{"id":3577,"date":"2025-06-20T17:12:35","date_gmt":"2025-06-20T17:12:35","guid":{"rendered":"https:\/\/bitunikey.com\/news\/the-full-story-behind-the-90-million-nobitex-hack-that-shattered-irans-crypto-illusion\/"},"modified":"2025-06-20T17:12:37","modified_gmt":"2025-06-20T17:12:37","slug":"the-full-story-behind-the-90-million-nobitex-hack-that-shattered-irans-crypto-illusion","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/the-full-story-behind-the-90-million-nobitex-hack-that-shattered-irans-crypto-illusion\/","title":{"rendered":"The full story behind the $90 million Nobitex hack that shattered Iran\u2019s crypto illusion"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">How did Nobitex go from Iran\u2019s crypto lifeline to the center of a geopolitical breach, and what\u2019s next for users trapped between war and decentralization?<\/p>\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\">\n<p>Table of Contents<\/p>\n<nav>\n<ul>\n<li><a rel=\"nofollow\" target=\"_blank\" href=\"#nobitex-breach-marks-new-chapter-in-cyber-risk\">Nobitex breach marks new chapter in cyber risk<\/a><\/li>\n<li><a rel=\"nofollow\" target=\"_blank\" href=\"#new-crypto-curfew-reflects-crisis-mood\">New crypto curfew reflects crisis mood<\/a><\/li>\n<li><a rel=\"nofollow\" target=\"_blank\" href=\"#blockchain-forensics-reveal-troubling-patterns\">Blockchain forensics reveal troubling patterns<\/a><\/li>\n<li><a rel=\"nofollow\" target=\"_blank\" href=\"#is-iran-going-to-attack-the-u-s\">Is Iran going to attack the U.S.?<\/a><\/li>\n<li><a rel=\"nofollow\" target=\"_blank\" href=\"#experts-chime-in\">Experts chime in<\/a><\/li>\n<\/ul>\n<\/nav>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"nobitex-breach-marks-new-chapter-in-cyber-risk\">Nobitex breach marks new chapter in cyber risk<\/h2>\n<p>In the early hours of Jun. 18, Iran\u2019s largest crypto exchange, Nobitex, suffered a coordinated cyberattack that resulted in one of the most severe digital asset breaches in the country\u2019s history.<\/p>\n<p>The incident was confirmed by Nobitex\u2019s technical team and involved the compromise of multiple hot wallets. A wide range of assets was affected, including Bitcoin (BTC), Ethereum (ETH), Dogecoin (DOGE), Tether (USDT), Ripple (XRP), Solana (SOL), Tron (TRX), and Toncoin (TON).<\/p>\n<p>Estimates of the stolen funds vary. TRM Labs, Chainalysis, and Elliptic each placed the losses near $90 million, while independent analyst ZachXBT calculated at least $81.7 million lost across Ethereum and Tron-compatible networks.<\/p>\n<p>The breach was first identified after Nobitex detected unauthorized access to its internal reporting infrastructure, triggering an emergency response that led to the suspension of both its website and mobile application.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Official Statement<br \/>Nobitex Security Incident \u2014 June 18, 2025<\/p>\n<p>Earlier today, June 18, Nobitex identified unauthorized access to parts of its infrastructure, specifically affecting our internal communication systems and a portion of our hot wallet.<\/p>\n<p>Immediately upon detection, all\u2026<\/p>\n<p>\u2014 Nobitex | \u0646\u0648\u0628\u06cc\u062a\u06a9\u0633 (@nobitexmarket) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/nobitexmarket\/status\/1935244739575480472?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">June 18, 2025<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>Cyvers researcher Hakan Unal noted that the breach stemmed from a failure in segregating wallet credentials, which should have remained isolated from the systems that were compromised.<\/p>\n<p>However, unlike typical crypto hacks where funds are laundered for profit, the Nobitex case showed a different intent.\u00a0<\/p>\n<p>The stolen crypto was transferred to vanity addresses with politically charged labels, such as TKFuckiRGCTerroristsNoBiTEXy2r7mNX on Tron and 0xffFFfFFffFFffFfFffFFfFfFFFFDead on Ethereum, both computationally impossible to access, rendering the funds effectively \u201cburned.\u201d<\/p>\n<p>Shortly after the incident, the pro-Israel hacker group Gonjeshke Darande, also known as Predatory Sparrow, claimed responsibility via a post on X.\u00a0<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">After the IRGC\u2019s \u201cBank Sepah\u201d comes the turn of Nobitex<br \/>WARNING!<\/p>\n<p>In 24 hours, we will release Nobitex&#8217;s source code and internal information from their internal network.<br \/>Any assets that remain there after that point will be at risk!<\/p>\n<p>The Nobitex exchange is at the heart of the\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/GFyBCPCFIE\" target=\"_blank\">pic.twitter.com\/GFyBCPCFIE<\/a><\/p>\n<p>\u2014 Gonjeshke Darande (@GonjeshkeDarand) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/GonjeshkeDarand\/status\/1935231018937536681?