Briefing

On June 18, 2025, Iran’s largest cryptocurrency exchange, Nobitex, suffered a sophisticated cyberattack, resulting in the theft of approximately $90 million in various digital assets from its hot wallets. The attack, attributed to the pro-Israel hacker group Gonjeshke Darande (also known as Predatory Sparrow), was politically motivated, with the stolen funds intentionally burned and anti-regime slogans embedded in transaction addresses. This incident exposed critical vulnerabilities in Nobitex’s internal infrastructure, including a significant lapse in access controls, and led to the leakage of the exchange’s entire source code and internal documentation.

Context

Prior to this incident, the digital asset landscape for exchanges operating in sanctioned jurisdictions like Iran presented a complex security posture, often balancing operational necessity with heightened geopolitical risks. Nobitex, as a dominant player, was known to operate with a degree of privacy engineering designed to evade international sanctions and surveillance, which inherently created a unique attack surface. The prevailing risk factors included the potential for state-sponsored cyber warfare and the inherent vulnerabilities of centralized components, particularly hot wallets, which are prime targets for high-value asset concentration.

Analysis

The incident’s technical mechanics involved the infiltration of Nobitex’s internal infrastructure, leveraging a critical failure in access controls. Attackers gained unauthorized access to the exchange’s hot wallet system, enabling them to drain $90 million in cryptocurrencies. The compromise was not merely a financial heist; the attackers, Gonjeshke Darande, demonstrated their political intent by burning the stolen funds and embedding anti-regime messages in the transaction data. Further, the breach escalated with the leakage of Nobitex’s complete source code and infrastructure documentation, providing an unprecedented blueprint of the exchange’s operational design, including its mechanisms for sanctions evasion.

Parameters

  • Protocol Targeted → Nobitex Exchange
  • Attack Vector → Internal Infrastructure Infiltration & Access Control Failure
  • Financial Impact → $90 Million
  • Attacker Group → Gonjeshke Darande (Predatory Sparrow)
  • Motivation → Geopolitical / Political Statement
  • Assets Affected → Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, Ton
  • Key Consequence → Source Code and Infrastructure Documentation Leak

Outlook

In the immediate aftermath, Nobitex initiated a comprehensive security overhaul, including migrating all user wallets to new addresses and advising users not to deposit funds to the old ones. This incident underscores the severe contagion risk that geopolitical cyberattacks pose to centralized crypto infrastructure, particularly for exchanges operating in high-risk environments. It will likely establish new best practices for access control, supply chain security, and incident response, especially for politically motivated breaches that prioritize disruption over financial gain. Exchanges and protocols must re-evaluate their security postures, recognizing that advanced persistent threats can target infrastructure well beyond smart contract logic.

Verdict

The Nobitex breach serves as a stark reminder that geopolitical tensions can manifest as sophisticated cyberattacks, fundamentally challenging the security and operational integrity of digital asset exchanges, particularly those within sanctioned regimes.

Signal Acquired from → TRM Labs