Hackers Drain $90 Million From Iran’s Largest Crypto Exchange in Apparent Political Attack
Hackers with alleged links to Israel have drained more than $90 million from Nobitex, Iran’s largest cryptocurrency exchange, in what analysts describe as a politically motivated cyberattack amid escalating tensions between Israel and Iran.
Blockchain analytics firms said the breach targeted a wide range of digital assets, including Bitcoin, Ethereum and Dogecoin. Andrew Fierman, head of national security intelligence at Chainalysis, said the theft was notable given the relatively modest size of Iran’s cryptocurrency market.
The group claiming responsibility, known as Gonjeshke Darande, Farsi for Predatory Sparrow, announced the attack on its Telegram channel and later leaked what it said was Nobitex’s full source code.
“ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” the group wrote, warning users of further exposure.
According to blockchain analytics firm Elliptic, the stolen funds were transferred to cryptocurrency addresses containing messages critical of Iran’s Islamic Revolutionary Guard Corps. Elliptic said the pattern of transfers suggested the operation was not financially motivated.
“The wallets the hackers poured the money into effectively burned the funds in order to send Nobitex a political message,” Elliptic wrote in a blog post, indicating that the attackers may have intentionally rendered the funds irretrievable.
Gonjeshke Darande accused Nobitex of helping Iran’s government evade Western sanctions tied to its advancing nuclear program and of facilitating financial transfers to militant groups. In a post on X, the group claimed the exchange played a role in moving funds on behalf of Tehran.
Nobitex appeared to acknowledge the breach, stating in a post on X that its app and website were offline while it investigated “unauthorised access” to its systems.
Elliptic reported that relatives of Iran’s Supreme Leader, Ali Khamenei, were linked to the exchange, and that sanctioned Revolutionary Guard operatives had used Nobitex. The firm also said it had identified transactions between the exchange and cryptocurrency wallets associated with Iranian allies, including Yemen’s Houthis and Hamas.
The hack comes amid intensifying conflict between Israel and Iran, which erupted after Israeli strikes on Iranian nuclear facilities and military officials last week prompted retaliatory missile attacks from Tehran. The cyberattack on Nobitex follows a separate claim by Gonjeshke Darande that it had destroyed data in a cyber operation targeting Iran’s state-controlled Bank Sepah earlier this week.
The group has previously claimed responsibility for high-profile cyberattacks inside Iran, including a 2021 operation that disrupted fuel distribution systems and paralysed gas stations nationwide, and a 2022 attack on a steel plant that triggered a major fire.
Israeli media have widely reported that Gonjeshke Darande is linked to Israel, though the Israeli government has never formally acknowledged any connection to the group.
Concerns about Iran’s use of cryptocurrency to bypass sanctions have been raised in Washington in recent years. U.S. Senators Elizabeth Warren and Angus King last year highlighted the potential for Tehran to leverage digital assets to evade economic restrictions imposed by the West.
Analysts say the Nobitex breach marks one of the most significant cyber-financial attacks connected to the Israel-Iran conflict to date, and underscores how digital infrastructure has become a central front in modern geopolitical disputes.
