Nobitex Hot Wallet Funds Burned In Politically Motivated Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:24, 18 July 2025 by Azoundria (talk | contribs) (Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/nobitexhotwalletfundsburnedinpoliticallymotivatedattack.php}} {{Unattributed Sources}} thumb|Nobitex Logo/HomepageNobitex, Iran’s largest centralized crypto exchange, suffered a major hack. Attackers—allegedly a pro-Israel hacker group called “Gonjeshke Darande”—drained approximately $81.7 million in assets from its hot wallets across multiple blockchains...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Nobitex Logo/Homepage

Nobitex, Iran’s largest centralized crypto exchange, suffered a major hack. Attackers—allegedly a pro-Israel hacker group called “Gonjeshke Darande”—drained approximately $81.7 million in assets from its hot wallets across multiple blockchains due to critical access control failures. The incident drew renewed scrutiny of Nobitex’s role in facilitating sanctions evasion and alleged ties to sanctioned groups like the IRGC and Hamas. Despite speculation around a sudden drop in wallet balances from $1.8 billion to $96 million, security experts noted that Nobitex routinely migrates wallets, and the data may not indicate further losses. Nobitex claimed user funds in cold storage were unaffected and promised full compensation via its insurance fund. The stolen tokens were largely sent to burn addresses, making recovery virtually impossible except potentially for centralized assets like USDT.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34]

About Nobitex

Nobitex is Iran’s largest centralized cryptocurrency exchange, founded in 2017 by graduates of Sharif University of Technology. It serves as the primary gateway for Iranians to convert Iranian rials into digital assets such as Bitcoin, Ethereum, Litecoin, and Tether, processing roughly 70–87% of all domestic crypto transactions—translating into billions of dollars in trading volume and around 6 million active users by late 2024. The platform prioritizes security, employing encrypted data transmission, cold wallets for asset storage, two-factor authentication, and offline private key management. It also offers value-added services like DeFi tools, margin trading aligned with Islamic law, and zero-knowledge proof–based proof-of-reserves systems.

About Gonjeshke Darande

Gonjeshke Darande (Persian for “Predatory Sparrow”) is a high-profile hacktivist group active since around 2021. They’ve gained notoriety for sophisticated cyberattacks targeting Iranian infrastructure, often timed as political retaliation—from disrupting gas stations, rail networks, and steel facilities to more recent financial targets.

Their early attacks include a December 2023 operation that disabled about 70% of Iran’s petrol stations by manipulating fuel payment systems—though they reportedly coordinated with emergency services to limit harm. In mid‑2022, they targeted steel mills linked to the IRGC, releasing internal documents and even allegedly sparking fires in production facilities. Observers note the group’s technical sophistication and its alignment with state‑level cyber capabilities, suggesting possible ties to Israeli intelligence—though no official attribution has been confirmed.

The Reality

Despite its prominence in Iran’s digital financial landscape, Nobitex has drawn scrutiny for its role in facilitating sanctions evasion. Open-source blockchain analysis firms—TRM Labs, Elliptic, and Chainalysis—have linked the exchange to transactions involving the IRGC, Hamas, the Houthis, and other sanctioned groups. Notably, in 2022, U.S. senators warned that the exchange may be assisting in the laundering of illicit funds for Iran’s regime. Additionally, Nobitex has openly encouraged users to use intermediary wallets and foreign platforms such as Binance—a strategy that, according to Reuters, effectively instructs users in methods of sanctions evasion.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Nobitex Hot Wallet Funds Burned In Politically Motivated Attack
Date Event Description
June 17th, 2025 10:56:52 AM MDT First Transaction Draining Bitcoin The first transaction starts draining from the Nobitex hot wallets.
June 18th, 2025 12:54:00 AM MDT ZachXBT Posts News On Telegram ZachXBT shares news/initial analysis of the attack on Telegram.
June 18th, 2025 1:00:00 AM MDT Gonjeshke Darande Takes Responsibility Gonjeshke Darande posts on Twitter/X that after targeting IRGC-linked Bank Sepah, they have launched cyberattacks against Nobitex, Iran’s largest crypto exchange. They accuse Nobitex of enabling terrorism financing and sanctions evasion for the regime, warning that in 24 hours they will leak its source code and internal data—putting all associated assets at risk. The group urges users to act quickly, emphasizing Nobitex’s deep ties to the regime, including its recognition as a form of military service.
June 18th, 2025 1:19:09 AM MDT First Transaction Draining Tron The first transaction on the Tron blockchain, which appears to be widely cited as draining the Nobitex USDT balance.
June 18th, 2025 1:54:00 AM MDT Nobitex Official Statement Release In ian official statement, Nobitex confirmed a security breach affecting internal communications and a portion of its hot wallet. The company promptly isolated the affected systems and launched a full investigation. Nobitex emphasized that all user funds are safe, with most assets stored in unaffected cold wallets, and any losses from the hot wallet will be fully covered by their insurance and reserves. As a precaution, platform access has been temporarily suspended during a comprehensive security audit.
June 18th, 2025 1:54:56 AM MDT CoinTelegraph Starts Coverage CoinTelegraph starts their coverage of the hacking incident on the Nobitex exchange.
June 18th, 2025 2:01:00 AM MDT CoinTelegraph Adds Gonjeshke Darande CoinTelegraph adds a section attributing the hacking theft to Gonjeshke Darande.
June 18th, 2025 2:49:00 AM MDT CoinTelegraph Adds Cyvers Quotes CoinTelgraph adds the latest figures and quotes from Cyvers.
June 18th, 2025 6:26:00 AM MDT CoinTelegraph Adds Wallet Holdings Nobitex adds wallet holding information and quotes from Hacken.
June 18th, 2025 12:32:00 PM MDT Update From Nobitex Platform Nobitex’s fourth official statement on the recent cyberattack confirms that the situation is now under control, with all external access to their servers blocked. The significant drop in hot wallet balances was a deliberate precaution by the Nobitex team to protect user assets. The attackers reportedly transferred around $100 million in crypto to vanity addresses designed to burn and destroy the funds, an act Nobitex claims was meant to harm the Iranian public under false pretenses. Despite the scale of the theft, Nobitex assures users that no personal assets were lost, as its reserve fund will cover damages. Ongoing internet disruptions in Iran have affected user support and system recovery times, but the platform is working to restore full functionality and will continue to update users.

