Iran’s largest cryptocurrency exchange, Nobitex, has confirmed a significant cybersecurity breach that resulted in the loss of over $90 million in digital assets from its hot wallet infrastructure.
Highlights
- Massive Loss Confirmed: Over $90 million in crypto assets stolen from Nobitex’s hot wallets in a major cybersecurity breach.
- Exchange Goes Dark: Both the website and app were taken offline as the company investigates and secures its infrastructure.
- Stolen Crypto Burned: The attackers transferred funds to irretrievable “burn” wallets with vanity addresses, making recovery impossible.
- Attack Claimed by Predatory Sparrow: A pro-Israel hacking group took credit, citing political motives and accusing Nobitex of aiding sanctioned entities.
- Part of a Coordinated Cyber Offensive: The breach came just one day after the same group reportedly attacked Iran’s Bank Sepah, causing nationwide ATM failures.
- More Threats Loom: Predatory Sparrow has threatened to release internal data and source code from Nobitex within 24 hours.
- Geopolitical Undercurrent: Iran’s state media calls it part of a “massive cyber war,” underscoring how state-level conflicts are increasingly playing out against digital infrastructure.
The company has since taken down both its website and app while investigations and security assessments are underway.
Scope and Impact of the Breach
In a public statement—translated by TechCrunch—Nobitex acknowledged the attack, stating that it is actively evaluating the full extent of the breach and working to secure the remaining portions of its infrastructure.
Nobitex, reportedly serving over 10 million users, is regarded as Iran’s most widely used crypto trading platform, according to archived website records.
Stolen Funds Irretrievably Destroyed
Blockchain analytics firm Elliptic has confirmed that the attackers transferred the stolen crypto assets into irretrievable wallets—a practice commonly known as “burning.”
These transactions were directed to vanity addresses (some reportedly containing anti-Iran messages), ensuring that the digital assets can no longer be accessed, traced, or recovered.
Attack Claimed by Pro-Israel Hacking Group
Responsibility for the incident has been claimed by Predatory Sparrow (Gonjeshke Darande in Farsi), a hacking group previously linked to politically motivated cyberattacks on Iranian infrastructure.
In a post on X, the group accused Nobitex of facilitating illicit financial activities, including alleged support for sanctioned entities.
The group also claimed responsibility for a separate attack just one day earlier on Bank Sepah, which reportedly caused widespread ATM outages in Iran.
The back-to-back nature of these attacks suggests a coordinated effort and possibly signals escalating cyber tensions amid broader geopolitical dynamics.
Additional Threats and Possible Escalation
Following the Nobitex breach, Predatory Sparrow issued a warning via social media, stating they intend to release the exchange’s internal data and source code within 24 hours. If carried out, this could further expose sensitive company operations and infrastructure details.
Iran’s state broadcaster IRIB has recently reported what it describes as a “massive cyber war” allegedly waged by Israel against Iranian digital systems. While the exact affiliations of Predatory Sparrow remain unconfirmed, their activity aligns with prior attacks attributed to pro-Israeli interests.