Israeli Group Suspected in $90M Hack Targeting Iran’s Nobitex Crypto Exchange

Nobitex Hacked for $90M as Israel-Linked Group Escalates Cyber Campaign Against Iran

Iranian cryptocurrency exchange Nobitex has become the latest target in a series of cyberattacks allegedly carried out by Gonjeshke Darande, a hacking group believed to have ties to Israel. The group reportedly drained $90 million from the exchange and has threatened to leak Nobitex’s internal source code, labeling the platform a “terror-financing tool” used to evade international sanctions.

In a post on social media platform X, the group declared:

“After Bank Sepah, it was Nobitex’s turn.”

This statement referenced their attack just one day earlier on Iran’s state-owned Bank Sepah.

Blockchain investigator ZachXBT was among the first to spot suspicious transactions involving around $81.7 million moving out of Nobitex across multiple tokens, including Tron’s TRX, bitcoin (BTC), and dogecoin (DOGE). He shared details of the activity on his Telegram channel on Wednesday.

The stolen assets were traced to a wallet with a conspicuous vanity address: TKFuckiRGCTerroristsNoBiTEXy2r7mNX. Subsequent analysis raised the estimate of the stolen funds to over $82 million, siphoned across Bitcoin, Dogecoin, and several EVM-compatible chains. Other vanity addresses linked to the theft include:

• 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
• 1FuckiRGCTerroristsNoBiTEXXXaAovLX
• DFuckiRGCTerroristsNoBiTEXXXWLW65t

Gonjeshke Darande has accused Nobitex of being a critical part of the Iranian regime’s alleged terror financing operations, claiming the platform helps the country sidestep sanctions through crypto-based transactions.

Nobitex, which is Iran’s largest crypto exchange, confirmed the cyberattack via a statement on X but did not disclose any details regarding the amount of funds stolen.

Hack Driven by Politics, Not Profit

Despite the large sums involved, blockchain security firm Elliptic said the attack appeared politically motivated rather than a financial heist.

The stolen funds were transferred to crypto wallets featuring lengthy customized text strings, created using “brute force” techniques that generate countless cryptographic key pairs to achieve specific wording.

“Creating vanity addresses with text strings as long as those used in this hack is computationally infeasible,” Elliptic explained. “This suggests Predatory Sparrow wouldn’t have access to the private keys for those addresses and has effectively burned the funds to send Nobitex a political message.”

At this time, it remains unclear how exactly Gonjeshke Darande breached Nobitex’s systems.

The attack comes amid a backdrop of intensifying cyber and physical confrontations between Iran and Israel. Gonjeshke Darande — also known as Predatory Sparrow — has previously claimed responsibility for coordinated cyberattacks on Iranian infrastructure, including steel mills and gas stations.

With threats to publish Nobitex’s proprietary code still looming, the exchange is grappling not just with potential financial losses but a deepening crisis of trust. Users who haven’t yet withdrawn funds from the platform could be at risk of losing their assets entirely if further breaches occur, according to the hackers’ latest warnings.