
Iran’s Nobitex Hit by Major Cyberattack Linked to Israeli Group

  • Hackers stole over $81 million from Nobitex on June 18, using custom wallet addresses.
  • The attack was linked to Predatory Sparrow, a group with a history of cyberattacks against Iranian targets.
  • Nobitex said cold wallets are safe, and all hot wallet losses will be fully compensated.

Iran’s largest crypto exchange, Nobitex, suffered a massive breach on June 18, losing over $81.7 million in digital assets as geopolitical tensions flare between Iran and Israel. Blockchain security firm Onchain Labs confirmed the incident, linking the hack to Gonjeshke Darande, a known hacker group. Most of the stolen funds were USDT, withdrawn via Ethereum Virtual Machine (EVM)-compatible blockchains and the Tron network. Cold wallets are safe, and the platform vows full user reimbursement.

How Did the Hack Happen?

Blockchain investigator ZachXBT reported that attackers exploited Nobitex using “vanity addresses.” These are wallet addresses containing custom text chosen by users. The first known wallet used was “TKFuckiRGCTerroristsNoBiTEXy2r7mNX,” draining $49 million. Another address used was “0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead,” according to Tronscan.

Suspicious outflows were flagged from several Nobitex-associated wallets. Cyvers and Arkham Analytics confirmed that the attack targeted hot wallets. Arkham’s data showed Nobitex’s wallet value dropped sharply from $1.8 billion on June 16 to $97 million on June 18. However, Hakan Unal, senior security operations lead at Cyvers, explained that Nobitex often migrates hot wallets, so these figures may not show the full damage.

Who Is Behind It?

Gonjeshke Darande, also known as Predatory Sparrow, claimed responsibility for the breach. The group is linked to Israel and has a history of cyberattacks on Iranian infrastructure. Previously, it disabled 70% of the nation’s gas stations and hit Bank Sepah, a bank connected to Iran’s military.

According to the group, Iran has increasingly used exchanges like Nobitex to bypass Western sanctions tied to its nuclear and military activities. Nobitex is among the few platforms approved by Iran’s central bank to operate within the country.

Shortly after the incident, Nobitex shut down both its app and website. The company then confirmed that unauthorized access had affected a portion of its hot wallets.


What Comes Next for Nobitex?

Nobitex assured users in an X post that all customer funds remain safe in cold storage. The platform promised to cover all hot wallet losses through its insurance fund and company reserves. “All damages will be compensated through the insurance fund and Nobitex resources,” the firm stated.

Additionally, Cyvers said the stolen funds remain unmoved and unconverted. “Our system has detected multiple suspicious transactions across several networks,” Cyvers noted, urging continued monitoring.

With Israel launching its largest attack on Iran since the 1980s earlier this week, this cyber event adds another front to an already volatile conflict. Could cyberwarfare now become a new battleground between nation-states?
