Hackers obliterated over $90 million in digital assets from Iran’s largest cryptocurrency exchange, Nobitex, in a politically motivated cyberattack that deliberately destroyed the stolen funds rather than profiting from them. The breach targeted Bitcoin, Ether, Dogecoin, and five other cryptocurrencies, affecting the platform that serves more than 10 million users and handles the majority of Iran’s on-chain crypto activity.
Pro-Israel hackers destroyed $90 million in Iranian cryptocurrency assets in a politically motivated attack targeting the nation’s largest exchange.
Predatory Sparrow, a pro-Israel hacking group also known as Gonjeshke Darande, claimed responsibility for the operation. The attackers utilized sophisticated brute-force methods to generate vanity blockchain wallet addresses, which they used to siphon funds from the exchange. These wallet addresses contained taunts directed toward the Islamic Guard Corps, demonstrating the attack’s political motivations.
The hackers rendered the stolen assets permanently inaccessible by transferring them to wallets without private-key access, effectively “burning” the funds rather than attempting to profit from the theft. Blockchain analysis firms Elliptic and TRM Labs verified the destruction of funds by tracing asset flows into irrecoverable wallets. This unprecedented approach highlighted the attack’s strategic rather than financial objectives. The attack demonstrated characteristics of a zero-day exploit, targeting previously unknown vulnerabilities in the exchange’s security infrastructure.
Predatory Sparrow justified the breach by accusing Nobitex of facilitating sanction evasion and financing groups hostile to Israel, including Hamas, the Houthis, and the IRGC. The group previously targeted Iranian organizations, including Bank Sepah, which suffered widespread ATM outages and service disruptions.
As part of the Nobitex operation, the hackers exposed the exchange’s source code, intensifying the breach’s impact. The cyberattack occurred amid heightened tensions between Israel and Iran, with both countries engaging in ongoing cyber and physical confrontations spanning over a decade. Open-source investigations have identified Nobitex’s ties to relatives of Supreme Leader Ali Khamenei and connections to Iranian government figures.
Iranian state media characterized the incident as an escalation of Israel’s “cyber war” efforts against Iran’s digital infrastructure. Nobitex responded by taking its website and application offline indefinitely, citing unauthorized access concerns.
The platform’s disruption affected both individual and institutional users who relied on the exchange for global crypto market access. The incident exposed significant vulnerabilities within Iran’s crypto infrastructure and established a precedent for politically motivated attacks targeting financial systems for strategic impact rather than monetary gain. Predatory Sparrow has demonstrated a pattern of targeting critical infrastructure, including their 2021 disruption of Iran’s fuel network and a 2022 cyber attack that triggered a fire at a steel plant.
