Security

Iran’s Nobitex Exchange Suffers $90 Million Cyberattack via Malware

Politically motivated breach of a major exchange's hot wallets highlights critical risks from compromised credentials and nation-state cyber warfare.
September 21, 20253 min

A luminous white sphere, encircled by a ring, anchors a complex arrangement of sharp, glowing blue crystalline structures and darker polygonal forms. Thin, flexible lines interweave through this core, creating a dynamic, interconnected system with several smaller white orbs floating nearby, against a blurred background of similar elements
The image displays a futuristic, abstract metallic blue object with silver accents and a prominent circular recess revealing a glowing blue sphere of illuminated dots. The object's surface exhibits subtle scratches, adding texture to its sleek design

Briefing

Nobitex, Iran’s largest cryptocurrency exchange, was targeted in a sophisticated cyberattack by the “Predatory Sparrow” group, resulting in the drainage of approximately $90 million from its hot wallets. This incident, primarily politically motivated rather than financially driven, exposed critical vulnerabilities in the exchange’s operational security and internal infrastructure. The attackers subsequently “burned” the stolen funds by transferring them to unmovable vanity addresses, signaling a strategic disruption rather than a profit-seeking endeavor.

A polished metallic square plate, featuring a prominent layered circular component, is securely encased within a translucent, wavy, blue-tinted material. The device's sleek, futuristic design suggests advanced technological integration

Context

Prior to this incident, Nobitex, despite its dominant position in Iran’s crypto market, operated within a highly sanctioned environment, necessitating sophisticated privacy engineering and integration with domestic banking systems to circumvent global monitoring. The prevailing attack surface included the inherent risks of centralized exchange hot wallets and the constant threat of sophisticated social engineering or malware campaigns targeting employee credentials.

The image features a close-up of an abstract, futuristic object composed of translucent blue and clear flowing forms, integrated with brushed silver cylindrical components. These metallic elements display concentric ring patterns on their visible ends, contrasting with the organic shapes

Analysis

The attack vector leveraged compromised employee credentials, likely obtained through infostealer malware, granting unauthorized access to Nobitex’s internal systems and hot wallets. This breach allowed the “Predatory Sparrow” group to systematically drain approximately $90 million across various cryptocurrencies, including Bitcoin, Ethereum, and Dogecoin, from the exchange’s hot storage. The subsequent public leak of Nobitex’s source code and infrastructure documentation further underscored the depth of the compromise, revealing how the exchange was designed to operate in defiance of sanctions and surveillance. The attackers’ choice to render the funds irretrievable via vanity addresses with anti-regime slogans confirms the incident’s geopolitical motivations.

The image displays a close-up of a sleek, transparent electronic device, revealing its intricate internal components. A prominent brushed metallic chip, likely a secure element, is visible through the blue-tinted translucent casing, alongside a circular button and glowing blue circuitry

Parameters

  • Protocol Targeted → Nobitex Exchange
  • Attack Vector → Compromised Employee Credentials (Infostealer Malware)
  • Financial Impact → ~$90 Million USD
  • Attacker Group → Predatory Sparrow (Gonjeshke Darande)
  • Motivation → Geopolitical / Political Message
  • Assets Drained → Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, Ton
  • Blockchain(s) Affected → Ethereum, Tron (Hot Wallets)
  • Additional Compromise → Source Code & Infrastructure Documentation Leak

A futuristic, rectangular device with rounded corners is prominently displayed, featuring a translucent blue top section that appears frosted or icy. A clear, domed element on top encapsulates a blue liquid or gel with a small bubble, set against a dark grey/black base

Outlook

Immediate mitigation for exchanges involves rigorous enhancement of internal access controls, multi-factor authentication for all critical systems, and comprehensive employee cybersecurity training to counter sophisticated malware and phishing campaigns. This incident highlights the escalating risk of nation-state-backed cyberattacks targeting digital asset infrastructure, potentially leading to increased regulatory scrutiny and demands for greater transparency from exchanges operating in sensitive geopolitical regions. The exposure of Nobitex’s sanctions-evasion mechanisms will likely prompt global compliance teams to refine their blockchain intelligence and monitoring frameworks.

A detailed, close-up view shows a light blue, textured surface forming a deep, circular indentation. A spherical object resembling a full moon floats centrally above this void, symbolizing a digital asset experiencing significant price action or 'mooning' within the DeFi landscape

Verdict

This politically charged breach of a major cryptocurrency exchange underscores the critical intersection of digital asset security and geopolitical conflict, demanding a robust, multi-layered defense against evolving state-sponsored threat actors.

Signal Acquired from → TRM Labs

Micro Crypto News Feeds

cryptocurrency exchange

Definition ∞ A cryptocurrency exchange is an online platform where users can purchase, vend, or trade digital assets like Bitcoin and Ethereum.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

wallets

Definition ∞ 'Wallets' are software or hardware applications that store the private and public keys necessary to interact with a blockchain network and manage digital assets.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

digital asset

Definition ∞ A digital asset is a digital representation of value that can be owned, transferred, and traded.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

Tags:

Tags: