Iranian crypto exchange Nobitex suffers $90 million hack in apparent political attack

Nobitex, Iran's largest cryptocurrency exchange, has reportedly been hacked, resulting in the theft of over $90 million in various cryptocurrencies including Bitcoin, Ethereum, and Dogecoin. 

Blockchain analytics firms suggest the attackers, a group known as Gonjeshke Darande ("Predatory Sparrow" in Farsi), may have links to Israel and that the hack was politically motivated rather than financially driven.

On Thursday (June 19), Gonjeshke Darande claimed responsibility for the breach and leaked what they asserted was Nobitex's full source code, warning that "ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN." The stolen funds were transferred to addresses containing messages critical of Iran's Revolutionary Guard. Blockchain analytics firm Elliptic indicated that the funds were "effectively burned" to send a political message to Nobitex.

Gonjeshke Darande accused Nobitex on X of assisting the Iranian government in evading Western sanctions related to its nuclear program and in transferring money to militant groups. Nobitex appeared to confirm the attack, with its app and website temporarily down for an assessment of "unauthorized access."

Andrew Fierman, head of national security intelligence at Chainalysis, highlighted the significance of the breach given the relatively modest size of Iran's cryptocurrency market. 

The attack appears to be a consequence of escalating tensions in the Israel-Iran conflict, which recently saw Israel strike Iranian nuclear sites and military officials, leading to retaliatory missile barrages from Tehran. 

This incident follows a separate cyberattack claimed by the group against Iran's state-controlled Bank Sepah on Tuesday (June 17).

Elliptic's findings suggest a deeper connection, stating that relatives of Iran’s Supreme Leader Ali Khamenei are linked to Nobitex, and sanctioned Revolutionary Guard operatives have used the exchange. 

Elliptic also presented evidence that Nobitex had transacted with cryptocurrency wallets controlled by Iranian allies such as Yemen’s Houthis and Hamas.

Gonjeshke Darande has a history of high-profile cyberattacks against Iran, including a 2021 operation that disrupted gas stations and a 2022 attack on a steel mill that caused a significant fire. 

While Israeli media has widely reported ties between Gonjeshke Darande and Israel, the Israeli government has not officially acknowledged any links to the group. 

The incident also brings renewed attention to concerns raised last year by U.S. Senators Elizabeth Warren and Angus King regarding Iran's use of cryptocurrencies to circumvent sanctions.


