Breaking Down the Nobitex Hack: Timeline, Impact, and Key Takeaways

Nobitex’s Role in Iran’s Crypto Ecosystem

Founded in 2017 by CEO Amirhosein Rad, Nobitex has grown into Iran’s largest cryptocurrency exchange. It serves as a critical hub for Iranian crypto users, handling the majority of the country’s digital asset trading activity. Nobitex claimed to process 70% of all Iranian crypto transactions by 2021 and reportedly serves millions of users (with over 7 million registered, according to recent reports). The platform operates under strict U.S. sanctions on Iran, and its mission is to enable Iranians to access global crypto markets “despite the shadow of sanctions”. It has effectively become a “safe bridge” for ~3.5 million Iranians (by early 2022) into crypto finance.

According to the data, Nobitex’s inflows top $11 billion, exceeding the next ten Iranian exchanges combined, making it indispensable for Iranians locked out of traditional banking. Nobitex’s prominence has also drawn scrutiny due to links with illicit actors. Past blockchain analyses show Nobitex accounts transacting with wallets tied to Iran’s Revolutionary Guard (IRGC), militant groups like Hamas and Yemen’s Houthis, and even sanctioned Russian exchanges.

In sum, Nobitex isn’t just another local exchange. It is a linchpin of Iran’s crypto economy, providing a lifeline to global markets for users otherwise cut off by sanctions.

Chronology of the Nobitex Hack (June 2025)

June 17, 2025 (Tuesday): A hacking group calling itself Gonjeshke Darande (Persian for “Predatory Sparrow”) announced a cyberattack on Iran’s Bank Sepah, a state-owned bank. The group claimed to have destroyed Bank Sepah’s data, accusing the bank of financing Iran’s military. This was the first of a string of attacks amid surging Israel-Iran hostilities.

June 18, 2025 (Wednesday) – Early Morning: Attack on Nobitex. In the pre-dawn hours, unauthorized transactions began moving large sums of cryptocurrency out of Nobitex’s hot wallets. Around $90–100 million worth of various crypto assets (including Bitcoin, Ether, Dogecoin, XRP, Solana, Tron, and others) were siphoned to attacker-controlled addresses. 

June 18, 2025 – Morning: Hackers Claim Responsibility. Gonjeshke Darande publicly claimed responsibility for the Nobitex hack via its social media (X) channels. In a defiant post, the group accused Nobitex of aiding the Iranian regime’s sanction evasion and terrorist financing, calling the exchange “the regime’s favorite sanctions violation tool”. 

Source: Gonjeshke Darande

The hackers taunted that “8 burn addresses burned $90M from the wallets of Nobitex”, and threatened that within 12 hours, they would make Nobitex’s entire source code public. They accompanied this claim with a list of some stolen-fund wallet addresses (across Bitcoin, Tron, Dogecoin, Ethereum, Solana, Harmony, Ripple, etc.), each containing derogatory “FuckIRGCTerrorists” strings as a provocation. This coordinated messaging underscored the politically motivated nature of the attack, coming amid escalating military clashes between Israel and Iran.

This visual map, built with AMLBot Tracer, illustrates how over $90M in crypto assets were siphoned from Nobitex wallets and funneled into irretrievable vanity addresses across multiple blockchains.

AMLBot Tracer Visual Map

June 18, 2025, Late Morning: Nobitex Discloses the Breach. By midday, Nobitex officials confirmed that the exchange had suffered a severe security incident. The platform’s website and mobile app went offline as a precaution. 

Source: Nobitex X

Nobitex announced via its official X account that it had detected “unauthorized access” to its systems, specifically to some of its hot wallets (the online wallets used for day-to-day liquidity). All external access to servers was severed while the team investigated. Nobitex emphasized that funds in cold storage remained “completely secure” and only a hot wallet subset was affected. Nobitex fully accepted responsibility for the breach and pledged that “all losses will be compensated” using its insurance fund and own reserves.

June 18, 2025, Afternoon/Evening: Forensic Analysis Emerges. Cybersecurity and blockchain analytics firms began publishing early findings. 

By effectively burning the money, the attackers inflicted economic damage on Nobitex/Iran instead of enriching themselves. Late on the 18th, Iran’s internet connectivity plunged – network traffic was 98% below normal levels, indicating a near-total internet blackout across the country. 

June 19, 2025 (Thursday): Source Code Leak and Continued Fallout. Roughly a day after the breach, Predatory Sparrow made good on its threat: the group dumped Nobitex’s entire source code and internal files online. 

“Time’s up – full source code linked below. Assets left in Nobitex are now entirely out in the open,” the hackers announced via an X post, sharing a repository of the exchange’s codebase. 

Source: Gonjeshke Darande on X

The leaked data reportedly included Nobitex’s backend code, server lists, configuration details, and other sensitive internal documentation. This escalation meant that any remaining operational secrets of Nobitex were exposed, potentially putting any unrecovered user assets at further risk. 

In its communications on the 19th, Nobitex reiterated that no additional losses had occurred after the initial hack and that its “Reserve Fund” (insurance) would cover all assets lost. The team began migrating all remaining hot wallet funds into new cold storage addresses as an extra precaution against further exploits. By the end of June 19, Nobitex’s platform remained offline, with users anxiously awaiting a promised video statement from CEO Amirhosein Rad outlining the exchange’s recovery roadmap.

June 20, 2025: Ongoing Recovery and Investigations. As of June 20, Nobitex and Iranian authorities were still grappling with the fallout. Users’ access to the platform remained suspended, although Nobitex insists all customer funds will be made whole from its reserves. The Iranian cyber police and central bank are reportedly investigating the incident, though no public, detailed findings have been released yet. The Nobitex hack is one of Iran's most significant crypto exchange breaches, not only for the ~$90–100 million in losses, but for its destructive rather than profit-driven nature.

According to forensic reports, the attackers gained deep access to Nobitex’s internal systems, specifically the infrastructure managing its hot wallets. Nobitex confirmed that the breach was limited to hot wallets (which hold readily accessible funds for quick withdrawals/trades), while the cold wallets (offline vaults) were untouched.

How the Hack Happened (Technically) 

The hack essentially exploited Nobitex’s internal network, likely via stolen employee credentials. Cybersecurity firm Hudson Rock revealed that two critical Nobitex IT employees had been compromised by infostealer malware months before the attack.

In data from infostealer logs, researchers found credentials and session cookies for Nobitex’s internal admin systems, email server, test networks, and project management portals. The hot wallets were drained of all liquid funds on the morning of June 18.

One of the most symbolically charged elements of the hack was the attackers’ use of wallet addresses containing direct political messages, most notably phrases like FuckIRGCTerrorists. These addresses, which received tens of millions of dollars in stolen crypto, were widely described as vanity addresses, supposedly generated via brute-force methods to embed long, custom text strings directly into the address.

At first glance, that sounds like a technically advanced feat, the kind that would require not just deep cryptographic knowledge but also access to supercomputers or large-scale distributed computing power. In practice, generating a truly functional vanity address with a complex string like FuckIRGCTerrorists is nearly impossible. It would take thousands of hours of brute-force computation, large GPU clusters or mining farms, or hundreds of thousands of dollars in hardware and energy costs.

And that’s just for one address. The Nobitex hack involved multiple such addresses across different blockchains, making the brute-force theory even less plausible. What likely happened instead aligns with a known pattern in symbolic crypto “burn” attacks: the attackers created addresses that only looked real. They were syntactically valid, correctly formatted, and carried emotionally loaded messages, but had no private keys behind them. In other words: nobody, not even the hackers, can access those funds.

In blockchains like Ethereum or Tron, it’s relatively easy to script such addresses. In Bitcoin, the format includes checksums and specific encoding (like base58), but attackers can use partial injection techniques to make a phrase appear as if it's part of the address, even if it’s technically invalid or unreachable. These are sometimes called pseudo-burn addresses. They aren’t tied to any wallet or user. They simply exist on-chain as black holes, absorbing value that’s gone forever.
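
An analyst-side check for the distinction drawn above, added here as an example and not taken from AMLBot or the original article: it verifies an address's Base58Check checksum and estimates whether the readable text in it could have come from key search. The two valid sample addresses are well-known public Bitcoin addresses, not addresses from this incident, and the search rate and feasibility threshold are assumptions.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SECONDS_PER_YEAR = 365 * 24 * 3600

def b58check_decode(addr):
    """Return (version, payload) if the Base58Check checksum verifies, else None."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))   # each leading '1' encodes a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return None
    body, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != check:
        return None
    return body[0], body[1:]

def years_to_bruteforce(text, keys_per_sec):
    """Expected years of key search to hit `text` as an exact, case-sensitive
    prefix (approximation: each position is one of 58 equally likely symbols)."""
    return 58 ** len(text) / keys_per_sec / SECONDS_PER_YEAR

def assess(addr, embedded_text, keys_per_sec=1e9, feasible_years=10):
    """embedded_text is the readable phrase the analyst sees in the address.
    keys_per_sec and feasible_years are assumed thresholds, not measured values."""
    if b58check_decode(addr) is None:
        return "invalid checksum"
    if embedded_text and years_to_bruteforce(embedded_text, keys_per_sec) > feasible_years:
        return "valid, text too long for key search: treat as key-less burn"
    return "valid, a private key may exist"

# Two well-known public Bitcoin addresses plus one constructed (altered) string.
SAMPLES = [
    ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", ""),                       # genesis block
    ("1BitcoinEaterAddressDontSendf59kuE", "BitcoinEaterAddressDontSend"),
    ("1BitcoinEaterAddressDontSendf59kuF", "BitcoinEaterAddressDontSend"),  # constructed typo
]

if __name__ == "__main__":
    for addr, text in SAMPLES:
        print(addr, "->", assess(addr, text))
```

A passing checksum only shows the string is well formed; the work estimate is what separates a brute-forced vanity address from one with no key behind it.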

This distinction matters. The $90 million burned in the Nobitex hack wasn't the result of cryptographic heroics; it was a scripted operation, performed quickly, with one purpose: to make a statement.

“The message wasn’t hidden in the transaction. It was the transaction. When an address becomes a weapon of narrative, you know this is no longer just about crypto. It’s infrastructure warfare.”  — Anmol Jain, VP of Investigations, AMLBot

Market Impact 

In the immediate aftermath, the hack contributed to market jitters in Iran’s crypto scene. Iran’s other exchanges (like Wallex and Excoino) saw a drop in liquidity and temporarily halted Tether-to-rial trading pairs during the crisis, likely on government orders. 

The global crypto market also reacted to the flaring Israel-Iran conflict: between June 12–15, overall crypto market sentiment dipped and Bitcoin’s price briefly pulled back ~4–6%, erasing $200B in value, before stabilizing. While this market move can’t be pinned solely on the Nobitex hack, the incident was part of a climate of uncertainty. Crypto market observers pointed out that, similar to early-2022 during the Russia-Ukraine war, Bitcoin initially slid on war news but then recovered as investors adjusted to the risks.

By late June, Bitcoin remained relatively stable around the $100K mark even as tensions persisted, suggesting the Nobitex hack did not have long-term price impact beyond Iran’s borders. However, for Iran’s crypto ecosystem, the hack’s impact is significant – if Nobitex’s outage were prolonged or confidence in its security shattered, Iranian users could lose a critical avenue for financial transactions under sanctions. Competitor exchanges in Iran are much smaller, and experts note they would struggle to absorb Nobitex’s volume if it fails. This is why the Iranian government is keen to get Nobitex functioning again and why Nobitex has promised to “come back stronger” with upgraded defenses.


At AMLBot, we remain committed to tracking the aftermath of the Nobitex hack and its broader impact on the crypto ecosystem, sanctions compliance, and regional financial stability. Our team continues to update risk profiles, monitor newly linked addresses, and analyze developments across multiple blockchains and jurisdictions. As the situation evolves, we’ll ensure our clients stay informed and protected.