Seems like Iran was a bit late to lockdown worldwide Internet access amidst the Israel/Iran/USA? was. Nobitex, Iran’s largest cryptocurrency exchange, was hacked on June 18, 2025, resulting in the theft of over $90 million in cryptocurrency assets. The cyberattack targeted the exchange’s “hot wallet” infrastructure, which is connected to the internet for quick transactions. The stolen funds included Bitcoin, Dogecoin, and more than 100 different cryptocurrencies across multiple blockchains including TRON, Ethereum, and Bitcoin.
The pro-Israel hacking group known as Gonjeshke Darande or “Predatory Sparrow” claimed responsibility for the attack. Rather than keeping the stolen funds, the hackers sent them to inaccessible blockchain addresses, effectively “burning” or destroying the cryptocurrency as a symbolic gesture. These addresses contained variations of the phrase “FuckiRGCTerrorists,” referring to Iran’s Islamic Revolutionary Guard Corps (IRGC).
Following the breach, Nobitex confirmed the security incident and temporarily suspended its website and app while conducting an internal investigation. The company stated that the majority of user assets were held in cold storage (offline wallets) and remained secure. Nobitex also pledged to compensate all damages through its insurance fund and internal resources.
Background and Context
Nobitex is a significant player in Iran’s financial ecosystem, claiming to have over 10 million customers according to recent data. The exchange has been linked to the IRGC and Iranian government figures in the past. Open-source investigations have identified relatives of Supreme Leader Ali Khamenei and IRGC-linked business partners as connected to Nobitex.
The attack on Nobitex came amid escalating tensions between Israel and Iran. Just one day earlier, the same hacking group claimed responsibility for a cyberattack on Iran’s Bank Sepah that disrupted ATM services across the country. These cyberattacks occurred during a period of military conflict between the two nations, with Israel targeting Iran’s military and nuclear sites on June 13, 2025.
Predatory Sparrow stated that they targeted Nobitex because it allegedly serves as “a key regime tool for financing terrorism and violating sanctions”. Blockchain analytics firm Elliptic has identified the use of Nobitex by sanctioned IRGC operatives accused of ransomware operations and targeting critical infrastructure. The firm has also documented on-chain interactions between Nobitex and wallets associated with groups like Hamas, the Palestinian Islamic Jihad, and the Houthis.
The cyberattack on Nobitex represents a significant escalation in the cyber warfare dimension of the Israel-Iran conflict, with Iranian state media reporting that Israel had “launched a massive cyber war against Iran’s digital infrastructure”.
