Iranian Crypto Exchange Nobitex Hacked for $90M by Suspected Israeli Group

Iranian crypto exchange Nobitex has been hacked for $90 million by Israel-linked hacking activist group Gonjeshke Darande, according to a blog post from blockchain security firm Elliptic.

The group said in an X post: “After Bank Sepah, it was Nobitex's turn,” referencing their Tuesday cyberattack on Iran’s state-owned lender. They warned that Nobitex’s internal data and source code would be released within a day, and any assets left on the exchange would be “at risk.”

On-chain sleuth ZachXBT first flagged suspicious outflows totaling $81.7 million in Tron's TRX TRX$0.2833, bitcoin BTC$86,944.52, dogecoin DOGE$0.1274 and other tokens in his Telegram channel on Wednesday.

The stolen funds were traced to a wallet using a provocative vanity address: TKFuckiRGCTerroristsNoBiTEXy2r7mNX.

Estimates of funds stolen was later updated to over $82 million, with funds stolen across Bitcoin, Dogecoin and EVM chains from addresses including
"0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead," "1FuckiRGCTerroristsNoBiTEXXXaAovLX," and "DFuckiRGCTerroristsNoBiTEXXXWLW65t."

The group called Nobitex a “core part of the regime’s terror financing network,” accusing it of helping Iran evade international sanctions by enabling crypto-based payments.

Nobitex, Iran’s largest exchange, confirmed the attack in an X post but did not mention or confirm stolen funds.

Hack not financially motivated

The hack also does not appear to be financially motivated, Elliptic said.

The funds were sent to vanity addresses created through "brute force" methods - involving the creation of large numbers of cryptographic key pairs until one contains the desired text.

"But creating vanity addresses with text strings as long as those used in this hack is computationally infeasible. This means that Predatory Sparrow would not have the private keys for the crypto addresses they sent the Nobitex funds to, and have effectively burned the funds in order to send Nobitex a political message," Elliptic said.

At the time of writing, it is unclear what attack method was used by Gonjeshke Darande to conduct the exploit.

The hack comes amid a flurry of cyber and physical attacks between Iran and Israel.

Gonjeshke Darande, believed by cybersecurity analysts to have ties to Israeli intelligence, has previously claimed responsibility for coordinated infrastructure attacks on Iranian steel factories and gas stations.

With the source code leak looming, Nobitex now faces not only financial loss but a full-blown credibility crisis — and users who haven’t yet moved funds may stand to lose everything, per the hacking group’s followup threats.

UPDATE (Jun. 18, 08:34 UTC): Updates headline and text with new information.

UPDATE (Jun. 18, 11:56 UTC): Adds details from the Elliptic blog.