Technical Details

The Nobitex exploit “appears to stem from a critical failure in access controls, allowing attackers to infiltrate internal systems and drain hot wallets across multiple blockchains,” according to Hakan Unal, senior security operations lead at blockchain security firm Cyvers, quoted in CoinTelegraph.

"Some of the wallets Bitcoin - 1FuckiRGCTerroristsNoBiTEXXXaAovLX Tron - TKFuckiRGCTerroristsNoBiTEXy2r7mNX Dogecoin - DFuckiRGCTerroristsNoBiTEXXXWLW65t Ethereum - 0xffffffffffffffffffffffffffffffffffffdead Ton - UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT Solana - FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX Harmony - one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u Ripple - rFuckiRGCTerroristsNoBiTEXypBrmUM"

Total Amount Lost

"approximately $90 million in crypto holdings" "According to @zachxbt, around $81.7M was drained from Nobitex across Tron, EVM and BTC chains."

The total amount lost has been estimated at $81,700,000 USD.

Immediate Reactions

“Users’ assets are completely secure according to cold storage standards, and the above incident only affected a portion of the assets in hot wallets,” Nobitex said in an X post, adding that “all damages will be compensated through the insurance fund and Nobitex resources.”


Ultimate Outcome

A pro-Israel hacker group calling itself “Gonjeshke Darande” claimed responsibility for the Nobitex hack.

"After the IRGC’s “Bank Sepah” comes the turn of Nobitex WARNING!

In 24 hours, we will release Nobitex's source code and internal information from their internal network. Any assets that remain there after that point will be at risk!

The Nobitex exchange is at the heart of the regime’s efforts to finance terror worldwide, as well as being the regime’s favorite sanctions violation tool.

We, “Gonjeshke Darande”, conducted cyberattacks against Nobitex.

Nobitex doesn’t even pretend to abide by sanctions. In fact, it publicly instructs users on how to use its infrastructure to bypass sanctions.

The regime's dependence on Nobitex is evident from the fact that working at Nobitex is considered valid military service, as it is considered vital to the regime's efforts.

These cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions. Associating with regime terror financing and sanction violation infrastructure puts your assets at risk.

Take action before it's too late!"

Total Amount Recovered

There is no conceivable way in which the tokens can be recovered, since they have been send to "burn" addresses. The only proposed possibility for recovery would be the centralized USDT stablecoin, which could be re-issued, however this seems unlikely.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

There is concern that "the total value held in the Nobitex-labelled wallet fell over 90%, from over $1.8 billion on June 16 to $96 million as of June 18". However, it's suspected that Nobitex may have simply relocated their wallets.

However, this does not signal more losses, as Nobitex “routinely migrate their hot wallets, sometimes weekly,” explained Cyvers’ Unal, adding that this “data may not reflect the full picture accurately.”

