Hackers possibly linked to Israel have stolen over $90 million from Nobitex, Iran’s largest cryptocurrency exchange, according to blockchain analytics firms. The group behind the attack leaked what they claim is the full source code of the company on Thursday, declaring that “assets left in Nobitex are now entirely out in the open” on their Telegram channel.
The stolen funds were sent to cryptocurrency addresses carrying messages critical of Iran’s Revolutionary Guard. Blockchain analytics firm Elliptic suggested the attack was likely politically motivated rather than financially driven, noting that the hackers essentially destroyed the funds to send a message to Nobitex.
The hacker group, known as Gonjeshke Darande, or “Predatory Sparrow” in Farsi, accused Nobitex of assisting Iran’s government in circumventing Western sanctions, aiding its advancing nuclear program, and funding militant groups, as stated in a post on X.
Nobitex appeared to confirm the breach, with its app and website offline as it investigated “unauthorized access” to its systems, according to a statement on X.
The theft involved multiple cryptocurrencies including Bitcoin, Ethereum, and Dogecoin, according to Andrew Fierman, head of national security intelligence at Chainalysis. He emphasized the significance of the breach given the relatively small size of Iran’s cryptocurrency market.
This hack comes amid heightened tensions between Israel and Iran following Israel’s recent strikes on Iran’s nuclear and military sites, which prompted missile attacks from Tehran. The group behind the hack had also claimed responsibility for a cyberattack on Iran’s state-controlled Bank Sepah earlier in the week that destroyed data.
Elliptic revealed that relatives of Iran’s Supreme Leader Ali Khamenei have ties to Nobitex, and that the exchange was used by sanctioned Revolutionary Guard operatives. The firm provided evidence showing that Nobitex had transferred funds to and from cryptocurrency wallets linked to Iranian allies such as Yemen’s Houthis and Hamas.
Gonjeshke Darande has claimed responsibility for previous high-profile cyberattacks against Iran, including a 2021 operation that disrupted gas stations and a 2022 attack on a steel mill that caused a major fire.
Israeli media widely report that Gonjeshke Darande is connected to Israel, although the Israeli government has never officially confirmed any association.
Last year, U.S. Senators Elizabeth Warren and Angus King raised alarms about Iran’s use of cryptocurrencies to bypass sanctions.
