How did Nobitex go from Iran’s crypto lifeline to the center of a geopolitical breach, and what’s next for users trapped between war and decentralization?
Nobitex breach marks new chapter in cyber risk
In the early hours of Jun. 18, Iran’s largest crypto exchange, Nobitex, suffered a coordinated cyberattack that resulted in one of the most severe digital asset breaches in the country’s history.
The incident was confirmed by Nobitex’s technical team and involved the compromise of multiple hot wallets. A wide range of assets was affected, including Bitcoin (BTC), Ethereum (ETH), Dogecoin (DOGE), Tether (USDT), Ripple (XRP), Solana (SOL), Tron (TRX), and Toncoin (TON).
Estimates of the stolen funds vary. TRM Labs, Chainalysis, and Elliptic each placed the losses near $90 million, while independent analyst ZachXBT calculated at least $81.7 million lost across Ethereum and Tron-compatible networks.
The breach was first identified after Nobitex detected unauthorized access to its internal reporting infrastructure, triggering an emergency response that led to the suspension of both its website and mobile application.
Cyvers researcher Hakan Unal noted that the breach stemmed from a failure in segregating wallet credentials, which should have remained isolated from the systems that were compromised.
However, unlike typical crypto hacks where funds are laundered for profit, the Nobitex case showed a different intent.
The stolen crypto was transferred to vanity addresses with politically charged labels, such as TKFuckiRGCTerroristsNoBiTEXy2r7mNX on Tron and 0xffFFfFFffFFffFfFffFFfFfFFFFDead on Ethereum, both computationally impossible to access, rendering the funds effectively “burned.”
Shortly after the incident, the pro-Israel hacker group Gonjeshke Darande, also known as Predatory Sparrow, claimed responsibility via a post on X.
The group, previously linked to Israeli interests by Reuters and The Times of Israel, though without official confirmation, threatened to release Nobitex’s source code and internal data within 24 hours unless users withdrew funds, warning that remaining assets were at risk.
On Jun. 19, the group acted on the threat. In another X post, Predatory Sparrow shared what they claimed to be the full source code of Nobitex. The post read, “Time’s up — full source code linked below. ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.”
An eight-part thread followed, revealing confidential technical documentation, including server configurations, privacy tools, deployment procedures, and backend infrastructure.
The Nobitex attack came just one day after a similar breach by the same group. On Jun. 17, Predatory Sparrow targeted Iran’s state-owned Bank Sepah, disrupting ATM services nationwide.
Together, the incidents suggest that the Nobitex breach may form part of a broader cyber campaign linked to escalating tensions. The attack followed Israeli military strikes on Iran, launched on Jun. 13 amid growing concerns over Iran’s nuclear program.
New crypto curfew reflects crisis mood
Following the Nobitex breach, Iranian authorities moved swiftly to tighten oversight of the country’s digital asset infrastructure.
On Jun. 19, the Central Bank of Iran imposed a curfew limiting operating hours for all domestic crypto exchanges to between 10 AM and 8 PM daily.
The measure coincided with rising military tensions between Iran and Israel. As of Jun. 18, official reports listed 224 deaths in Iran and 24 in Israel following a series of missile strikes. Actual figures may be significantly higher.
Analysts at Chainalysis noted that the curfew may also be intended to limit capital flight and increase financial surveillance during the crisis.
Meanwhile, in direct response to the hack, Nobitex activated emergency protocols to secure remaining reserves. Large amounts of Bitcoin were moved into new cold storage wallets, a step confirmed by Chainalysis as part of the platform’s containment strategy.
The exchange issued a public statement assuring users that the majority of customer assets held in cold wallets remained secure. Nobitex also pledged to use its reserve and insurance fund to fully reimburse affected clients.
Despite these reassurances, user access to Nobitex would remain suspended in the coming days. Users have expressed growing anxiety over frozen funds, limited access, and broader trust issues.
The situation was further complicated by a nationwide internet blackout. Data from Cloudflare showed a 90% decline in traffic volumes compared to the previous week.
No official link has been established between the cyberattack and the internet outage. However, the disruption severely impacted civilian access to online services, including financial platforms, messaging apps, and news portals.
Blockchain forensics reveal troubling patterns
In a country facing international sanctions, limited access to global banking, and persistent currency devaluation, Nobitex has emerged as a critical financial gateway for Iranians.
Founded in 2017, the platform has grown into the dominant player in Iran’s crypto market. It has over 7 million registered users and accounts for the majority of the country’s digital asset activity.
According to Chainalysis, Nobitex has received more than $11 billion in total inflows, exceeding the combined total of Iran’s next ten largest exchanges.
Nobitex enables users to trade crypto assets using Iranian Rials, offering a way to store value, participate in global markets, and sidestep the limitations of Iran’s restricted financial infrastructure.
While Nobitex has served an important role for civilians grappling with economic uncertainty, it has been accused of facilitating not only everyday transactions but also financial activity linked to the Iranian state.