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist - "The Iranian crypto exchange @nobitexmarket has detected signs of unauthorized access to some of its information infrastructure and hot wallets. According to @zachxbt, around $81.7M was drained from Nobitex across Tron, EVM and BTC chains." - Twitter/X (Accessed Jun 18, 2025)
  2. Iranian exchange Nobitex hacked for over $81M by Israel-linked hackers - CoinTelegraph (Accessed Jun 18, 2025)
  3. ZachXBT Post On Telegram (Accessed Jun 18, 2025)
  4. https://tronscan.org/#/address/TKFuckiRGCTerroristsNoBiTEXy2r7mNX (Accessed Jun 18, 2025)
  5. Gonjeshke Darand - "12 hours ago 8 burn addresses burned $90M from the wallets of the regime's favorite sanctions violation tool, Nobitex." - Twitter/X (Accessed Jun 18, 2025)
  6. Gonjeshke Darand - "After the IRGC’s “Bank Sepah” comes the turn of Nobitex WARNING! In 24 hours, we will release Nobitex's source code and internal information from their internal network. Any assets that remain there after that point will be at risk! The Nobitex exchange is at the heart of the regime’s efforts to finance terror worldwide, as well as being the regime’s favorite sanctions violation tool." - Twitter/X (Accessed Jun 18, 2025)
  7. First Transaction Draining Bitcoin - Blockchain.com (Accessed Jun 18, 2025)
  8. Onchain Lens - "According to (Accessed Jun 18, 2025)
  9. [@zachxbt, the Iranian exchange "Nobitex" (@nobitexmarket) was exploited for $48.65M in $USDT on #Tron Network." - Twitter/X @zachxbt, the Iranian exchange "Nobitex" (@nobitexmarket) was exploited for $48.65M in $USDT on #Tron Network." - Twitter/X] (Accessed Jun 18, 2025)
  10. Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System (Accessed Jun 18, 2025)
  11. Israel-linked group hacks Iranian cryptocurrency exchange in $90m heist (Accessed Jun 18, 2025)
  12. Nobitex - "Earlier today, June 18, Nobitex identified unauthorized access to parts of its infrastructure, specifically affecting our internal communication systems and a portion of our hot wallet. Immediately upon detection, all affected systems were isolated, and our internal incident response teams initiated a comprehensive investigation in accordance with industry best practices." - Twitter/X (Accessed Jun 18, 2025)
  13. Nobitex Fourth Official Statement - Twitter/X (Accessed Jun 18, 2025)
  14. Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group - Elliptic.co (Accessed Jun 18, 2025)
  15. Suspected Israeli Group Hacks Iran’s Nobitex Crypto Exchange, $82M Stolen - The Crypto Times (Accessed Jun 18, 2025)
  16. Nobitex Logo - Wikimedia Commons (Accessed Jun 18, 2025)
  17. Exclusive-Crypto exchange Binance helped Iranian firms trade $8 billion despite sanctions (Accessed Jun 18, 2025)
  18. Binance helped Iranian firms trade $8B in crypto despite sanctions (Accessed Jun 18, 2025)
  19. Exclusive-Crypto exchange Binance helped Iranian firms trade $8 billion despite sanctions (Accessed Jun 18, 2025)
  20. Crypto exchange Binance helped Iranian firms trade $8 billion despite sanctions - Markets - Business Recorder (Accessed Jun 18, 2025)
  21. https://en.shanbemag.com/2793-crypto-boom-in-iran-nobitex-hits-10m-users-seven-years-strong/ (Accessed Jun 18, 2025)
  22. Nobitex and the Rise of Autonomous Finance: Leveraging AI for a Decentralized Future - Cash Platform (Accessed Jun 18, 2025)
  23. https://www.irantalent.com/en/company/nobitex/90f98983-22a1-43c7-a86b-04151e2f8136/overview (Accessed Jun 18, 2025)
  24. https://ideannotation.com/nobitex-exchange-intoruction/ (Accessed Jun 18, 2025)
  25. https://www.reddit.com/r/Wallstreetsilver/comments/yteqbg (Accessed Jun 18, 2025)
  26. https://apidocs.nobitex.ir/en// (Accessed Jun 18, 2025)
  27. https://www.reddit.com/r/iran/comments/1gg1dty (Accessed Jun 18, 2025)
  28. https://www.reuters.com/world/middle-east/iran-crypto-exchange-hit-by-hackers-90-million-destroyed-2025-06-18/ (Accessed Jun 18, 2025)
  29. Current Status of Irans Local Cryptocurrency Exchanges Tens of Millions of Users And Severe Us (Accessed Jun 18, 2025)
  30. Nobitex is first decentralized exchange built and launched in Iran (Accessed Jun 18, 2025)
  31. https://www.wsj.com/livecoverage/israel-iran-conflict-news/card/iranian-crypto-exchange-hacked-more-than-90-million-taken-WsddW70Z3ENCr4phTBY7 (Accessed Jun 18, 2025)
  32. Virtual currency law in Iran - Wikipedia (Accessed Jun 18, 2025)
  33. https://www.reddit.com/r/iran/comments/1aupqhg (Accessed Jun 18, 2025)
  34. Nobitex Twitter/X (Accessed Jun 18, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Nobitex_Hot_Wallet_Funds_Burned_In_Politically_Motivated_Attack&oldid=6805"