In one of the most significant cyber attacks to hit the Iranian financial sector, hackers allegedly linked to Israel have siphoned off over $90 million in cryptocurrencies from Nobitex, Iran’s leading crypto exchange, according to blockchain analytics firms.
The group claiming responsibility—Gonjeshke Darande (translated as Predatory Sparrow)—shared what they alleged to be the complete source code of Nobitex on Telegram. In a dramatic statement, they declared that “all assets left in Nobitex are now entirely out in the open,” suggesting a total breach of the platform’s systems.
Cybersecurity Experts Highlight Political Motive
Blockchain intelligence company Elliptic revealed that the stolen funds were transferred to crypto wallets embedded with messages condemning Iran’s Revolutionary Guard Corps (IRGC). Analysts at Elliptic believe this was a politically motivated act rather than one intended for financial gain, as many of the wallets used appear to have destroyed the funds intentionally.
Adding to the political undertone, the hackers accused Nobitex of helping the Iranian government sidestep international sanctions and channel funds to militant proxies such as Hamas and Yemen’s Houthis. According to the group’s statements on social media platform X, the attack was also a response to the Iranian regime’s nuclear activities and regional interventions.
Nobitex Confirms Security Breach
Nobitex responded via a post on X, confirming unauthorized access to its systems. Both its website and mobile app have been taken offline while the exchange assesses the extent of the breach. The platform has yet to release an official incident report but has acknowledged the cyber intrusion.
Cryptocurrencies Targeted Include Bitcoin, Ethereum, Dogecoin
The cyberattack reportedly affected various digital assets, including Bitcoin, Ethereum, and Dogecoin, according to Chainalysis‘ Head of National Security Intelligence, Andrew Fierman. He noted that while Iran’s crypto market is relatively small compared to global standards, the magnitude of this theft makes it a notable incident in the cybersecurity landscape.
Geopolitical Context: Cyber Warfare Escalates
The hack comes in the wake of heightened tensions between Iran and Israel, sparked by Israeli strikes on Iranian nuclear infrastructure and subsequent missile responses from Tehran. Earlier in the week, Gonjeshke Darande claimed to have executed a cyberattack on Bank Sepah, one of Iran’s largest state-run banks, erasing sensitive data in the process.
The group has a track record of high-profile operations, including a 2021 cyber strike on Iranian gas stations and a 2022 attack on a steel factory that caused a massive fire. While Israeli media frequently attribute Gonjeshke Darande to the Israeli government, official confirmation has never been issued.
Involvement of High-Profile Figures Alleged
Elliptic further reported links between Nobitex and individuals close to Supreme Leader Ali Khamenei, and suggested that sanctioned IRGC operatives had actively used the platform for cross-border fund transfers.
Global Concerns Over Crypto and Sanctions Evasion
The incident has reignited concerns over how cryptocurrency platforms may be exploited to evade sanctions, particularly in regions under heavy financial restrictions. In 2024, U.S. Senators Elizabeth Warren and Angus King had publicly expressed concerns over Iran’s use of digital currencies for such purposes.
Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
USDC 
Wrapped SOL 
Lido Staked Ether 
TRON 
Dogecoin 