Politically Charged Hack Destroys $100 Million on Iran’s Nobitex Exchange and Leaks Source Code

On June 19, the pro-Israel-aligned hacker group Gonjeshke Darande escalated its attack on Nobitex, Iran’s largest cryptocurrency exchange, by publicly releasing the platform’s full source code. The group, which claimed responsibility for an approximately $100 million exploit earlier this week, shared internal system details on social media, exposing sensitive asset information and warning users that remaining funds on Nobitex are now at “extreme risk.” The incident, marked by politically charged motives, has sent shockwaves through Iran’s crypto ecosystem, prompting regulatory action and raising concerns about user asset security.

A Politically Driven Cyberattack

The hack, first reported on June 18, saw Gonjeshke Darande siphon approximately $100 million in crypto assets from Nobitex wallets across multiple networks, including Bitcoin, Tron, and Dogecoin, according to Nobitex’s official security incident announcement.

Unlike typical crypto heists aimed at laundering funds for profit, the hackers appear to have transferred the stolen assets to so-called “black hole” addresses—wallets with no accessible private keys, effectively destroying the funds.

Blockchain analyst @evilcos noted on X that the group’s wallet addresses, such as “1FuckiRGCTerroristsNoBiTEXXXaAovLX” on Bitcoin, carry mocking political undertones, underscoring the attack’s ideological intent over financial gain.

Gonjeshke Darande, translating to “Predatory Sparrow,” had warned on June 18 that it would leak Nobitex’s source code and internal files within 24 hours if users did not withdraw their funds. True to its threat, the group posted links to the exchange’s deployment details on June 19, claiming, “Assets left in Nobitex are now entirely out in the open.” The leaked data reportedly includes critical infrastructure information, potentially exposing the exchange to further vulnerabilities.

Nobitex’s Response and Regulatory Fallout

Nobitex confirmed the breach in a security incident announcement, stating that its technical team had severed all external server access and proactively transferred hot wallet funds to protect user assets. The exchange claimed that the destroyed assets, valued at approximately $100 million, were covered by its reserve fund, ensuring no direct user losses. However, Nobitex cautioned that platform recovery and support services could face delays due to Iran’s ongoing internet disruptions and emergency measures.

In response to the hack, Iran’s central bank imposed a curfew on all domestic crypto exchanges, restricting trading hours to 10 a.m. to 8 p.m. local time. The measure, reported by Cryptonews, aims to enhance oversight and mitigate risks during off-hours when cybersecurity responses may be slower. The regulation reflects heightened concerns about the vulnerability of Iran’s crypto infrastructure amid geopolitical tensions.

Context and Implications

Nobitex, founded in 2017, serves over 11 million users and is a cornerstone of Iran’s crypto market, which has grown as a hedge against economic sanctions and currency devaluation. The exchange’s prominence made it a high-profile target for Gonjeshke Darande, a group previously linked to cyberattacks on Iranian state infrastructure. Blockchain analytics firm TRM Labs noted that the hack aligns with the group’s pattern of state-aligned operations, blending cyberwarfare with political messaging.

The destruction of $100 million in assets, while significant, represents a fraction of Nobitex’s reported trading volume. However, the source code leak poses a longer-term threat, potentially enabling further exploits or copycat attacks. This could drive Iranian users to shift funds to decentralized exchanges to mitigate risks, dealing a significant blow to Iran’s centralized cryptocurrency exchanges and similar institutions.