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">June 18, 2025<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>The group, previously linked to Israeli interests by Reuters and The Times of Israel, though without official confirmation, threatened to release Nobitex\u2019s source code and internal data within 24 hours unless users withdrew funds, warning that remaining assets were at risk.\u00a0<\/p>\n<p>On Jun. 19, the group acted on the threat. In another X post, Predatory Sparrow shared what they claimed to be the full source code of Nobitex. The post read, \u201cTime\u2019s up \u2014 full source code linked below. ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.\u201d<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"und\" dir=\"ltr\">Time&#8217;s up \u2013 full source code linked below.<\/p>\n<p>ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.<br \/>\u0628\u0627\u0632\u0645\u0627\u0646\u062f\u0647 \u062f\u0627\u0631\u0627\u06cc\u06cc \u0647\u0627\u06cc \u0634\u0645\u0627 \u062f\u0631 \u0646\u0648\u0628\u06cc\u062a\u06a9\u0633 \u0647\u0645 \u0627\u06a9\u0646\u0648\u0646 \u062f\u0631 \u0645\u0639\u0631\u0636 \u062f\u06cc\u062f \u0648 \u062e\u0637\u0631 \u0647\u0633\u062a\u0646\u062f<\/p>\n<p>But before that, lets meet Nobitex from the inside:<\/p>\n<p>Exchange Deployment (1\/8) <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/jiMfBpNXwd\" target=\"_blank\">pic.twitter.com\/jiMfBpNXwd<\/a><\/p>\n<p>\u2014 Gonjeshke Darande (@GonjeshkeDarand) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/GonjeshkeDarand\/status\/1935593397156270534?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">June 19, 2025<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>An eight-part thread followed, revealing confidential technical documentation, including server configurations, privacy tools, deployment procedures, and backend infrastructure.<\/p>\n<p>The Nobitex attack came just one day after a similar breach by the same group. On Jun. 17, Predatory Sparrow targeted Iran\u2019s state-owned Bank Sepah, disrupting ATM services nationwide.<\/p>\n<p>Together, the incidents suggest that the Nobitex breach may form part of a broader cyber campaign linked to escalating tensions. The attack followed Israeli military strikes on Iran, launched on Jun. 13 amid growing concerns over Iran\u2019s nuclear program.<\/p>\n<h2 class=\"wp-block-heading\" id=\"new-crypto-curfew-reflects-crisis-mood\">New crypto curfew reflects crisis mood<\/h2>\n<p>Following the Nobitex breach, Iranian authorities moved swiftly to tighten oversight of the country\u2019s digital asset infrastructure.<\/p>\n<p>On Jun. 19, the Central Bank of Iran imposed a curfew limiting operating hours for all domestic crypto exchanges to between 10 AM and 8 PM daily.\u00a0<\/p>\n<p>The measure coincided with rising military tensions between Iran and Israel. As of Jun. 18, official reports listed 224 deaths in Iran and 24 in Israel following a series of missile strikes. Actual figures may be significantly higher.<\/p>\n<p>Analysts at Chainalysis noted that the curfew may also be intended to limit capital flight and increase financial surveillance during the crisis.\u00a0<\/p>\n<p>Meanwhile, in direct response to the hack, Nobitex activated emergency protocols to secure remaining reserves. Large amounts of Bitcoin were moved into new cold storage wallets, a step confirmed by Chainalysis as part of the platform\u2019s containment strategy.<\/p>\n<p>The exchange issued a public statement assuring users that the majority of customer assets held in cold wallets remained secure. Nobitex also pledged to use its reserve and insurance fund to fully reimburse affected clients.<\/p>\n<p>Despite these reassurances, user access to Nobitex would remain suspended in the upcoming days. Users have expressed growing anxiety over frozen funds, limited access, and broader trust issues.<\/p>\n<p>The situation was further complicated by a nationwide internet blackout. Data from Cloudflare showed a 90% decline in traffic volumes compared to the previous week.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/Internet?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">#Internet<\/a> connectivity has once again become unavailable across <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/Iran?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">#Iran<\/a>, with traffic down ~90% after initially falling at 12:50 UTC (16:20 local time).<a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/9mmRkVO86Y\" target=\"_blank\">https:\/\/t.co\/9mmRkVO86Y<\/a> <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/orqqmu0hhN\" target=\"_blank\">pic.twitter.com\/orqqmu0hhN<\/a><\/p>\n<p>\u2014 Cloudflare Radar (@CloudflareRadar) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/CloudflareRadar\/status\/1935331383817253191?