On June 18, 2025, Iran’s largest cryptocurrency exchange, Nobitex, became the target of a sophisticated and politically-motivated $90 million cyberattack by an allegedly pro-Israeli hacker group Gonjeshke Darande, also known as Predatory Sparrow.

The group alleges that Nobitex played a key role in helping Iran’s Islamic Revolutionary Guard Corps (IRGC) and other state-linked entities bypass international sanctions. Unlike in a typical hacking incident, the stolen funds were not laundered or transferred to mixers. Instead, the group deliberately burned the assets.

Stolen Funds Sent to “Vanity Addresses”

According to blockchain forensics firm Elliptic, the stolen assets included Bitcoin, Ethereum, and other cryptocurrencies. These were transferred to “vanity addresses,” or customized wallet addresses containing politically charged phrases such as “FuckIRGCTerrorists”. Many of these addresses are not just symbolically provocative but also with no known private keys, making recovery impossible.

For Ethereum, portions of the funds were also sent to the 0x000… dead address, which is commonly used to permanently remove tokens from circulation. Some Bitcoin wallets used by the attackers even included invalid checksums, rendering them unusable.

The method of destruction suggests the attack was not financially motivated but symbolic. It was essentially a way to deliver a political message to the Iranian government and affiliated entities.

Who Are Predatory Sparrow?

Predatory Sparrow is a highly skilled cyber-activist group widely believed to have ties to Israeli intelligence, although formal attribution remains unconfirmed. Active since at least 2021, the group has previously targeted Iranian infrastructure, including steel factories, gas stations, and media networks. It calls itself a collective acting in defense of regional stability and against terrorism.

Just a day before the Nobitex breach, the group claimed responsibility for hacking Iran’s Bank Sepah, causing major service outages at ATMs and fueling stations across the country.

These cyberattacks come amid heightened geopolitical tensions between Israel and Iran, including recent Israeli airstrikes on Tehran’s nuclear facilities. Experts suggest that the hack on Nobitex is part of a broader escalation in cyberwarfare between the two nations.

Nobitex’s Response and Security Measures

Following the incident, Nobitex confirmed that unauthorized access had occurred and stated that its hot wallets were drained as a precaution. The exchange reassured users that cold storage wallets remain secure, and it holds sufficient reserves to cover any potential losses among its reported 10 million users.

The hackers also threatened to leak the exchange’s internal source code and system architecture, encouraging users to withdraw any remaining funds for their own protection.

Longstanding Allegations of IRGC Ties

Nobitex has faced scrutiny in the past for alleged connections to sanctioned Iranian entities. Investigations by blockchain analysts and open-source researchers have identified links between Nobitex and individuals connected to Iran’s ruling elite, including relatives of Supreme Leader Ali Khamenei and business partners affiliated with the IRGC.

In 2022, the U.S. Office of Foreign Assets Control (OFAC) sanctioned two Iranian nationals—Ahmad Khatibi Aghada and Amir Hossein Niakeen Ravari—for their role in cyberattacks using BitLocker ransomware. Blockchain analysis confirmed that these individuals used Nobitex to receive and transfer cryptocurrency related to those operations.

A graph published by Elliptic shows further on-chain evidence of interactions between Nobitex and wallets associated with Hamas, Palestinian Islamic Jihad, and the Houthi movement—highlighting how crypto exchanges can be leveraged in the financing of groups designated as terrorist organizations in various jurisdictions.

Implications for Crypto and Cybersecurity

This incident is just one example of how cryptocurrency platforms are increasingly caught in the crossfire of geopolitical conflicts. Unlike financially motivated hacks, the Nobitex breach was driven by political aims. It exploited the transparency of blockchain systems not just to extract value, but to publicly deliver a powerful message against violence and terrorism.

‍