Iran’s largest cryptocurrency exchange, Nobitex, confirmed on June 18 that it had suffered a security breach resulting in the unauthorized withdrawal of tens of millions of dollars in digital assets. The company reported that the incident affected a portion of its hot wallets and internal infrastructure.
While Nobitex has not publicly disclosed the total amount lost, blockchain analyst ZachXBT traced suspicious outflows across the Tron blockchain and EVM-compatible chains, estimating total losses at approximately $81.7 million. According to the company, assets stored in cold wallets remain secure, and all affected user funds will be reimbursed through its insurance fund and internal reserves.
Following the incident, Nobitex suspended all access to its website and mobile app. Its technical team is conducting an internal investigation, and customer support channels have also been temporarily disabled.
Timeline and Technical Details
According to a statement issued by Nobitex, its team detected signs of unauthorized access to some of its infrastructure and hot wallets on the morning of June 18. Access permissions were immediately revoked, and the affected systems were taken offline.
Initial analysis by blockchain security firms suggests that the attackers executed the exploit by targeting wallet permissions and infrastructure connected to hot wallets used for routine transactions. The first wave of transfers totaled around $48.65 million in USDT on the Tron network. Subsequent reviews increased the estimate to over $81 million, with activity detected on both Tron and EVM-compatible chains.
Nobitex has emphasized that its cold storage systems – where the majority of user funds are kept – were not affected by the breach. The company also reiterated its commitment to fully compensating users.
Hacker Group Gonjeshke Darande Claims Responsibility
A hacker group calling itself Gonjeshke Darande – translated as “Predatory Sparrow” – has claimed responsibility for the cyberattack. In a statement posted online, the group said it carried out the attack because of Nobitex’s alleged role in bypassing international sanctions and facilitating transactions linked to the Iranian regime.
The group stated that it would publish the exchange’s internal data and source code within 24 hours and warned that any assets still held on the platform could be at risk.
Blockchain data shows that one of the wallet addresses used in the exploit included the phrase “TKFuckiRGCTerroristsNoBiTEXy2r7mNX”, referencing the IRGC (Islamic Revolutionary Guard Corps), a branch of Iran’s armed forces. The attackers reportedly used several wallet addresses with similarly provocative identifiers.
Background and Potential Motives
Gonjeshke Darande is widely believed to be linked to Israeli intelligence operations, though no government has officially confirmed this connection. The group has previously claimed responsibility for cyberattacks on Iranian institutions, including fuel infrastructure, banking systems, and steel production facilities. Its operations have historically aligned with periods of heightened political and military tension between Iran and Israel.
This cyberattack on Nobitex occurred during a period of renewed conflict between the two countries. Just days earlier, the same group claimed responsibility for disrupting Iran’s Bank Sepah. The group has stated that its targets are selected based on their ties to sanctioned entities and regional security activities.
Update: Source Code Released
Twenty-four hours after its initial announcement, Gonjeshke Darande released what it claims is Nobitex’s full source code and internal documentation. The files were published on a publicly accessible X channel.