Iranian crypto exchange Nobitex found itself in digital shambles on June 18, 2025, when pro-Israel hacking group Gonjeshke Darande (“Predatory Sparrow”) orchestrated a devastating $90 million attack against the platform.
Unlike typical crypto heists where thieves make off with the digital loot, this attack was purely political—the hackers weren’t after profit but aimed to destroy assets as a message amid escalating Israel-Iran tensions.
The attack targeted only Nobitex’s “hot wallets”—the online-connected crypto storage—while offline “cold storage” assets remained untouched. This targeting pattern aligns with established security measures that most centralized exchanges employ to protect the majority of user funds.
What made this hack particularly fascinating was the attackers’ technique: they sent stolen funds to specially crafted “vanity addresses” containing anti-IRGC slogans.
Think of these addresses as impossibly complex digital safes where the combination was deliberately forgotten after locking.
“Brute forcing” these vanity addresses is like trying to find a specific grain of sand on all Earth’s beaches—technically possible but practically impossible.
Once funds went in, they were effectively burned forever, rendering over $90 million in various cryptocurrencies, including Bitcoin and Dogecoin, permanently inaccessible.
Nobitex, serving approximately 7 million users as Iran’s largest exchange, quickly suspended their website and app access following the breach.
The company has publicly committed to compensating affected users through insurance and reserve funds, emphasizing transparency throughout the crisis.
Predatory Sparrow explicitly linked their attack to Iranian government activities, accusing Nobitex of facilitating regime financing and sanctions evasion.
The hack came just one day after the same group claimed responsibility for breaching Iran’s state-owned Bank Sepah, suggesting a coordinated campaign.
Cryptocurrency security experts agree this attack represents a new paradigm in politically motivated cyber warfare, where blockchain’s immutability becomes a weapon rather than a shield.
The investigation continues into how exactly the attackers gained access to Nobitex’s systems, but the message was clear: in modern digital conflict, sometimes destroying assets makes a louder statement than stealing them.
Blockchain analysis firm Elliptic has documented on-chain interactions between Nobitex and wallets associated with Hamas, Palestinian Islamic Jihad, and Houthis.
The hackers embedded specific phrases including “FiRGCTerrorists” into blockchain addresses as a powerful symbolic statement against the Iranian regime.
