Which Iranian crypto exchange got hacked in June 2025?
Iran-based crypto exchange Nobitex suffered a hack on June 18. Pro-Israel hacker group Gonjeshke Darande claimed responsibility for the $81-million crypto theft.
Blockchain security analyst ZachXBT alerted the community within the same day of the attack. According to the analyst, hackers exploited a hot wallet failure in the crypto exchange to access and drain wallets.
Nobitex later confirmed that $81 million worth of cryptocurrencies, including Bitcoin (BTC), Ether (ETH), Tron (TRX), Solana (SOL) and Dogecoin (DOGE), was stolen. The exchange clarified that only hot wallets were affected by the attack and that cold wallets remain safe.
Meanwhile, pro-Israel hacker group Gonjeshke Darande (Predatory Sparrow) claimed responsibility for the attack through its social media accounts.
For those following up on current events, the hack may seem more than just another crypto attack and possibly tied to the Israel-Iran conflict. And that assumption has some merit.
But before examining the purpose behind the Nobitex crypto hack, let’s take a look at the long-standing conflict between Iran and Israel.
The history of the Iran-Israel conflict
Once allies, Iran and Israel’s relationship took a U-turn after the Iranian Revolution in 1979. Under the new Iranian government, diplomatic relations between the two countries were completely cut off.
Sanctions have played a significant role in shaping this conflict. Iran has been under US-led sanctions for decades, mainly due to its nuclear program. This led Iran to actively support countries opposed to the US and its allies, such as Palestine and Lebanon.
Over time, the two countries came to view each other as threats. Iran views Israel as a source of instability in the region. Meanwhile, Israel sees Iran’s regional alliances and nuclear ambitions as existential concerns.
Yet Iran and Israel refrained from direct confrontation most of the time. This has fueled a “shadow war” carried out with assassinations, support for proxy groups and cyberattacks, including crypto hacks.
However, tensions escalated in 2025, and a direct conflict between the two countries broke out on June 13. While countries exchanged missiles, war ignited on the digital front as well.
Inside the Nobitex crypto hack: What exactly happened?
As a heavily sanctioned country, Iran has few ways to access global finance, and cryptocurrencies are one of them. So, cryptocurrencies stand as an important component of the country’s financial infrastructure.
Nobitex is the largest crypto exchange in Iran. According to data by Chainalysis, the exchange received over $11 billion, a number larger than the combined inflows of the next 10 biggest exchanges in the country.
Moreover, Nobitex has known connections to Iran’s military and political establishment. Past investigations linked the platform to the Islamic Revolutionary Guard Corps (IRGC), high-ranking Iranian officials and US-sanctioned groups such as Hamas and the Houthis.
That made it an obvious target.
What’s more, onchain analysis reveals that money was not the motivation behind the attack; it was politics.
The Gonjeshke Darande hacker group used vanity addresses for the crypto exploit. A vanity address refers to a customized wallet address that includes specifically chosen characters. Creating one requires time and energy proportional to the number of customized characters.
The pro-Israel hacker group used two vanity addresses that contained large amounts of customized characters and carried a message:
- TKFuckiRGCTerroristsNoBiTEXy2r7mNX
- 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
Elliptic revealed that meeting the computational demand for creating such addresses is not possible, even for state-level actors. This means Gonjeshke Darande does not hold the private keys of these addresses, and they function as burner addresses.
The assets that were stolen in the Nobitex crypto hack and sent to these addresses are lost forever. Etherscan and Tron blockchain records prove that the assets were not moved, which makes it clear it was a political crypto hack.
The aftermath of the Nobitex hack
Nobitex responded by moving large amounts of BTC into new cold storage wallets.
It also released a public statement and gave assurance to reimburse affected users through the insurance fund and Nobitex’s own resources.
The incident forced Iranian regulators to take action as well. The Central Bank of Iran limited the working hours of domestic crypto exchanges to between 10 am and 8 pm.
After claiming responsibility, Gonjeshke Darande pledged to leak Nobitex’s source code and urged users to move funds off of the platform. The crypto hacker group also demanded an exchange shutdown.
As the demand was ignored, the source code was published on social media on June 19.
Iran and Israel’s crypto-powered conflicts
The Nobitex crypto hack is just the latest incident in Iran and Israel’s crypto warfare. The digital shadow war has been ongoing for many years.
Since May 2021, the Israel National Bureau for Counter Terror Financing (NBCTF) has been seizing cryptocurrency from accounts of proxy groups linked to Iran, such as Hamas. Around 190 Binance accounts have been frozen.
The NBCTF carried out asset freezes in 2023 as well, freezing over $1.7 million worth of crypto. These assets were linked to the Iranian military’s Quds Force and another proxy group, Hezbollah.
Both countries also use cryptocurrency as a tool to fund spies. In May 2025, Iran executed an individual found guilty of spying for Mossad. The individual reportedly received payments in crypto, including BTC.
A month later, Israeli authorities arrested three individuals suspected of spying for Iran. Investigations revealed that at least two of these individuals were paid in crypto.
When crypto hacking becomes cyber warfare
Crypto hacks are often assumed to be financially motivated. While that’s the case in many individual incidents, state-affiliated actors can carry out crypto hacks for political reasons as well.
North Korea’s state-sponsored Lazarus Group is a well-known example. The group is linked to several high-profile crypto thefts, with funds reportedly used to finance the country’s weapons programs.
Lazarus was associated with the $625-million Ronin Bridge hack that occurred in March 2022. The stolen funds were laundered through coin mixers to avoid sanctions.
The group hacked another blockchain bridge within the same year, Harmony’s Horizon Bridge. The total value of stolen cryptocurrencies was around $100 million.
Lazarus was also behind the Bybit hack that occurred in February 2025. The group got away with cryptocurrencies worth almost $1.5 billion. The Bybit hack stands as the largest crypto hack as of July 2025.
Crypto has become a war tactic in the ongoing Ukraine-Russia conflict. In 2022, pro-Russian hackers used the Mars Stealer malware to target crypto wallets in Ukraine and Eastern Europe. These attacks were launched during the early stages of the war in Ukraine and aimed to disrupt access to digital funds.
#ProIsrael #hackers #81M #crypto #wasnt #money