Nobitex Hack Exposes Months of Shady Crypto Fund Movements—Was This Inevitable?
Another day, another crypto exchange breach—but this one stinks of insider drama.
Nobitex's security collapse didn't happen overnight. Behind the hack? A trail of suspicious transactions dating back months. Now users are left holding empty bags while forensic analysts trace the digital breadcrumbs.
Regulators shrug, traders rage, and the usual 'lessons will be learned' press release gets drafted. Meanwhile, someone's probably sipping a margarita on a non-extradition beach—courtesy of your misplaced trust in centralized exchanges.
Hot Wallets, Cold Moves: Nobitex’s shady crypto shuffle
Since as far back as October 2024, Nobitex has been using a stealth tactic known as peelchains, a method where funds are gradually split and passed through intermediaries or one-time-use wallets. This technique is used to quietly MOVE large amounts of crypto, while obscuring their trail and making them difficult to trace.
On multiple occasions, several hot wallets tied to Nobitex repeatedly passed exactly 30 BTC between addresses, often through one-time-use intermediaries. Funds in these flows were eventually sent to exchange addresses or, in some cases, destinations linked to illicit actors.
Additionally, the investigation traced funds moving in and out of a wallet cluster that behaved like a central mixing layer. Many of these wallets had a short lifespan and were used just once before being abandoned, suggesting an intentional scheme to avoid detection.
Further evidence shows that Nobitex’s “rescue wallet,” which was supposedly deployed after the hack to safeguard the remaining funds, was found to have been active for months prior, consistently receiving chipped-off funds. The exchange has also continued similar asset movements post-hack and is said to still hold substantial reserves.
Global Ledger’s findings now raise questions about Nobitex’s operational transparency, including possible ties to illicit activity such as money laundering.
Gonjeshke Darande, the pro-Israel hacker group that claimed responsibility for the attack, previously accused Nobitex of being Iran’s “favorite sanctions violation tool.” The group also cited this as a key reason for targeting the exchange, claiming it as part of a broader retaliation effort tied to the Israel-Iran conflict.
