Iran’s largest cryptocurrency exchange, Nobitex, lost over $90 million in a coordinated cyberattack this week. A hacktivist group named Gonjeshke Darande (Predatory Sparrow), linked to Israel, claimed responsibility. Unlike typical thefts, the attackers burned the funds—making them irrecoverable—and leaked Nobitex’s internal source code.
What Happened?
On June 18, blockchain analysts detected abnormal outflows from Nobitex wallets across Bitcoin, Ethereum, Tron, and Dogecoin networks. The stolen funds—totaling $81.7M–$90M—were sent to “vanity addresses” with explicit anti-Iranian messages like:
TKFuckIRGCTerroristsNoBITExy27r7mNX
1FuckIRGCTerroristsNoBITExxAaAvvLXSecurity firm ZenGo confirmed these were “burner addresses.” The private keys don’t exist, meaning the funds are permanently locked. “This wasn’t theft. It was a political statement,” said Elliptic in a report.
The Hackers’ Motive
Predatory Sparrow announced the hack on social media, accusing Nobitex of aiding Iran’s Revolutionary Guard Corps (IRGC) in evading sanctions and funding terrorism. They warned:
Assets left in Nobitex are now entirely exposed. We released its source code and internal data. Withdraw now or risk losing everything.
Hours later, they published Nobitex’s source code online.
Human Impact
Ordinary users suffered devastating losses
@akohassan tweeted: “$37,000 stolen from me—my 17-year savings. I’m not affiliated with the regime. Please refund this.”
@mememanneman condemned the hackers: “You’re stealing from private citizens, not the government. Nobitex employs 1,000 people.”
Nobitex co-founder Amir Rad appealed for help: “We’re under military aggression and internet blackouts. If you’re a security researcher, we need support.”
Geopolitical Backdrop
The hack followed Israel’s airstrikes on Iranian nuclear sites days earlier. Predatory Sparrow also attacked Bank Sepah—an IRGC-linked bank—disrupting services nationwide.
What did Iran authorities do?
- Nobitex shut down its website and app immediately to close a potential backdoor while they investigated what happened nypost.com.
- On June 19, Iran’s Central Bank announced new limits: all domestic crypto platforms must operate only between 10 AM and 8 PM Iran time—a kind of “crypto curfew” meant to reduce risk crypto.news.
- Iran also faced a major internet slowdown, with connectivity dipping by 90% during the crisis—likely efforts to limit the damage and restrict communications.
