Iranian Exchange Nobitex Hacked for $90M by Israel-Linked Group, Faces Threat of Source Code Leak
Iran’s largest crypto exchange, Nobitex, has fallen victim to a $90 million hack carried out by Gonjeshke Darande, an activist hacker group suspected of ties to Israel, according to a report from blockchain security firm Elliptic.
The breach came just a day after the same group claimed responsibility for a cyberattack on Iran’s state-owned Bank Sepah. In a post on social media platform X, Gonjeshke Darande declared:
“After Bank Sepah, it was Nobitex’s turn.”
The hackers threatened to release Nobitex’s internal data and source code within 24 hours and warned that any assets remaining on the platform were “at risk.”
The first signs of suspicious activity emerged when blockchain investigator ZachXBT flagged unusual outflows totaling $81.7 million across multiple tokens, including Tron’s TRX, bitcoin (BTC), and dogecoin (DOGE), sharing his findings in his Telegram channel on Wednesday.
The stolen funds were traced to a wallet featuring a provocative vanity address: TKFuckiRGCTerroristsNoBiTEXy2r7mNX. Subsequent investigations raised the estimated value of assets stolen to over $82 million, with funds siphoned from Bitcoin, Dogecoin, and EVM-compatible chains. Other addresses linked to the hack included:
0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead1FuckiRGCTerroristsNoBiTEXXXaAovLXDFuckiRGCTerroristsNoBiTEXXXWLW65t
Gonjeshke Darande labeled Nobitex as a “core part of the regime’s terror financing network,” accusing it of facilitating crypto-based payments that help Iran circumvent international sanctions.
While Nobitex confirmed the breach in a post on X, the exchange has yet to provide details about the extent of the financial losses.
Attack Driven by Politics, Not Profit
Despite the sizable sum involved, Elliptic believes the attack was politically motivated rather than financially driven.
The hackers transferred the funds to vanity addresses containing customized text strings—an operation that typically requires generating huge numbers of cryptographic key pairs to produce specific words or phrases.
“But creating vanity addresses with text strings as long as those used in this hack is computationally infeasible,” Elliptic explained. “This suggests Predatory Sparrow would not possess the private keys to these crypto addresses, meaning the funds have effectively been burned as a political statement.”
At present, the precise technique used by Gonjeshke Darande to penetrate Nobitex remains unknown.
The hack is part of a broader pattern of escalating cyber and physical attacks between Iran and Israel. Gonjeshke Darande—also known as Predatory Sparrow—has previously claimed responsibility for cyber assaults targeting Iranian infrastructure, including steel plants and gas stations.
As the threat of a source code leak looms, Nobitex faces not just financial fallout but a crisis of trust. The hacking group’s warnings suggest users who haven’t yet withdrawn funds could risk losing everything if further attacks occur.