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">June 18, 2025<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>No official link has been established between the cyberattack and the internet outage. However, the disruption severely impacted civilian access to online services, including financial platforms, messaging apps, and news portals.<\/p>\n<h2 class=\"wp-block-heading\" id=\"blockchain-forensics-reveal-troubling-patterns\">Blockchain forensics reveal troubling patterns<\/h2>\n<p>In a country facing international sanctions, limited access to global banking, and persistent currency devaluation, Nobitex has emerged as a critical financial gateway for Iranians.\u00a0<\/p>\n<p>Founded in 2017, the platform has grown into the most dominant player in Iran\u2019s crypto market. The platform has over 7 million registered users and accounts for the majority of the country\u2019s digital asset activity.<\/p>\n<p>According to Chainalysis, Nobitex has <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.chainalysis.com\/blog\/nobitex-iranian-exchange-exploit-june-2025\/\" target=\"_blank\" rel=\"nofollow\">received<\/a> more than $11 billion in total inflows, exceeding the combined total of Iran\u2019s next ten largest exchanges.<\/p>\n<figure class=\"wp-block-image\"><figcaption class=\"wp-element-caption\">Total inflows of Iranian crypto exchanges | Source: Chainalysis<\/figcaption><\/figure>\n<p>Nobitex enables users to trade crypto assets using Iranian Rials, offering a way to store value, participate in global markets, and sidestep the limitations of Iran\u2019s restricted financial infrastructure.<\/p>\n<p>While Nobitex has served an important role for civilians grappling with economic uncertainty, it has been accused of facilitating not only everyday transactions but also financial activity linked to the Iranian state.<\/p>\n<p>Following the June 2025 breach, hacker group Predatory Sparrow claimed Nobitex was targeted for allegedly aiding the Iranian government in evading sanctions and funding illicit operations.<\/p>\n<p>Blockchain analytics firms including Elliptic and Chainalysis have traced the platform\u2019s activity to individuals and groups under U.S. sanctions.\u00a0<\/p>\n<p>Among them are Ahmad Khatibi Aghada and Amir Hossein Niakeen Ravari, both designated by the U.S. Office of Foreign Assets Control in 2022 for their involvement in ransomware operations.<\/p>\n<p>Further blockchain analysis has linked wallets on Nobitex to groups such as Hamas, Palestinian Islamic Jihad, the Houthis, and accounts promoting al-Qaeda-affiliated content.<\/p>\n<p>U.S. lawmakers have <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.warren.senate.gov\/imo\/media\/doc\/2024.05.01%20Letter%20to%20Treasury,%20White%20House,%20DoD%20on%20Iran%20Cryptomining.pdf\" target=\"_blank\" rel=\"nofollow\">raised<\/a> repeated concerns over Nobitex\u2019s role in potential sanctions evasion. In May 2024, Senators Elizabeth Warren and Angus King sent a letter referencing a Reuters investigation from 2022 that uncovered nearly $8 billion in transactions between Nobitex and Binance between 2018 and 2022.\u00a0<\/p>\n<p>The letter questioned whether such flows might reflect systemic gaps in global enforcement.<\/p>\n<p>Nobitex\u2019s internal policies have also drawn attention. Public reports indicate the platform previously issued user guidance on bypassing financial restrictions, prompting concern from regulatory authorities and international watchdogs.<\/p>\n<p>Predatory Sparrow has gone so far as to claim that employment at Nobitex is considered equivalent to military service within Iran, due to the platform\u2019s perceived strategic value to the regime\u2019s financial operations.<\/p>\n<h2 class=\"wp-block-heading\" id=\"is-iran-going-to-attack-the-u-s\">Is Iran going to attack the U.S.?<\/h2>\n<p>As tensions between Iran and Israel escalate, prediction markets have seen a rise in activity focused on conflict-related outcomes.<\/p>\n<p>On Polymarket, users are <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/polymarket.com\/\" target=\"_blank\" rel=\"nofollow\">trading<\/a> on the likelihood of various geopolitical events, including military actions, cyberattacks, leadership changes, and diplomatic negotiations.\u00a0<\/p>\n<p>The combined volume across these contracts now exceeds $70 million, offering a glimpse into how speculative behavior continues even in high-risk, politically sensitive contexts.<\/p>\n<p>One of the most active markets centers on the possibility of U.S. military action against Iran before July. The contract has recorded more than $19 million in volume, with current odds reflecting a 45% probability.