Nobitex June 2025 Hack (Predatory Sparrow)
Summary
On June 18, 2025, pro-Israel cyber group Gonjeshke Darande (Predatory Sparrow) breached Nobitex, Iran's largest cryptocurrency exchange, transferring over $90 million in user assets to computationally inaccessible vanity wallet addresses embedded with anti-IRGC political statements, effectively destroying the funds rather than stealing them. The attack was explicitly framed as a political operation targeting what the group characterized as a key instrument of Iranian sanctions evasion and terrorism financing, not a financially motivated theft. The incident was followed within 24 hours by the public release of Nobitex's full source code, exposing internal privacy-evasion modules, hardcoded banking credentials, and alleged bypass logic for politically sensitive accounts.
Connected Entities
4 entities · 10 linked investigations- 1FuckiRGCTerroristsNoBiTEXXXaAovLX→mentioned with→Nobitex June 2025 Hack (Predatory Sparrow)(50%)
- DFuckiRGCTerroristsNoBiTEXXXWLW65t→mentioned with→Nobitex June 2025 Hack (Predatory Sparrow)(50%)
- TKFuckiRGCTerroristsNoBiTEXy2r7mNX→mentioned with→Nobitex June 2025 Hack (Predatory Sparrow)(50%)
Timeline(7 events)
2025-06-13
Israeli airstrikes targeting Iranian military assets commence, marking the start of kinetic military escalation between Israel and Iran.
SecurityWeek2025-06-15
Iran launches direct missile response to Israeli airstrikes, escalating the conflict.
SecurityWeek2025-06-17
Predatory Sparrow claims cyberattack on Bank Sepah, a state-owned Iranian bank, disrupting nationwide fuel and payment systems.
CyberScoop2025-06-18
Predatory Sparrow breaches Nobitex hot wallets via compromised private keys, transferring over $90 million across Bitcoin, Ethereum, TRON, Dogecoin, XRP, Solana, and TON to computationally inaccessible vanity addresses embedded with anti-IRGC political statements. Nobitex takes its website and app offline.
Elliptic / Chainalysis / CNBC2025-06-19
Predatory Sparrow publishes Nobitex's full source code, internal files, and server list publicly, announcing 'ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.'
CoinDesk2025-06-19
TRM Labs begins analysis of leaked Nobitex source code, identifying privacy-evasion modules, hardcoded banking API credentials, and VIP account bypass logic.
TRM Labs2026-06-02
OFAC formally designates Nobitex and three other Iranian exchanges (Wallex, Bitpin, Ramzinex) for sanctions evasion, terrorist financing, and regime support. Four Nobitex executives are individually designated.
Chainalysis / EllipticDecision Log
- hash: Hd7sVH1KP7rYxxQoFwG9MoPNHM7PvmuG4DCvy97YUJ46
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 6/27/2026, 5:21:58 PM
last updated: 6/27/2026, 5:22:11 PM
avoid.net — verified advice for a post-truth world