Cyberattack Wipes Out $81M from Iran’s Top Crypto Exchange Nobitex—Pro-Israel Hackers Claim Responsibility

Iran's crypto ecosystem takes a brutal hit as digital assailants drain millions from its premier trading platform.

Who's behind the attack? A pro-Israel hacking group flexes its muscles—turning geopolitical tensions into a costly blockchain heist.

Security fail or insider job? Nobitex users demand answers while the exchange scrambles to patch vulnerabilities (and restore what's left of their reputation).

Meanwhile, regulators shrug—because when has crypto ever played by the rules? Just another Tuesday in decentralized finance.

TLDR

• Iran’s largest crypto exchange Nobitex lost over $81 million in a cyberattack by pro-Israel hackers using vanity wallet addresses
• The hacker group “Gonjeshke Darande” claimed responsibility and threatened to release source code within 24 hours
• Iran’s Central Bank responded by restricting crypto exchange operating hours to 10 AM-9 PM following the breach
• Stolen funds included Bitcoin, Ethereum, XRP, Dogecoin, Solana, TRON and Toncoin across multiple blockchain networks
• The same hacker group also targeted Iran’s state-owned Bank Sepah earlier this week

Iran’s biggest cryptocurrency exchange suffered a major security breach this week when hackers drained over $81 million from its systems. The attack on Nobitex represents one of the largest crypto exchange thefts in recent months.

🚨 NEW: Iran’s Largest crypto exchange Nobitex Hacked for $73M on Tron Network

Blockchain sleuth @zachxbt exposes one of 2025’s biggest crypto breaches, @nobitexmarket users locked out as $73M vanishes to a traced wallet. Thousands of Iranian traders left in limbo. pic.twitter.com/wa4m3p9dUg

— CryptosRus (@CryptosR_Us) June 18, 2025

Blockchain investigator ZachXBT first reported the breach on June 16, 2025. The attackers moved $81.7 million from the exchange’s hot wallets across multiple networks. The stolen funds came from both the TRON blockchain and various Ethereum-compatible chains.

The hackers used two specially crafted wallet addresses to MOVE the stolen cryptocurrency. The first vanity address read “TKFuckiRGCTerrorists” and handled $49 million of the theft. A second custom address ending in “Dead” was used to steal the remaining funds.

These human-readable wallet names weren’t chosen randomly. Security experts say they reveal how the attackers bypassed Nobitex’s internal security controls. The custom addresses allowed hackers to access funds that should have remained locked in secure wallets.

Hakan Unal from Cyvers security firm explained that the breach showed flaws in the exchange’s access controls. The attackers managed to infiltrate systems designed to block unauthorized wallet addresses. Nobitex confirmed it detected the breach quickly and suspended the affected hot wallets.

A pro-Israel hacker group called “Gonjeshke Darande” claimed responsibility for the attack. The group posted on social media that they viewed Nobitex as a tool for “regime financing.” They threatened to release the exchange’s source code and internal files within 24 hours.

After the IRGC’s “Bank Sepah” comes the turn of Nobitex
WARNING!

In 24 hours, we will release Nobitex's source code and internal information from their internal network.
Any assets that remain there after that point will be at risk!

The Nobitex exchange is at the heart of the… pic.twitter.com/GFyBCPCFIE

— Gonjeshke Darande (@GonjeshkeDarand) June 18, 2025

Political Tensions Drive Cyberattacks

The timing of this attack coincides with escalating tensions between Israel and Iran. Recent military strikes between the two countries have resulted in hundreds of casualties. Reports indicate at least 224 people died in Iran and 24 in Israel during renewed conflict.

The same hacker group also targeted Bank Sepah, one of Iran’s largest state-owned banks, earlier this week. These coordinated attacks appear politically motivated rather than purely financial. The hackers seem focused on disrupting Iran’s financial infrastructure.

Chainalysis research shows the stolen cryptocurrencies included Bitcoin, Ethereum, Dogecoin, XRP, Solana, TRON, and Toncoin. The attackers used burner wallet addresses without private key access, suggesting they planned to destroy rather than profit from the stolen funds.

Iran’s Central Bank responded swiftly to the breach by imposing new restrictions on crypto exchanges. All domestic cryptocurrency platforms must now operate only between 10 AM and 9 PM. The new rules aim to increase oversight of crypto trading activities.

Exchange Promises Full Recovery

Nobitex assured users that their main funds remain secure in cold storage systems. The exchange said only a fraction of hot wallet assets were affected by the breach. Company officials promised to cover all losses using their insurance fund and internal resources.

The exchange has processed over $11 billion in total inflows, making it larger than the next ten Iranian exchanges combined. Nobitex serves as a key gateway connecting Iran’s sanctioned financial system to global crypto markets.

Security experts have previously linked various illicit actors to the Nobitex platform. These include ransomware operators affiliated with Iran’s Revolutionary Guard and networks connected to Hamas and Houthi groups. The platform has also facilitated transactions with sanctioned entities.

Following the attack, Nobitex moved large amounts of Bitcoin to new cold storage wallets. The exchange took immediate steps to enhance security and prevent future breaches. Iran’s Central Bank now requires stricter operating hours for all domestic crypto exchanges as authorities increase oversight of digital asset trading.