In a politically motivated cyberattack, Iran’s largest crypto exchange Nobitex lost more than $81.7–82 million in digital assets. The pro-Israel hacker collective “Predatory Sparrow” (Gonjeshke Darande) has claimed responsibility in order to target what they are asserting are funding of the IRGC and evasion of sanctions.
Suspicious Outflows Trigger Alarms
On June 18, blockchain sleuth ZachXBT spotted unusual token transfers from Nobitex-linked hot wallets. In a Telegram alert, he revealed “suspicious outflows” totaling about $81.7 million, spread across Tron, Bitcoin, Dogecoin and Ethereum-compatible networks.
The attackers used customized (vanity) wallet addresses echoing political messaging — one labeled “TKFuckiRGCTerroristsNoBiTEXy2r7mNX” siphoned nearly $49 million on Tron, while a second address, “0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead”, was linked to EVM chains.
Predatory Sparrow Claims Responsibility
Shortly after the breach, the hacking group Gonjeshke Darande—also calling themselves Predatory Sparrow—publicly claimed credit via X. They described Nobitex as “at the heart of the regime’s efforts to finance terror worldwide” and a tool of sanctions circumvention.
“In 24 hours, we will release Nobitex’s source code and internal information… Any assets that remain there after that point will be at risk!”
Analysts suspect the hack is a deliberate political act. Elliptic noted that the vanity addresses were created via brute-force without private keys, effectively burning the funds—an anti-financial-motivation signal.
Nobitex Confirms Breach, Halts Operations
Nobitex has qualified “unauthorized access” to segments of its hot wallet infrastructure, has disabled all access and taken its app and website offline. The organization maintained that cold storage assets were unaffected and took “full responsibility,” stating that it would make clients “whole” through insurance and internal reserves.
Tactics Behind the Heist: Hot Wallet Compromise
Security firm Cyvers pointed to failures in access controls, letting attackers breach internal systems to drain hot wallets across multiple chains. Despite the sizable haul, stolen funds remain idle—off-chain addresses hold unmoved tokens.
Further investigation by Hudson Rock shows the group used infostealer malware targeting Nobitex employees to harvest credentials and gain system privileges, providing a possible entry path.
Geopolitical Context Escalates
The hack follows other politically motivated strikes in the Iran–Israel cyberfront. Earlier this week, Predatory Sparrow targeted Bank Sepah and also reportedly struck Iranian steel mills and gas stations.
Tensions have flared since Israeli airstrikes on Iran beginning June 13 and reciprocal missile exchanges. The timing of cyber attacks suggests growing strategic integration of geopolitics and crypto.
A Worsening Trend: Crypto Caught in Cyber Warfare
The Nobitex breach marks one of many high-value crypto attacks in 2025—over $2.1 billion has been stolen from centralized exchanges already this year, mostly via wallet compromise and poor security practices. What sets this apart is its clear geopolitical message rather than pure financial gain.
What’s Next for Nobitex Users
Nobitex’s future is now dependent on trust and transparency. Their promise to cover losses and do an internal review is encouraging, however, the upcoming release of the source code and internal data, may reveal more weakness in the systems.
Iranian authorities are already limiting user access to the Internet as a blanket response to cyber strikes, making their investigation and recovery response even harder to quickly. For users this will mean waiting with tension for refunds and credibility restoration.
Final Word
What began as a theft has become a symbolic digital strike. Using vanity addresses, a high-value seizure, and looming data leaks, Predatory Sparrow has sent a crisp geopolitical message across the blockchain.
This incident underscores how centralized exchanges face greater risk in geopolitical conflict zones—and shows that cryptocurrency infrastructure itself is now a contested battlefield.
