statement. The attack highlights the profound vulnerabilities within cryptocurrency infrastructure, urging a re-evaluation of security measures and regulatory oversight in the face of escalating, non-traditional threats that blur the lines between cybercrime and political sabotage.

IMPORTANT NOTICE

This article is sponsored content. Kryptonary does not verify or endorse the claims, statistics, or information provided. Cryptocurrency investments are speculative and highly risky; you should be prepared to lose all invested capital. Kryptonary does not perform due diligence on featured projects and disclaims all liability for any investment decisions made based on this content. Readers are strongly advised to conduct their own independent research and understand the inherent risks of cryptocurrency investments.