Iranian Exchange Nobitex Suffers $90 Million Loss in Coordinated Crypto Hack

On June 18, 2025, Nobitex, Iran's largest cryptocurrency exchange, suffered a major cyberattack, losing over $80-90 million USD worth of digital assets. The exploit affected multiple blockchain networks, including Tron, Bitcoin, Ethereum, Solana (SOL), and several other prominent networks. Responsibility for this incident was claimed by Gonjeshke Darande, an Israel-linked hacker group. Blockscope’s analysis revealed that the stolen assets were deposited into uniquely crafted vanity addresses, which appear to function as burner addresses, making all the stolen assets inaccessible to anyone.

This cyberattack is particularly notable due to its timing, coinciding with rising geopolitical tensions in the Middle East. Unlike typical financial cyber incidents, the primary motivation behind this attack seems distinctly political, marking a significant shift in the nature and intent of blockchain-based cyber operations.

Gonjeshke Darande taking responsibiltiy of Notibex hack

About Nobitex

Nobitex has established itself as a central cryptocurrency platform within Iran, serving over 11 million users and holding substantial assets across diverse digital currencies. Despite its prominence, Nobitex has faced scrutiny for allegations involving sanction evasion and the facilitation of transactions potentially linked to sanctioned entities. Following the hack, Nobitex confirmed unauthorized access to its hot wallets but reassured users that its cold storage holdings remain secure, promising full compensation from its insurance fund.

Nobitex’s Immediate Response

About Gonjeshke Darande

The hacker group Gonjeshke Darande, aka Predatory Sparrow, a pro-Israel hacker group, has claimed responsibility for several high-profile cyber operations targeting Iranian institutions and infrastructure. Notably, just on June 17, they reportedly disrupted Iranian Bank Sepah’s operations, destroying sensitive data. In the case of Nobitex, the group threatened to publicly release internal exchange codes, potentially placing remaining assets and infrastructure at risk.

Bank of Sepah's disruption's responsibiltiy being taken by Gonjeshke Darande

Blockscope's Analysis and Insights

In this attack, Blockscope observed the unusual use of vanity blockchain addresses, explicitly containing derogatory phrases aimed at the Islamic Revolutionary Guard Corps (IRGC), an entity designated as a terrorist organization by various jurisdictions, including the United States, Canada, the United Kingdom, and the European Union.

There were a total of 8 vanity addresses involved in this whole incident, which have successfully burned around $90 M worth of assets. The addresses found so far are:

  • TKFuckiRGCTerroristsNoBiTEXy2r7mNX (Tron)

  • 1FuckiRGCTerroristsNoBiTEXXXaAovLX (Bitcoin)

  • 0xffffffffffffffffffffffffffffffffffffdead (Ethereum and Layer-2s)

  • FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX (Solana)

  • rFuckiRGCTerroristsNoBiTEXypBrmUM (Ripple)

  • DFuckiRGCTerroristsNoBiTEXXXWLW65t (Dogecoin)

  • UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT (TON)

  • one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u (Harmony)

These addresses, most probably created through computational brute force, lack associated private keys, meaning the stolen funds sent to these addresses are essentially irretrievable, effectively "burning" the tokens.

Blockscope's analysis indicates that this cyberattack started around 2:30 AM UTC, which started on Tron and then spanned over a dozen blockchain networks, notably:

  • Tron: ~$49.45 million

  • Ethereum: ~$24.28 million (Including Arbitrum, Polygon and Avalanche)

  • Bitcoin: ~$1.9 million

  • Significant additional losses occurred on Solana, XRP, DOGE, TON, Harmony, and Ethereum Classic networks.

Using Blockscope's proprietary Tracer tools, we were able to meticulously track and analyze fund movements across these chains.

Blockscope’s Tracer tool visualizes multiple exploiter addresses draining funds from Nobitex.

The explicit use of vanity addresses underscores the non-financial motivation behind the attack, emphasizing a symbolic political statement rather than theft for profit, as all the addresses hold their funds. This reinforces the perception of the Nobitex hack as an act of geopolitical cyber aggression.

Tron exploiter address currently holds $49.45 million in USDT.

Links to Sanctioned Entities

Blockscope’s enriched on-chain data analysis also revealed historical interactions between Nobitex and several sanctioned entities, including organizations such as Hamas and Iranian nationals such as Ahmad Khatibi Aghada and Amir Hossein Niakeen Ravari. Both individuals are subject to secondary sanctions by the U.S. Office of Foreign Assets Control (OFAC) for their involvement in cyber-related activities and ransomware distribution.

Blockscope’s Tracer tool reveals Notibex exchange activity linked to sanctioned entities.

Post-Incident Developments

Nobitex has issued multiple announcements on X (formerly Twitter), providing timely updates to users in the wake of the incident. The exchange confirmed that the vast majority of user assets remain secure, as they were held in cold storage, unaffected by the breach.

Nobitex Takes Responsibility and Reassures Users

In a further escalation, the hacker group Gonjeshke Darande publicly released what they allege to be Nobitex’s source code and internal infrastructure documents. The materials were shared through their official X account in a thread consisting of eight posts.

Recent post from Gonjeshke Darande

Something to give a thought

While the stolen assets were transferred to unrecoverable vanity addresses—effectively burning the funds, over $50 million of the stolen value is in the form of USDT stablecoins. Although these tokens are now inaccessible, the fiat reserves backing them remain intact. This raises important questions about how Tether, the issuer of USDT, will respond in such a unique and politically sensitive scenario.

How Blockscope Can Help

Blockscope has been proactively monitoring the exploiter addresses associated with the Nobitex incident and continues to monitor for any new activity in the crypto ecosystem. Our data-enriched analytics platform offers advanced on-chain forensics, real-time monitoring, and robust compliance tooling. With millions of labeled entities and a powerful attribution engine, Blockscope enables businesses and exchanges to uphold stringent compliance standards while helping law enforcement and investigative teams trace illicit flows with speed and precision.

This incident underscores the growing need for proactive threat intelligence and compliance in the crypto ecosystem—capabilities that are central to Blockscope’s mission.

Written by: Tushar Tiwari, Forensics Analyst @ Blockscope

For more information, please reach out to us at [email protected]

Disclaimer: Best Effort Report

This article and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:

  • The data used in this article may contain inaccuracies, omissions, or errors.

  • Information sources may be incomplete or subject to change.

  • New evidence may emerge that could alter the conclusions.

  • Analysis and interpretations are based on current understanding and may evolve.

We have made every reasonable attempt to ensure accuracy, but we cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.

Last updated