Pro-Israel Cyber Operatives Compromise Iran’s Nobitex Exchange, Resulting in $90 Million Cryptocurrency Loss
The hacking group known as “Predatory Sparrow,” which is associated with pro-Israel motivations, has reportedly executed a significant cyber operation against Nobitex, Iran’s leading cryptocurrency exchange. The group claims to have extracted over $90 million in cryptocurrency, subsequently destroying the funds in a display of political intent.
This incident took place on June 18, 2025, with Nobitex initially disclosing the security breach via X (formerly Twitter) at 2:24 AM EST. In their announcement, they indicated, “This morning, June 19, our technical team detected signs of unauthorized access to a portion of our reporting infrastructure and hot wallet.” They promptly initiated an access suspension and began an in-depth investigation to ascertain the extent of the breach.
In the wake of the attack, Predatory Sparrow took responsibility via their Gonjeshke Darande X account, asserting their intent to release the source code and internal data of Nobitex that was acquired during the hack. As a result of the incident, Nobitex’s online platform has remained inactive.
In a statement, Predatory Sparrow warned, “After the IRGC’s ‘Bank Sepah’ comes the turn of Nobitex. WARNING! In 24 hours, we will release Nobitex’s source code and internal information from their internal network. Any assets that remain there after that point will be at risk.” They described Nobitex as a critical instrument for the Iranian regime’s financing of terrorism globally, as well as a favored tool for circumventing sanctions.
Blockchain analysis firm Elliptic reported that over $90 million in cryptocurrency was withdrawn from Nobitex’s wallets and redirected to accounts under the hackers’ control. Unusually, rather than exploiting the stolen funds for financial gain, Predatory Sparrow transferred nearly all of the cryptocurrency to vanity addresses. These addresses contain messages directed against the Islamic Revolutionary Guard Corps (IRGC), such as “F*ckIRGCterrorists,” effectively rendering the stolen assets unrecoverable.
Creating vanity addresses necessitates considerable computational power. Elliptic noted that generating addresses containing text strings this long is “computationally infeasible,” so no one, the hackers included, holds the private keys needed to move the funds. Sending the cryptocurrency there was a calculated choice by the hackers to eliminate access to it.
Elliptic emphasized that the hack did not appear to be financially motivated. The vanity addresses involved are generated through brute force techniques, which involve producing vast numbers of cryptographic key pairs to find a match containing the specified text. Given the extensive length of the strings used in this case, such an endeavor is rare.
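To show why analysts treat addresses with long readable strings as burn addresses, the following added example (not from Elliptic or the original article) brute-forces short prefixes against a toy address function and estimates the work for longer ones. The toy derivation (Base58 digits of a SHA-256 hash), the uniform-character model and the rate of 1e9 keys per second are assumptions made for illustration; real chains derive addresses from an elliptic-curve public key.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def toy_address(key: bytes, length: int = 20) -> str:
    """Toy stand-in for key -> address: Base58 digits of SHA-256(key).
    Assumption for illustration; not a real address format."""
    n = int.from_bytes(hashlib.sha256(key).digest(), "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, 58)
        chars.append(B58[r])
    return "".join(chars)

def expected_attempts(prefix_len: int) -> int:
    """Average number of keys to try before an address starts with a chosen
    prefix, assuming each character is uniform over the 58 symbols."""
    return 58 ** prefix_len

def brute_force(prefix: str, max_attempts: int):
    """Try keys 0, 1, 2, ... until the toy address starts with prefix.
    Returns (attempts, address), or None if the budget runs out."""
    if any(c not in B58 for c in prefix):
        raise ValueError("prefix contains non-Base58 characters")
    for i in range(max_attempts):
        addr = toy_address(i.to_bytes(32, "big"))
        if addr.startswith(prefix):
            return i + 1, addr
    return None

def years_to_find(prefix_len: int, keys_per_second: float) -> float:
    """Expected search time in years at a given key-generation rate."""
    return expected_attempts(prefix_len) / keys_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample prefixes: short ones are found quickly.
    for prefix in ("a", "ab", "abc"):
        print(prefix, brute_force(prefix, 5_000_000),
              "expected about", expected_attempts(len(prefix)))
    # 18 is the character count of the string quoted above, as printed.
    for n in (6, 10, 18):
        print(n, "chars:", f"{years_to_find(n, 1e9):.3g} years at 1e9 keys/s")
```

Each extra character multiplies the expected work by 58, which is why a key matching a string of that length cannot have been found by search.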
Furthermore, Elliptic’s investigation into Nobitex has revealed potential connections to the IRGC and Iranian leadership, with previous reports linking the exchange to relatives of Supreme Leader Ali Khamenei and various IRGC-associated business interests. Nobitex is believed to have facilitated fund transfers for individuals connected to the DiskCryptor and BitLocker ransomware operations.
Additionally, the Predatory Sparrow group had conducted a prior cyber breach against the Iran-affiliated Bank Sepah, focusing on disruption rather than financial acquisition.
These coordinated attacks arise at a time when Iran is increasingly isolating itself from global internet connectivity in an effort to mitigate the risk of cyber threats to its critical infrastructure.