Why Pro-Israel Group's $90M Crypto Hack Could Be a Hammer Blow for Iran's Regime
The hacking group continued its assault on Thursday, releasing the exploited exchange's source code.

What to know:
- Nobitex was hacked on Wednesday, with attackers stealing $90 million and prompting a full service shutdown.
- Pro-Israel group Gonjeshke Darande claimed responsibility, using "vanity" wallets with messages like “terrorist” to burn the funds and send a political message, not profit.
- The hack potentially cripples Iran’s ability to move funds via crypto amid heightened Middle East tensions, exposing vulnerabilities in its sanction-evasion infrastructure.
Iranian cryptocurrency exchange Nobitex was hacked for around $90 million on Wednesday, on the surface of it an almost routine exploit in an industry that already dealt with a $223 million exchange exploit earlier this month.
Below the surface, it was anything but. Digging a little deeper reveals this was not simply a cash grab (in fact, not a cash grab at all) but a political message that could end up being a hammer blow to one of the primary combatants in the escalating conflict in the Middle East.
The hackers, the pro-Israel activist group Gonjeshke Darande, demonstrated their indifference to monetary gain by transferring the stolen funds to a series of inaccessible "vanity" wallets laden with words like "terrorist," essentially burning those tokens forever.
Politically motivated sabotage
"This appears to be an act of politically motivated sabotage rather than a financially motivated hack," Elliptic co-founder Tom Robinson said in an interview. "The use of vanity addresses seems to be motivated by wanting to send a message to Nobitex and the Islamic Revolutionary Guard Corps."
The group, whose Farsi name means Predatory Sparrow, the following day leaked the exchange's source code, leaving any remaining tokens on the platform vulnerable to theft.
"Bypassing sanctions doesn't pay," Gonjeshke Darande wrote on X alongside screenshots of the "vanity" wallets storing the stolen funds.
The regime has been under sanctions for years due to international concerns over its human rights record and attempts to develop nuclear weapons. The European Union introduced sanctions in 2011 and has renewed them every year since, even strengthening them in the meantime. U.S. sanctions date back as far as 1979, to the Iranian Revolution.
Israel said Iran, which has vowed to eliminate the Jewish state numerous times over the years, was on the verge of developing nuclear weapons. Iran says its program is purely peaceful. Last week, immediately before Israel's air strikes, the International Atomic Energy Agency (IAEA) said Iran had violated its non-proliferation commitments.
Gonjeshke Darande's tweet refers to allegations about Iran's use of cryptocurrency to evade the sanctions, echoing concerns Senators Elizabeth Warren and Angus King raised to former U.S. President Joe Biden in 2024.
Without Nobitex, Iran, a nation already hamstrung by oil and financial sanctions, may struggle to move capital around in a time of intense conflict. That could weaken its efforts to mobilize and launch attacks into Israel.
The truth about vanity wallets
There has been some discussion about the vanity wallets. Does the group have access to the filched tokens, or have they been burned forever?
There is "practically zero chance attackers control these addresses," Yehor Rudytsia, a security researcher at Hacken, told CoinDesk.
Creating the vanity addresses with a private key to unlock them "is computationally trivial task and might be done in micro/milliseconds," Rudytsia said. But finding the 26-character private key would require as many as ~ 2¹⁵² trials. "It is practically infeasible to find the private key which maps to such a public address."
Which means the money has gone.
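
The arithmetic behind that figure, as an added example (not code from the article or from Hacken). It assumes Bitcoin-style Base58Check addresses and that the "26 characters" are 26 chosen Base58 characters. The sample address is the publicly known burn address for an all-zero hash, and the search rate is a constructed figure.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Publicly known burn address for an all-zero 20-byte hash (sample input).
SAMPLE_ADDRESS = "1" * 21 + "4oLvT2"


def b58check_decode(addr: str) -> bytes:
    """Return version byte + payload if the 4-byte checksum verifies.

    Validation only recomputes a hash over the payload. It never involves
    a private key, so a well-formed address says nothing about whether
    anyone can spend from it.
    """
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != check:
        raise ValueError("bad checksum")
    return body


def key_search_bits(chosen_chars: int, alphabet: int = 58) -> float:
    """log2 of the expected number of keys to try before one happens to
    produce an address containing `chosen_chars` fixed characters."""
    return chosen_chars * math.log2(alphabet)


def years_to_search(bits: float, keys_per_second: float) -> float:
    """Expected wall-clock years to perform 2**bits key trials."""
    return 2.0 ** bits / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    body = b58check_decode(SAMPLE_ADDRESS)
    print("valid address, payload:", body[1:].hex())
    bits = key_search_bits(26)
    print(f"26 chosen Base58 characters ~ 2^{bits:.1f} key trials")
    # 1e12 keys/second is a constructed, deliberately generous rate.
    print(f"at 1e12 keys/s: {years_to_search(bits, 1e12):.2e} years")
```
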