A politically charged cyberattack has rocked Iran’s cryptocurrency market. On June 18, 2025, pro-Israel hacking group Predatory Sparrow (also known as Gonjeshke Darande) claimed responsibility for an attack on Nobitex—Iran’s largest crypto exchange—resulting in the destruction of over $90 million worth of cryptocurrency.
The group didn’t just steal the crypto. They burned it.
Nobitex Breach Confirmed: Funds Lost, Systems Offline
The breach was first acknowledged publicly by Nobitex through its official X (formerly Twitter) account in the early hours of June 19:
“This morning, June 19, our technical team detected signs of unauthorized access to a portion of our reporting infrastructure and hot wallet.
Immediately upon detection, all access was suspended and our internal security teams are closely investigating the extent of the incident.”
Following this announcement, Nobitex’s platform went offline. At the time of writing, the website remains inaccessible.
Shortly after the company’s statement, Predatory Sparrow claimed responsibility. The group warned of plans to leak Nobitex’s internal source code and sensitive network data within 24 hours and accused the exchange of enabling Iran’s alleged financial support of terrorism.
“We Burned the Money to Send a Message”
Blockchain forensics firm Elliptic has confirmed that the hackers drained approximately $90 million from Nobitex hot wallets. But instead of funneling the funds into mixers or cold storage wallets, the attackers sent the stolen crypto to so-called vanity addresses—wallets that contain politically charged phrases like “F*ckIRGCterrorists” embedded in their address strings.
Elliptic researchers say the attack was not financially motivated:
“The vanity addresses used by the hackers are generated through brute force methods—
involving the creation of large numbers of cryptographic key pairs until one contains the desired text.
But creating vanity addresses with text strings as long as those used in this hack is computationally infeasible.”
In simpler terms, the stolen cryptocurrency was sent to wallets that nobody can access—ever. It was deliberately destroyed in what appears to be a symbolic move against the Iranian regime.
Political Messaging and Cyber Warfare
Predatory Sparrow’s message accompanying the attack tied Nobitex directly to the Iranian government and the Islamic Revolutionary Guard Corps (IRGC):
“The Nobitex exchange is at the heart of the regime’s efforts to finance terror worldwide…
We, ‘Gonjeshke Darande,’ conducted cyberattacks against Nobitex.”
This isn’t the first time Predatory Sparrow has been linked to politically motivated operations. The group had previously claimed responsibility for attacks on Bank Sepah and other targets allegedly connected to Iran’s financial networks and security forces.
Their tactics—destruction over profit—signal a growing trend where cyberattacks are used for political messaging rather than monetary gain.
Crypto Security and Exchange Risk
While crypto exchanges often focus on preventing theft for financial reasons, this attack highlights a broader threat surface—where politically driven threat actors may aim to destroy, not just steal.
Nobitex is now dealing with operational shutdowns, reputational damage, and the looming release of internal source code. The attack not only disrupted crypto holdings but threatens to expose the company’s backend infrastructure and processes.
If your organization operates in a high-risk sector or politically sensitive region, securing digital assets against ideologically motivated threat actors is as essential as protection from financially motivated ransomware groups.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.
