Iran’s Largest Crypto Exchange Targeted in $90M Hack


Today (June 18, 2025), Nobitex, the largest cryptocurrency exchange in Iran, was targeted in a cyberattack that resulted in the theft of nearly USD 90 million across multiple blockchains including TRON, Ethereum, and Bitcoin. Hacking group Gonjeshke Darande, also known as Predatory Sparrow, which has reported links to Israel, has claimed responsibility for the attack.

Gonjeshke Darande X post claiming responsibility ahead of the Nobitex attack

On June 17, 2025, the group also claimed responsibility for an attack on Iranian bank Sepah that disrupted services and allegedly destroyed Islamic Revolutionary Guard Corps (IRGC) data, which it said was in retaliation for the bank funding Iran’s military and nuclear programs.

Gonjeshke Darande X post claiming to have destroyed IRGC data in Bank Sepah attack

The attacks come amid the escalating Israel-Iran conflict, which began with Israel targeting Iran’s military and nuclear sites on June 13, 2025. The flow of funds out of Iranian exchanges has declined since June 13, with multiple Iranian exchanges notifying their users of temporary closures of the Toman/Tether trading markets, generally between 8:30pm and 9:00am (Iran Standard Time), by order of the Central Bank of Iran.

TRM data and insights

Today’s exploit began at approximately 6:00am (Iran Standard Time) with funds being funneled to vanity addresses — blockchain addresses that incorporate custom character strings sometimes used by actors to create a recognizable identity. The vanity addresses all contain variations of the phrase “F*ckiRGCTerrorists”, visible in the addresses. So far, the hackers have not moved the funds from the initial exploit wallets. The TRM graph below visualizes groups of structured transactions that the hackers used on TRON to funnel funds from Nobitex.

Iran’s use of crypto

As discussed in TRM’s May 18, 2025 blog post New Drones, Old Tactics: How Iran Is Experimenting With Crypto To Fund Conflict and Evade Sanctions, crypto infrastructure is playing a growing role in how Iran adapts to the challenges of long-standing international sanctions. Iranian entities have experimented with virtual assets as both a financial workaround and as a strategic asset to support broader geopolitical ambitions — including the proliferation of advanced weapons technology.

The likely role of Nobitex in sanctions evasion and conflict funding

Exchanges such as Nobitex help facilitate billions in crypto transactions, many of which are routed through platforms that permit large withdrawals without enforcing robust Know Your Customer (KYC) checks. Nobitex, among other Iranian exchanges, has also utilized advanced techniques for moving customer funds, to decrease the cost of operations and to obfuscate the destination and origin of funds from global services.

Although Iranian crypto exchanges like Nobitex likely facilitate transactions that support the regime’s sanctions evasion and geopolitical strategy, these platforms are also used by ordinary citizens. For some Iranians, virtual assets represent a lifeline amid inflation and economic isolation — underscoring the dual-use nature of crypto infrastructure in Iran’s digital economy.

What comes next

This latest incident highlights how crypto exchanges, once peripheral to conflict, are increasingly becoming strategic targets for geopolitical actors. On February 21, 2025, North Korea’s Lazarus Group hacked Dubai-based exchange Bybit, stealing a record USD 1.5 billion. Such attacks underscore that state-aligned groups are now using cyberattacks to project power and fund operations.

TRM will continue monitoring the situation and provide updates as new on-chain movements emerge.


Nobitex hack FAQs

Who is Gonjeshke Darande and what is their role in the Nobitex hack?

Gonjeshke Darande, also known as Predatory Sparrow, is a state-aligned hacking group that has previously been linked to Israel. They claimed responsibility for the cyberattack on Nobitex, which led to the theft of approximately USD 90 million in cryptocurrency across blockchains like TRON, Ethereum, and Bitcoin. The group is also known for targeting Iranian infrastructure, including a recent attack on Bank Sepah, indicating their broader involvement in cyber operations against Iranian institutions.

Why was Nobitex targeted in this cyberattack?

Nobitex, Iran’s largest crypto exchange, likely presented a strategic target due to its central role in facilitating large volumes of virtual asset transactions — some of which may support Iran’s sanctions evasion efforts and geopolitical strategies. This includes its possible use by state-aligned entities to obfuscate fund movements. However, Nobitex is also used by ordinary citizens, illustrating the dual-use nature of virtual asset platforms in Iran’s digital economy.

How did the attackers execute the hack?

According to TRM analysis, the exploit began around 6:00am Iran Standard Time and involved the use of vanity blockchain addresses that contained anti-IRGC messaging. These addresses were used to route stolen funds in a structured way, particularly on the TRON network. As of now, the stolen funds have not moved from the original wallets associated with the hack.

What does this incident reveal about the evolving role of crypto in geopolitical conflicts?

This attack highlights how cryptocurrency platforms are becoming strategic tools and targets in modern geopolitical conflicts. It follows a growing trend where state-aligned hacking groups, such as North Korea’s Lazarus Group, use cyberattacks on exchanges to fund operations. The Nobitex case underscores how cyber threats now intersect with financial infrastructure and national security.

How is TRM Labs responding to the Nobitex hack?

TRM Labs continues to monitor the blockchain for movements of the stolen funds and is providing timely updates as new insights emerge. By leveraging blockchain intelligence, TRM supports efforts to trace the flows and potentially disrupt illicit financial activity. This incident reinforces the importance of proactive monitoring and resilience within the crypto ecosystem.
