Briefing

On June 18, 2025, Iran’s largest cryptocurrency exchange, Nobitex, suffered a sophisticated cyberattack, resulting in the theft of approximately $90 million in various digital assets from its hot wallets. The attack, attributed to the pro-Israel hacker group Gonjeshke Darande (also known as Predatory Sparrow), was politically motivated, with the stolen funds intentionally burned and anti-regime slogans embedded in transaction addresses. This incident exposed critical vulnerabilities in Nobitex’s internal infrastructure, including a significant lapse in access controls, and led to the leakage of the exchange’s entire source code and internal documentation.

Context

Prior to this incident, the digital asset landscape for exchanges operating in sanctioned jurisdictions like Iran presented a complex security posture, often balancing operational necessity with heightened geopolitical risks. Nobitex, as a dominant player, was known to operate with a degree of privacy engineering designed to evade international sanctions and surveillance, which inherently created a unique attack surface. The prevailing risk factors included the potential for state-sponsored cyber warfare and the inherent vulnerabilities of centralized components, particularly hot wallets, which are prime targets for high-value asset concentration.

Analysis

The incident’s technical mechanics involved the infiltration of Nobitex’s internal infrastructure, leveraging a critical failure in access controls. Attackers gained unauthorized access to the exchange’s hot wallet system, enabling them to drain $90 million in cryptocurrencies. The compromise was not merely a financial heist; the attackers, Gonjeshke Darande, demonstrated their political intent by burning the stolen funds and embedding anti-regime messages in the transaction data. Further, the breach escalated with the leakage of Nobitex’s complete source code and infrastructure documentation, providing an unprecedented blueprint of the exchange’s operational design, including its mechanisms for sanctions evasion.

Parameters

  • Protocol Targeted → Nobitex Exchange
  • Attack Vector → Internal Infrastructure Infiltration & Access Control Failure
  • Financial Impact → $90 Million
  • Attacker Group → Gonjeshke Darande (Predatory Sparrow)
  • Motivation → Geopolitical / Political Statement
  • Assets Affected → Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, Ton
  • Key Consequence → Source Code and Infrastructure Documentation Leak

Outlook

In the immediate aftermath, Nobitex initiated a comprehensive security overhaul, including migrating all user wallets to new addresses and advising users against depositing funds to old ones. This incident underscores the severe contagion risk of geopolitical cyberattacks on centralized crypto infrastructure, particularly for exchanges operating in high-risk environments. It will likely establish new best practices for access control, supply chain security, and incident response, especially regarding politically motivated breaches that prioritize disruption over financial gain. Protocols must re-evaluate their security postures, recognizing that advanced persistent threats can target infrastructure beyond smart contract logic.

Verdict

The Nobitex breach serves as a stark reminder that geopolitical tensions can manifest as sophisticated cyberattacks, fundamentally challenging the security and operational integrity of digital asset exchanges, particularly those within sanctioned regimes.

Signal Acquired from → TRM Labs
