Major Iranian Crypto Exchange Nobitex Suffers $100 Million Hack as Attackers Leak Full Source Code

A devastating cyberattack on Nobitex, Iran's largest cryptocurrency exchange, has escalated dramatically as hackers leaked the platform's complete source code following a $100 million theft that appears to be politically motivated rather than financially driven.

Time's up - full source code linked below.

ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.
بازمانده دارایی های شما در نوبیتکس هم اکنون در معرض دید و خطر هستند

But before that, lets meet Nobitex from the inside:

Exchange Deployment (1/8) pic.twitter.com/jiMfBpNXwd

— Gonjeshke Darande (@GonjeshkeDarand) June 19, 2025

The Attack Unfolds

The breach, which occurred on June 18, 2025, initially targeted Nobitex's hot wallets, draining approximately $90-100 million worth of various cryptocurrencies, including Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, and Ton. However, the situation deteriorated further when the perpetrators took to social media to release what they claim is the exchange's entire source code infrastructure.

The hacker group, operating under the name "Gonjeshke Darande" (also known as "Predatory Sparrow"), published an eight-part Twitter thread containing sensitive technical details about Nobitex's operations. Their message was stark: "Time's up — full source code linked below. ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN."

The leaked information reportedly includes server layouts, privacy tools, deployment systems, and other critical infrastructure components that could potentially compromise any remaining user assets on the platform.

READ MORE: Crypto in Crisis: The Full Story Behind the $90 Million Nobitex Hack

Destruction Rather Than Theft

What sets this attack apart from typical cryptocurrency heists is the attackers' apparent motivation. Rather than attempting to launder or profit from the stolen funds, Gonjeshke Darande claims to have deliberately destroyed the assets by sending them to "vanity addresses" without recoverable private keys.

12 hours ago
8 burn addresses burned $90M from the wallets of the regime's favorite sanctions violation tool, Nobitex.

12 hours from now
The source-code of Nobitex will be open to the public, and Nobitex’s walled garden will be without walls. Where do you want your assets to be?…

— Gonjeshke Darande (@GonjeshkeDarand) June 18, 2025

According to blockchain analytics firm Chainalysis, the stolen funds were distributed across multiple methods of permanent destruction. Some assets were sent to Ethereum's notorious burn address (0x...dead wallet), while Bitcoin was directed to addresses with invalid checksums, making them provably unspendable. Additionally, some funds were transferred to wallets labeled with anti-Iranian Revolutionary Guard Corps (IRGC) slogans, underscoring the political nature of the attack.

The analytics firm confirmed that none of the stolen funds were sent to cryptocurrency mixers or exchanges, which would typically be the case if profit were the primary motive. This deliberate destruction of assets worth nearly $100 million represents one of the most significant acts of crypto-economic warfare to date.

Political Motivations and Regional Context

The timing and nature of the attack appear directly linked to escalating tensions between Israel and Iran. The assault followed a series of Israeli airstrikes inside Iranian territory, part of the ongoing military and cyber conflict between the two nations.

Gonjeshke Darande has explicitly framed their actions as retaliation for Iran's role in regional conflicts, repeatedly referring to Nobitex as the country's "favorite sanctions violations tool." The group's pro-Israel stance and their decision to destroy rather than steal the funds suggests this was primarily an act of economic sabotage designed to damage Iran's cryptocurrency infrastructure.

The hackers had previously threatened to release internal source code and infrastructure data unless Nobitex users withdrew their funds, indicating they had been planning this escalation from the beginning.

Nobitex's Critical Role in Iran's Economy

Understanding the full impact of this attack requires recognizing Nobitex's outsized importance to Iran's financial ecosystem. The exchange serves as a crucial gateway for Iranian citizens and businesses to access global cryptocurrency markets, particularly important given the country's isolation from traditional international banking systems due to comprehensive sanctions.

According to Chainalysis data, Nobitex has processed over $11 billion in total inflows since its inception, exceeding the combined volume of Iran's ten next-largest cryptocurrency exchanges. This makes it the backbone of the country's digital asset economy and a critical piece of infrastructure for circumventing international sanctions.

The exchange's significance extends beyond legitimate commerce. Blockchain analysis has linked Nobitex to wallets associated with various sanctioned entities, including ransomware operators affiliated with Iran's Islamic Revolutionary Guard Corps, pro-Hamas media channels such as Gaza Now, and sanctioned Russian cryptocurrency exchanges, including Garantex and Bitpapa.

Government Response and Market Impact

The Iranian government's response has been swift and restrictive. The Central Bank of Iran has imposed an operational curfew on all domestic cryptocurrency exchanges, limiting their operating hours to between 10 AM and 8 PM. This unprecedented measure reflects the authorities' concern about systemic risks to the country's crypto ecosystem.

Chainalysis analysts suggest this curfew "could signal increasing pressure on exchanges operating within Iran, as the regime attempts to manage systemic risk in a market that plays an outsized role in navigating around global sanctions."

The restrictions highlight how dependent Iran has become on cryptocurrency infrastructure for economic activities, making exchanges like Nobitex particularly vulnerable to both cyber attacks and regulatory crackdowns.

Technical Security Implications

The release of Nobitex's source code represents a severe escalation that could have far-reaching consequences beyond the immediate financial losses. Source code leaks typically expose vulnerabilities, architectural weaknesses, and operational procedures that could be exploited by other malicious actors.

For users still maintaining assets on the platform, the code leak creates additional security risks. The hackers' warning that "assets left in Nobitex are now entirely out in the open" suggests they believe the leaked information could enable further attacks on the platform's remaining infrastructure.

Nobitex has responded by stating that user assets remain secure in cold storage and that all hot wallets have been emptied as a precautionary measure. The exchange has also confirmed that its reserve fund will fully cover the losses and that it has implemented additional security measures, including migrating funds to new offline wallets.

Broader Implications for Crypto Security

This incident represents a new paradigm in cryptocurrency attacks, where geopolitical motivations drive destructive rather than profitable cybercrime. The attackers' willingness to permanently destroy $100 million in assets purely for political impact demonstrates how cryptocurrency exchanges have become targets in broader international conflicts.

The attack also highlights the vulnerabilities facing exchanges operating in sanctioned jurisdictions. While Nobitex served legitimate users seeking access to global financial markets, its connections to sanctioned entities made it a high-value target for politically motivated hackers.

For the broader cryptocurrency industry, the incident underscores the need for enhanced security measures, particularly for exchanges operating in geopolitically sensitive regions. The combination of financial incentives and political motivations creates a complex threat landscape that traditional security frameworks may struggle to address.

Looking Forward

As Nobitex works to recover from this devastating attack, the incident's implications extend far beyond a single exchange. The successful targeting of Iran's largest cryptocurrency platform demonstrates how digital assets have become both tools of economic warfare and casualties of geopolitical conflicts.

The exchange's efforts to restore operations will likely face ongoing challenges, particularly given the source code leak and the broader restrictions imposed by Iranian authorities. Users and industry observers will be watching closely to see whether Nobitex can rebuild trust and security in the wake of such a comprehensive breach.

This attack may also prompt other exchanges in politically sensitive regions to reassess their security postures and operational procedures, recognizing that they may face threats motivated by factors beyond simple financial gain. As cryptocurrency adoption continues to grow globally, the intersection of digital assets and international conflicts is likely to produce more incidents of this nature, requiring new approaches to both cybersecurity and regulatory oversight.