Nobitex Crypto Exchange Hacked: Predatory Sparrow Burns $90M in Symbolic Anti-Iran Attack
Do Son 
On the night of June 18, 2025, the Iranian cryptocurrency exchange Nobitex fell victim to a devastating cyberattack, which was subsequently claimed by the pro-Israeli hacking group known as Predatory Sparrow. According to their own statements, the hackers exfiltrated over $90 million worth of cryptocurrency from the platform and deliberately destroyed the stolen funds by transferring them to irrecoverable “burn addresses”—a symbolic act of political protest against Iran and its Islamic Revolutionary Guard Corps (IRGC).
The first report of the breach surfaced at 2:24 a.m. Eastern Time on Nobitex’s official account on X, in which the team revealed it had detected unauthorized access to parts of its infrastructure responsible for accounting, as well as to its so-called “hot wallet.” Upon discovering signs of intrusion, system access was immediately severed and an internal investigation was launched. As of this writing, the Nobitex website remains offline.
Almost immediately following the platform’s disclosure, Predatory Sparrow released a public statement claiming responsibility for the breach. The group announced its intention to publish the platform’s source code and internal documents allegedly exfiltrated during the operation. In their message, the hackers portrayed Nobitex as a critical financial apparatus of the Iranian regime—used, they asserted, to circumvent sanctions and finance terrorist entities.
Blockchain analytics firm Elliptic confirmed that more than $90 million in digital assets had indeed been siphoned from Nobitex wallets. However, their investigation found that the attackers made no attempt to launder or cash out the stolen funds. Instead, the vast majority of the assets were sent to custom “vanity” addresses—cryptographic wallets whose identifying strings include pointed, often profane, anti-IRGC messages such as “FckIRGCterrorists.”
Generating such addresses is an immensely resource-intensive process, requiring tremendous computational effort and numerous iterations to produce a key pair with the desired textual pattern. According to Elliptic, the probability of brute-forcing a private key for these addresses is virtually nonexistent. This means the funds sent to them are irretrievably lost—rendered permanently unusable.
Analysts have emphasized that the incident bears no hallmarks of financial motivation. Rather, it appears to be a calculated act of symbolic sabotage intended to tarnish the reputation and dismantle the infrastructure of the exchange. Elliptic’s findings further suggest that Nobitex maintains ties to high-ranking individuals and organizations closely aligned with the Iranian regime. Moreover, the exchange has been cited in investigations related to the laundering of ransomware proceeds, particularly from DiskCryptor and BitLocker campaigns.
The assault on Nobitex came swiftly after a similar strike on Bank Sepah, a state-controlled financial institution overseen by Iranian authorities. In both cases, the objective was not financial enrichment but the deliberate disruption of economic and technological instruments. These incidents unfold against the backdrop of Iran’s increasing digital isolation, as the nation moves to restrict access to the global internet in a bid to safeguard its infrastructure from external interference.
Donate