Following the June 2025 breach, hacker group Predatory Sparrow claimed Nobitex was targeted for allegedly aiding the Iranian government in evading sanctions and funding illicit operations.
Blockchain analytics firms including Elliptic and Chainalysis have traced the platform’s activity to individuals and groups under U.S. sanctions.
Among them are Ahmad Khatibi Aghada and Amir Hossein Niakeen Ravari, both designated by the U.S. Office of Foreign Assets Control in 2022 for their involvement in ransomware operations.
Further blockchain analysis has linked wallets on Nobitex to groups such as Hamas, Palestinian Islamic Jihad, the Houthis, and accounts promoting al-Qaeda-affiliated content.
U.S. lawmakers have raised repeated concerns over Nobitex’s role in potential sanctions evasion. In May 2024, Senators Elizabeth Warren and Angus King sent a letter referencing a Reuters investigation from 2022 that uncovered nearly $8 billion in transactions between Nobitex and Binance between 2018 and 2022.
The letter questioned whether such flows might reflect systemic gaps in global enforcement.
Nobitex’s internal policies have also drawn attention. Public reports indicate the platform previously issued user guidance on bypassing financial restrictions, prompting concern from regulatory authorities and international watchdogs.
Predatory Sparrow has gone so far as to claim that employment at Nobitex is considered equivalent to military service within Iran, due to the platform’s perceived strategic value to the regime’s financial operations.
Is Iran going to attack the U.S.?
As tensions between Iran and Israel escalate, prediction markets have seen a rise in activity focused on conflict-related outcomes.
On Polymarket, users are trading on the likelihood of various geopolitical events, including military actions, cyberattacks, leadership changes, and diplomatic negotiations.
The combined volume across these contracts now exceeds $70 million, offering a glimpse into how speculative behavior continues even in high-risk, politically sensitive contexts.
One of the most active markets centers on the possibility of U.S. military action against Iran before July. The contract has recorded more than $19 million in volume, with current odds reflecting a 45% probability.
A related contract measuring the likelihood of a major cyberattack on Iran during June has surged to 95%. The shift follows recent breaches at Nobitex and Bank Sepah, reinforcing expectations of ongoing digital escalation.
Markets predicting Israeli airstrikes on Iran within specific June timeframes are also heavily traded. The contract for a strike on June 20 is priced at 99%, while neighboring dates hover just below that threshold.
Leadership-related scenarios have drawn increased attention as well. A contract forecasting that Iran’s Supreme Leader Ayatollah Khamenei will leave office before July is trading at 60% probability, with over $2 million in trade volume.
Contracts covering broader regime change, direct invasions by the U.S. or Israel, or formal declarations of war remain priced far lower, with probabilities ranging from 1% to 5%.
At the same time, markets are also speculating on diplomatic outcomes. Scenarios involving a U.S.-Iran nuclear deal or resumed negotiations are currently priced between 15% and 40%, reflecting uncertainty about the possibility of de-escalation in the near term.
Experts chime in
crypto.news spoke with Yehor Rudytsia and Oleksii Haponiuk from Hacken to explore how the Nobitex breach challenges traditional assumptions about crypto hacks in today’s geopolitical environment.
What set the incident apart was not just the scale of the breach but the fact that the stolen funds were deliberately burned. There was no attempt to launder, convert, or profit from the assets.
According to Rudytsia, that detail represents a monumental change in how threats to exchanges should be interpreted.
“Web3 projects, especially centralized exchanges, are no longer just targets for financial theft. They can also become instruments for politically motivated cyberattacks. The Nobitex case shows that attackers may act with the intent to disrupt rather than gain.”
He stressed that centralized exchanges remain the primary access point for millions of users. A successful breach has consequences that can cascade through the broader ecosystem, affecting not just the platform but the public’s confidence in crypto infrastructure.
“We need to move past the idea that decentralization alone is the answer. Most users still rely on centralized exchanges, and securing them remains essential for web3 adoption.”
The attack also brought renewed focus to Nobitex’s position within Iran’s financial system and its potential role in sanctions evasion.
Haponiuk explained that while crypto offers pseudonymity, it does not guarantee anonymity, especially when transaction patterns are scrutinized over time.
“State-affiliated entities often rely on tools like mixers, chain hopping, or layered routing. But their behavior differs from that of regular users, who typically stay within predictable thresholds and transactional habits.”
He added that blockchain analytics has advanced to the point where clustering, attribution, and behavioral profiling can detect coordinated activity across wallets and chains.
Although not foolproof, these tools are now strong enough to yield actionable insights when supported by consistent signals.
As blockchain infrastructure becomes more integrated into global finance, the Nobitex case offers a clear example of how crypto platforms operating in politically sensitive regions are increasingly exposed to conflict-driven risks.
And as crypto continues to merge with real-world systems, the frequency and complexity of such attacks are likely to grow.