Security

Iran’s Nobitex Exchange Suffers $90 Million Cyberattack via Malware

Politically motivated breach of a major exchange's hot wallets highlights critical risks from compromised credentials and nation-state cyber warfare.
September 21, 20253 min

The image displays an abstract composition of metallic, cylindrical objects interspersed with voluminous clouds of white and blue smoke. A glowing, textured sphere resembling the moon is centrally positioned among the metallic forms
A sleek, silver-edged device, resembling a hardware wallet, is embedded within a pristine, undulating white landscape, evoking a secure digital environment. Its screen and surrounding area are adorned with translucent, blue-tinted ice shards, symbolizing cryptographic primitives and immutable ledger entries

Briefing

Nobitex, Iran’s largest cryptocurrency exchange, was targeted in a sophisticated cyberattack by the “Predatory Sparrow” group, resulting in the drainage of approximately $90 million from its hot wallets. This incident, primarily politically motivated rather than financially driven, exposed critical vulnerabilities in the exchange’s operational security and internal infrastructure. The attackers subsequently “burned” the stolen funds by transferring them to unmovable vanity addresses, signaling a strategic disruption rather than a profit-seeking endeavor.

A futuristic metallic device, possibly a satellite or specialized node, is partially submerged in a calm body of water. From its lower section, a vigorous stream of bright blue liquid, intermingled with white foam, forcefully ejects, creating dynamic ripples and splashes on the water's surface

Context

Prior to this incident, Nobitex, despite its dominant position in Iran’s crypto market, operated within a highly sanctioned environment, necessitating sophisticated privacy engineering and integration with domestic banking systems to circumvent global monitoring. The prevailing attack surface included the inherent risks of centralized exchange hot wallets and the constant threat of sophisticated social engineering or malware campaigns targeting employee credentials.

A close-up view reveals a complex blue and white mechanical or digital assembly, prominently featuring a glowing, spherical blue core surrounded by concentric white rings and detailed metallic components. The surrounding structure consists of dark blue panels with etched silver circuitry patterns, suggesting an advanced technological device

Analysis

The attack vector leveraged compromised employee credentials, likely obtained through infostealer malware, granting unauthorized access to Nobitex’s internal systems and hot wallets. This breach allowed the “Predatory Sparrow” group to systematically drain approximately $90 million across various cryptocurrencies, including Bitcoin, Ethereum, and Dogecoin, from the exchange’s hot storage. The subsequent public leak of Nobitex’s source code and infrastructure documentation further underscored the depth of the compromise, revealing how the exchange was designed to operate in defiance of sanctions and surveillance. The attackers’ choice to render the funds irretrievable via vanity addresses with anti-regime slogans confirms the incident’s geopolitical motivations.

A high-tech, white modular apparatus is depicted in a state of connection, with two primary sections slightly apart, showcasing complex internal mechanisms illuminated by intense blue light. A brilliant, pulsating blue energy stream, representing a secure data channel, actively links the two modules

Parameters

  • Protocol Targeted → Nobitex Exchange
  • Attack Vector → Compromised Employee Credentials (Infostealer Malware)
  • Financial Impact → ~$90 Million USD
  • Attacker Group → Predatory Sparrow (Gonjeshke Darande)
  • Motivation → Geopolitical / Political Message
  • Assets Drained → Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, Ton
  • Blockchain(s) Affected → Ethereum, Tron (Hot Wallets)
  • Additional Compromise → Source Code & Infrastructure Documentation Leak

A sophisticated internal mechanism, featuring polished metallic bearings and gears alongside angular blue structural components, is partially revealed. This intricate system is overlaid and partially encased by a translucent, white, porous material composed of countless interconnected spheres, creating a resilient network

Outlook

Immediate mitigation for exchanges involves rigorous enhancement of internal access controls, multi-factor authentication for all critical systems, and comprehensive employee cybersecurity training to counter sophisticated malware and phishing campaigns. This incident highlights the escalating risk of nation-state-backed cyberattacks targeting digital asset infrastructure, potentially leading to increased regulatory scrutiny and demands for greater transparency from exchanges operating in sensitive geopolitical regions. The exposure of Nobitex’s sanctions-evasion mechanisms will likely prompt global compliance teams to refine their blockchain intelligence and monitoring frameworks.

A transparent wearable device with a circular display is positioned on a detailed blue circuit board. The electronic pathways on the board represent the complex infrastructure of blockchain technology

Verdict

This politically charged breach of a major cryptocurrency exchange underscores the critical intersection of digital asset security and geopolitical conflict, demanding a robust, multi-layered defense against evolving state-sponsored threat actors.

Signal Acquired from → TRM Labs

Micro Crypto News Feeds

cryptocurrency exchange

Definition ∞ A cryptocurrency exchange is an online platform where users can purchase, vend, or trade digital assets like Bitcoin and Ethereum.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

wallets

Definition ∞ 'Wallets' are software or hardware applications that store the private and public keys necessary to interact with a blockchain network and manage digital assets.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

digital asset

Definition ∞ A digital asset is a digital representation of value that can be owned, transferred, and traded.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

Tags:

Tags: