Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 237 · Private Key Compromise

Nobitex Politically-Motivated Burn

$90M+ drained from Iran's largest exchange by Predatory Sparrow, then burned to addresses tagged with anti-IRGC messages — a destruction-not-profit hack.

Date:
Victim: Nobitex
Status:
Funds Stolen:
Attribution: Gonjeshke Darande / Predatory Sparrow

On June 17, 2025, Nobitex — by volume the largest cryptocurrency exchange in Iran — was drained of more than $90 million in customer assets across at least four chains. What set the incident apart was the destination of the funds: addresses whose private keys provably do not exist, with vanity prefixes spelling anti-IRGC slogans. The money was not stolen. It was deliberately destroyed.

What happened

A group calling itself Gonjeshke Darande ("Predatory Sparrow") — which security firms including Elliptic have repeatedly linked to Israeli state operatives — claimed responsibility. The group has previously conducted destructive operations against Iranian gas stations, steel plants and rail systems; this was their first major crypto operation.

The compromise reached deep into Nobitex's infrastructure. Funds were swept from hot wallets across Bitcoin, Ethereum, Tron and BNB Chain. Each chunk was sent to a vanity address whose prefix included a profanity-laden reference to the Islamic Revolutionary Guard Corps — addresses for which no private key can plausibly exist, meaning the funds are forever locked.

Two days after the hack, the attackers leaked Nobitex's entire source code, infrastructure documentation, and internal R&D, exposing the architecture of Iran's flagship crypto rails.

Aftermath

  • Nobitex paused all operations and announced it would compensate users from internal reserves and a controlled wallet migration.
  • Elliptic and TRM Labs published analyses of the leaked source code, documenting how Nobitex had been used to evade sanctions and route funds for sanctioned entities.
  • No funds were recovered. None ever will be — they cannot be moved.

Why it matters

The Nobitex incident is the first widely documented case of a state-aligned hack whose explicit goal was destruction rather than profit. It fundamentally changes the threat model for exchanges in geopolitically exposed jurisdictions: the worst case is no longer just losing money, but becoming a target whose infrastructure is leaked as a strategic asset.

Sources & on-chain evidence

  1. [01] bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/pro-israel-hackers-hit-irans-nobitex-exchange-burn-90m-in-crypto/
  2. [02] cnbc.com: https://www.cnbc.com/2025/06/18/pro-israel-hackers-iran-crypto.html
  3. [03] trmlabs.com: https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure
  4. [04] halborn.com: https://www.halborn.com/blog/post/explained-the-nobitex-hack-june-2025