- A pro-Israel hacking group has drained $90 million in crypto from Iran’s largest exchange, Nobitex
- The stolen funds have been sent to unusable wallets containing anti-IRGC slogans, rendering them permanently inaccessible
- The attack follows a similar cyber operation targeting Iran’s Bank Sepah and appears to be politically motivated
A pro-Israel hacktivist group has claimed responsibility for a major cyberattack on Nobitex, Iran’s largest cryptocurrency exchange, stealing over $90 million in digital assets and destroying access to the funds. The attackers transferred the cryptocurrency into specially crafted “vanity” wallets that contain politically charged messages, effectively removing the funds from circulation. The breach appears to be part of a broader cyber offensive against Iranian financial institutions believed to be linked to terrorism financing and comes as the two countries become more entrenched in war.
Politically Motivated Hack
The group, known as Predatory Sparrow, publicly announced the attack on social media, accusing Nobitex of collaborating with Iran’s Islamic Revolutionary Guard Corps (IRGC) to evade sanctions and launder money. Blockchain analysts confirmed the stolen assets, spanning Bitcoin, Ethereum, and various stablecoins, were sent to wallets with addresses spelling out phrases like “F-IRGCterrorists.” Because of the way these wallets were generated, accessing the funds is cryptographically impossible, indicating the group never intended to profit:
#PeckShieldAlert #ZachXBT has reported that #Nobitex, an Iranian exchange, appears to have been exploited, with ~48.6M in $USDT drained on #Tron pic.twitter.com/y12HyszcyZ
— PeckShieldAlert (@PeckShieldAlert) June 18, 2025
The attackers appear to have exploited internal security weaknesses in Nobitex’s infrastructure, particularly hot wallet access controls, just days after claiming responsibility for a cyberattack on Iran’s Bank Sepah. Analysts at TRM Labs and Elliptic estimate that the stolen funds represent a significant portion of Nobitex’s liquid reserves, although the company has reassured users that the exchange’s cold wallets have not been affected:
Nobitex Announcement No. 4 – Regarding the Security Incident
As part of Nobitex’s ongoing response to the recent security incident, we would like to inform our users that the situation is now under control. All external access to our servers has been completely severed.
If you…
— Nobitex | نوبیتکس (@nobitexmarket) June 18, 2025
Hackers “Vaporized” Funds
Experts say the attack carries hallmarks of a highly sophisticated, state-aligned operation. “They didn’t steal the money—they vaporized it,” said one analyst, describing it as a digital act of protest or deterrence. Attacks of this nature, where hackers deliberately destroy vast sums of money rather than steal it, are exceptionally rare in the world of cybercrime, with most breaches financially motivated. The Nobitex incident stands out because the perpetrators chose to render over $90 million in cryptocurrency permanently inaccessible, using addresses that cannot be recovered.
This kind of politically charged sabotage, aimed at inflicting reputational and economic damage rather than gaining financially, reflects an unusual level of coordination and ideological commitment, suggesting a shift from conventional cybercrime toward strategic, nation-state-style cyberwarfare using decentralized financial infrastructure as the battleground.