<\/p>\n<p>A related contract measuring the likelihood of a major cyberattack on Iran during June has surged to 95%. The shift follows recent breaches at Nobitex and Bank Sepah, reinforcing expectations of ongoing digital escalation.<\/p>\n<p>Markets predicting Israeli airstrikes on Iran within specific June timeframes are also heavily traded. The contract for a strike on June 20 is priced at 99%, while neighboring dates hover just below that threshold.<\/p>\n<p>Leadership-related scenarios have drawn increased attention as well. A contract forecasting that Iran\u2019s Supreme Leader Ayatollah Khamenei will leave office before July is trading at 60% probability, with over $2 million in trade volume.<\/p>\n<p>Contracts covering broader regime change, direct invasions by the U.S. or Israel, or formal declarations of war remain priced far lower, with probabilities ranging from 1% to 5%.<\/p>\n<p>At the same time, markets are also speculating on diplomatic outcomes. Scenarios involving a U.S.-Iran nuclear deal or resumed negotiations are currently priced between 15% and 40%, reflecting uncertainty about the possibility of de-escalation in the near term.<\/p>\n<h2 class=\"wp-block-heading\" id=\"experts-chime-in\">Experts chime in<\/h2>\n<p>crypto.news spoke with Yehor Rudytsia and Oleksii Haponiuk from Hacken to explore how the Nobitex breach challenges traditional assumptions about crypto hacks in today\u2019s geopolitical environment.<\/p>\n<p>What set the incident apart was not just the scale of the breach but the fact that the stolen funds were deliberately burned. There was no attempt to launder, convert, or profit from the assets.\u00a0<\/p>\n<p>According to Rudytsia, that detail represents a monumental change in how threats to exchanges should be interpreted.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cWeb3 projects, especially centralized exchanges, are no longer just targets for financial theft. They can also become instruments for politically motivated cyberattacks. The Nobitex case shows that attackers may act with the intent to disrupt rather than gain.\u201d<\/p>\n<\/blockquote>\n<p>He stressed that centralized exchanges remain the primary access point for millions of users. A successful breach has consequences that can cascade through the broader ecosystem, affecting not just the platform but the public\u2019s confidence in crypto infrastructure.<\/p>\n<p>\u201cWe need to move past the idea that decentralization alone is the answer. Most users still rely on centralized exchanges, and securing them remains essential for web3 adoption.\u201d<\/p>\n<p>The attack also brought renewed focus to Nobitex\u2019s position within Iran\u2019s financial system and its potential role in sanctions evasion.\u00a0<\/p>\n<p>Haponiuk explained that while crypto offers pseudonymity, it does not guarantee anonymity, especially when transaction patterns are scrutinized over time.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cState-affiliated entities often rely on tools like mixers, chain hopping, or layered routing. But their behavior differs from that of regular users, who typically stay within predictable thresholds and transactional habits.\u201d<\/p>\n<\/blockquote>\n<p>He added that blockchain analytics has advanced to the point where clustering, attribution, and behavioral profiling can detect coordinated activity across wallets and chains.\u00a0<\/p>\n<p>Although not foolproof, these tools are now strong enough to yield actionable insights when supported by consistent signals.<\/p>\n<p>As blockchain infrastructure becomes more integrated into global finance. The Nobitex case offers a clear example of how crypto platforms operating in politically sensitive regions are increasingly exposed to conflict-driven risks.<\/p>\n<p>And as crypto continues to merge with real-world systems, the frequency and complexity of such attacks are likely to grow.<\/p>\n<\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How did Nobitex go from Iran\u2019s crypto lifeline to the center of a geopolitical breach, and what\u2019s next for users trapped between war and decentralization? Table of Contents Nobitex breach&hellip;<\/p>\n","protected":false},"author":1,"featured_media":3578,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3577","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/3577","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=3577"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/3577\/revisions"}],"predecessor-version":[{"id":3579,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/3577\/revisions\/3579"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/3578"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=3577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=3577"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=3577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}