Security

Iran’s Nobitex Exchange Suffers $90 Million Cyberattack via Malware

Politically motivated breach of a major exchange's hot wallets highlights critical risks from compromised credentials and nation-state cyber warfare.
September 21, 20253 min

A detailed perspective showcases advanced, interconnected mechanical components in a high-tech system, characterized by white, dark blue, and glowing electric blue elements. The composition highlights precision engineering with transparent blue conduits indicating dynamic energy or data transfer between modules
Two advanced cylindrical mechanisms, predominantly white and grey, are depicted in a state of dynamic interaction, enveloped by a translucent blue liquid. A brilliant blue energy conduit, emanating from their core interfaces, pulses with luminous particles, symbolizing a critical data exchange

Briefing

Nobitex, Iran’s largest cryptocurrency exchange, was targeted in a sophisticated cyberattack by the “Predatory Sparrow” group, resulting in the drainage of approximately $90 million from its hot wallets. This incident, primarily politically motivated rather than financially driven, exposed critical vulnerabilities in the exchange’s operational security and internal infrastructure. The attackers subsequently “burned” the stolen funds by transferring them to unmovable vanity addresses, signaling a strategic disruption rather than a profit-seeking endeavor.

A white, circuit-patterned cylinder, suggestive of a data conduit, is centrally positioned, passing through a dense, blue-lit toroidal structure. This intricate structure is composed of countless interconnected metallic blocks, radiating a digital glow

Context

Prior to this incident, Nobitex, despite its dominant position in Iran’s crypto market, operated within a highly sanctioned environment, necessitating sophisticated privacy engineering and integration with domestic banking systems to circumvent global monitoring. The prevailing attack surface included the inherent risks of centralized exchange hot wallets and the constant threat of sophisticated social engineering or malware campaigns targeting employee credentials.

Two sophisticated modular components, crafted in white and metallic finishes with vibrant blue luminous elements, are depicted in a dynamic state of connection, exchanging intricate data streams. From one module, a dense cluster of metallic, crystalline data packets and cryptographic primitives emanates, suggesting active information transfer

Analysis

The attack vector leveraged compromised employee credentials, likely obtained through infostealer malware, granting unauthorized access to Nobitex’s internal systems and hot wallets. This breach allowed the “Predatory Sparrow” group to systematically drain approximately $90 million across various cryptocurrencies, including Bitcoin, Ethereum, and Dogecoin, from the exchange’s hot storage. The subsequent public leak of Nobitex’s source code and infrastructure documentation further underscored the depth of the compromise, revealing how the exchange was designed to operate in defiance of sanctions and surveillance. The attackers’ choice to render the funds irretrievable via vanity addresses with anti-regime slogans confirms the incident’s geopolitical motivations.

A clear, ovular capsule with white structural accents sits centered on a deep blue circuit board, illuminated by internal blue light patterns. The circuit board displays complex pathways and a subtle bar graph visualization

Parameters

  • Protocol Targeted → Nobitex Exchange
  • Attack Vector → Compromised Employee Credentials (Infostealer Malware)
  • Financial Impact → ~$90 Million USD
  • Attacker Group → Predatory Sparrow (Gonjeshke Darande)
  • Motivation → Geopolitical / Political Message
  • Assets Drained → Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, Ton
  • Blockchain(s) Affected → Ethereum, Tron (Hot Wallets)
  • Additional Compromise → Source Code & Infrastructure Documentation Leak

A close-up view reveals a complex, futuristic apparatus featuring prominent transparent blue rings at its core, surrounded by dark metallic and silver-toned components. A white, textured material resembling frost or fibrous netting partially covers parts of the structure, particularly on the right and lower left

Outlook

Immediate mitigation for exchanges involves rigorous enhancement of internal access controls, multi-factor authentication for all critical systems, and comprehensive employee cybersecurity training to counter sophisticated malware and phishing campaigns. This incident highlights the escalating risk of nation-state-backed cyberattacks targeting digital asset infrastructure, potentially leading to increased regulatory scrutiny and demands for greater transparency from exchanges operating in sensitive geopolitical regions. The exposure of Nobitex’s sanctions-evasion mechanisms will likely prompt global compliance teams to refine their blockchain intelligence and monitoring frameworks.

The image showcases a high-precision hardware component, featuring a prominent brushed metal cylinder partially enveloped by a translucent blue casing. Below this, a dark, wavy-edged interface is meticulously framed by polished metallic accents, set against a muted grey background

Verdict

This politically charged breach of a major cryptocurrency exchange underscores the critical intersection of digital asset security and geopolitical conflict, demanding a robust, multi-layered defense against evolving state-sponsored threat actors.

Signal Acquired from → TRM Labs

Micro Crypto News Feeds

cryptocurrency exchange

Definition ∞ A cryptocurrency exchange is an online platform where users can purchase, vend, or trade digital assets like Bitcoin and Ethereum.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

wallets

Definition ∞ 'Wallets' are software or hardware applications that store the private and public keys necessary to interact with a blockchain network and manage digital assets.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

digital asset

Definition ∞ A digital asset is a digital representation of value that can be owned, transferred, and traded.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

Tags:

Tags: