A prominent cryptocurrency exchange in Iran, Nobitex, suffered a major security breach on Wednesday, perpetrated by the hacker group Gonjeshke Darande. The group claimed to have stolen over $100 million in cryptocurrency, which they subsequently moved and destroyed. Matters worsened when the group posted essential source code from Nobitex on the social media platform X. Nobitex stated that this attack was unjustly targeting the peace and assets of its citizens.

A Heist Exceeding $100 Million

After the attack, Gonjeshke Darande swiftly claimed responsibility, making headlines with their social media posts. They shared screenshots allegedly containing sensitive sections of Nobitex’s code vital for exchanges, privacy, and user interface. Such disclosures pose significant security risks to the cryptocurrency exchange.

The breach came to light when blockchain researcher ZachXBT identified unusual withdrawals from Nobitex’s wallets on the Tron and EVM networks. Nobitex confirmed that the stolen cryptocurrency amounted to more than $100 million. It was reported that the perpetrators moved and destroyed the stolen funds.

Following this incident, Iranian authorities limited operational hours for local cryptocurrency exchanges. According to Chainalysis, these exchanges are now only operational from 10:00 AM to 8:00 PM.

Motivations Behind the Attack

Gonjeshke Darande justified their actions by accusing Nobitex of being an instrumental tool of the regime for financing terrorism and violating sanctions. This attack occurred against a backdrop of increasing tensions between Iran and Israel, including missile attacks on cities and strategic points.

Meanwhile, a Chainalysis report issued a day before the incident stressed Nobitex’s pivotal role in Iran’s sanctioned cryptocurrency ecosystem. The report highlighted that Nobitex acts as a critical hub, enabling access to global markets for users cut off from traditional financial systems under heavy sanctions.

Chainalysis has previously linked Nobitex with illegal entities, including ransomware operators connected to Iran’s Islamic Revolutionary Guard Corps (IRGC) and sanctioned Russian cryptocurrency exchanges. The platform noted that the attack underscores the tension between cryptocurrency’s borderless nature and the geopolitical realities imposed by nation-states.