Cyber Incident Victim: Nobitex
Date: Jun 2025
Location: Iran
Summary
An Iranian cryptocurrency exchange suffered an $81.7 million exploit across Tron and EVM-compatible blockchains, attributed to unauthorized access that drained assets from some hot wallets. The pro-Israel hacker group Gonjeshke Darande claimed responsibility, framing the attack as a political statement against the Iranian regime and threatening further leaks. While the exchange confirmed the breach and suspended affected wallets, it assured users that cold storage assets remained secure and pledged full compensation. Security analysts identified critical access control failures enabling the theft, noting the stolen funds were unmoved post-attack. A significant drop in labeled wallet holdings was observed but attributed to routine migrations rather than additional losses.
Description
On June 18, 2025, blockchain investigator ZachXBT disclosed via Telegram that Iran-based cryptocurrency exchange Nobitex had suffered a significant security breach resulting in the theft of digital assets exceeding $81 million. The attack targeted Nobitex-linked wallets across the Tron network and Ethereum Virtual Machine (EVM)-compatible blockchains. Attackers utilized specific "vanity addresses," custom public wallet addresses containing provocative phrases like "TKFuckiRGCTerroristsNoBiTEXy2r7mNX" and "0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead," to facilitate suspicious outflows totaling at least $81.7 million. Shortly after this disclosure, a pro-Israel hacker group identifying itself as "Gonjeshke Darande" claimed responsibility for the attack on social media platform X. The group stated its intention to release Nobitex's source code and internal files within 24 hours and warned users that any remaining assets on the platform were at risk. Gonjeshke Darande justified the attack by alleging Nobitex was central to Iranian regime efforts to finance terrorism globally and evade international sanctions, further claiming that working at Nobitex constituted valid military service for Iran. This incident occurred amidst escalating military tensions between Israel and Iran, including significant Israeli strikes inside Iran earlier that week.

Nobitex confirmed unauthorized access to a portion of its hot wallets, which were immediately suspended upon detection. The exchange assured users that their assets remained secure according to cold storage standards and that only assets within the compromised hot wallets were affected. Nobitex pledged to compensate all damages using its insurance fund and company resources. Blockchain security firm Cyvers, through senior security operations lead Hakan Unal, assessed that the exploit likely resulted from a critical failure in access controls, enabling attackers to infiltrate internal systems and drain hot wallets across multiple chains. Unal noted the stolen funds remained unmoved following the theft. Hacken security researcher Yehor Rudytsia characterized the attack as a political statement rather than a typical financially motivated theft, pointing out that stolen assets across more than 20 tokens on EVM chains were sent to clean burner addresses, potentially limiting recovery options except for possible USDT stablecoin reissuance. Data from Arkham indicated a sharp decline in the total value held in the Nobitex-labeled wallet, falling over 90% from over $1.8 billion on June 16 to $96 million by June 18; however, Cyvers' Unal clarified this likely reflected routine hot wallet migrations by Nobitex and not additional losses. The breach contributed to the 2025 crypto industry hack total exceeding $2.1 billion, predominantly attributed to wallet compromises and operational failures according to CertiK co-founder Ronghui Gu.
