Hackers Burn $90M in Crypto in Strike on Iran’s Nobitex

Israel vs. Iran

In a bold and highly charged cyberattack, one of Iran’s largest cryptocurrency exchanges, Nobitex, was hit by a sophisticated hacking group this week, resulting in the destruction of nearly $90 million worth of digital assets. The attack has once again spotlighted the volatile intersection of geopolitics and digital finance in the Middle East.

The operation was claimed by Gonjeshke Darande — better known internationally as Predatory Sparrow — a hacking collective with a history of targeting key infrastructure within Iran. The group, believed by many analysts to be aligned with Israeli interests, announced on Wednesday that it had breached Nobitex’s systems, seizing funds and allegedly threatening to release the exchange’s proprietary source code.

This marks the group’s second high-profile attack in as many days. On Tuesday, Predatory Sparrow took responsibility for a damaging cyberattack against Iran’s state-owned Bank Sepah, a move that came amid escalating hostilities between Israel and Iran, including retaliatory missile exchanges earlier this year.

Nobitex’s website was swiftly pulled offline following the breach. In a statement posted to X (formerly Twitter), the company acknowledged it had experienced “unauthorized access” to its systems and was taking its services offline for a thorough review. Attempts to reach Nobitex’s support channels on Telegram went unanswered, while the hackers themselves remained silent following their initial announcement.

Predatory Sparrow has become a notorious name in cybersecurity circles for its precise and high-impact attacks. In 2021, the group’s cyber strike led to the shutdown of gas stations across Iran. A year later, it targeted a major Iranian steel plant, triggering a large industrial fire — one of the rare cases where cyber warfare visibly crossed into physical-world damage.

Though Israel has never officially claimed ties to the group, Israeli media routinely describe Predatory Sparrow as a pro-Israeli hacking unit operating in alignment with the country’s strategic cyber interests.

This week’s crypto heist didn’t follow the typical playbook. According to blockchain forensics firm TRM Labs, the hackers moved the stolen funds into wallets they themselves controlled — but intriguingly, the wallets appear designed to be inaccessible, meaning the attackers essentially burned the funds. In a blog post, blockchain analytics firm Elliptic said this was a deliberate political statement aimed at both Nobitex and the Islamic Revolutionary Guard Corps (IRGC), a powerful military and intelligence institution within Iran.

Elliptic also provided evidence linking Nobitex to transactions with wallets associated with Palestinian Islamic Jihad, Hamas, and Yemen’s Houthis — groups hostile to Israel and designated as terrorist organizations by several Western countries. These revelations are consistent with long-standing allegations that Iran uses cryptocurrency platforms to skirt international sanctions and covertly finance proxy operations in the region.

In fact, concerns about Nobitex’s role in sanctions evasion are not new. U.S. Senators Elizabeth Warren and Angus King addressed the issue directly in a May 2024 letter to Biden administration officials, citing earlier Reuters investigations from 2022 that detailed how Iranian authorities leveraged Nobitex to funnel money out of the heavily sanctioned country.

Andrew Fierman, head of national security intelligence at Chainalysis, confirmed the scale of the financial damage in a statement to Reuters, describing the lost sum as roughly $90 million. Given that the funds were rendered irretrievable, Fierman believes the operation was driven more by geopolitical messaging than financial gain. He added that Chainalysis has previously observed IRGC-affiliated ransomware operations using Nobitex as a cash-out platform and facilitating transactions for proxy groups tied to Tehran.

Additional insight

It’s worth noting that Predatory Sparrow’s operations often coincide with moments of heightened regional tension. In previous attacks, the group has demonstrated a level of technical sophistication typically associated with state-backed operations. Cybersecurity experts have observed the group’s ability to navigate complex industrial systems and financial networks, skills rarely seen outside of well-resourced national cyber units.

In light of these developments, Nobitex and other Iranian exchanges are likely to face intensified scrutiny, not just from regional adversaries but from international regulators and blockchain security firms eager to cut off channels for illicit finance and destabilizing state activity. The incident serves as yet another stark reminder of how cryptocurrencies remain a potent weapon in modern geopolitical conflict, not just as financial tools, but as instruments of public messaging, sabotage, and asymmetric warfare.

