On June 18, 2025, Nobitex, Iran’s largest cryptocurrency exchange, was targeted in a cyberattack resulting in the theft of a significant amount of digital assets.

While initial reports, including one cited by ZachXBT, estimated the stolen amount to be around $73 million, further analysis by blockchain intelligence firms like Elliptic and TRM Labs indicates the figure is closer to $90 million, with some sources even citing over $100 million.

The attack was claimed by a pro-Israel hacking group known as Gonjeshke Darande, also referred to as “Predatory Sparrow.” This group has a history of targeting Iranian infrastructure and had previously claimed responsibility for an attack on Bank Sepah, an Iranian state-owned bank. These cyberattacks are occurring amidst escalating tensions between Israel and Iran.

Nobitex, Iran’s largest cryptocurrency exchange, reportedly with over 7 million users. Nobitex has been linked to the Islamic Revolutionary Guard Corps (IRGC) and Iranian government figures, and has been identified by firms like Elliptic as being used by sanctioned IRGC operatives and organizations like Hamas, Palestinian Islamic Jihad, and the Houthis.

Gonjeshke Darande (Predatory Sparrow), a hacking group with reported links to Israel, stole approximately $90 million (some reports vary from $73 million to over $100 million) across multiple blockchains, including TRON, Ethereum, and Bitcoin.

The exploit began around 6:00 AM Iran Standard Time. The attackers utilized “vanity blockchain addresses” to route the stolen funds. These vanity addresses were uniquely crafted to contain anti-IRGC messaging, such as “F\ckIRGCterrorists” within their public keys. This sophisticated method of creating such long vanity addresses through brute force is computationally infeasible.

Blockchain analysis firms like Elliptic to conclude that the hackers may not possess the private keys to these wallets, effectively “burning” or rendering the funds inaccessible. This suggests the hack was primarily geopolitically motivated rather than financially driven.

The use of anti-IRGC vanity addresses strongly indicates a political message aimed at weakening Iran amidst the ongoing conflict. The hack disrupted Nobitex’s services, with its website becoming inaccessible.

Nobitex’s alleged role in helping Iran evade sanctions and finance geopolitical strategies likely made it a strategic target. The incident highlights how crypto exchanges are becoming strategic tools and targets in modern geopolitical conflicts.

Following the attacks, Iran has reportedly curbed internet access, which officials described as a measure to “maintain network stability” against alleged Israeli cyberattacks. As of now, the stolen funds have reportedly not moved from the original vanity wallets associated with the hack, reinforcing the theory of a non-financially motivated attack.