Audit log

Every state-changing event for Nobitex June 2025 Hack (Predatory Sparrow): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-27 17:22:11Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 429,280,494

   sig

   4bjsjUqGZ1P9…HwvK6iWmcopyexplorer ↗

   hash

   Hd7sVH1KP7rY…y97YUJ46copysha256 → base58

   verifying row…full verify ↗

   canonical bytes (24761 B) ▸

   {"actor":"system:backfill","investigation_id":"2a2f5726-bb6d-4493-bff8-e494673c7456","kind":"publish","page_slug":"nobitex-june-2025-hack-predatory-sparrow","published_at":"2026-06-27T17:22:11.850Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Nobitex June 2025 Hack (Predatory Sparrow)","sections":[{"content":"On June 18, 2025, Gonjeshke Darande — operating publicly under the name Predatory Sparrow — announced it had conducted a cyberattack against Nobitex, Iran's largest cryptocurrency exchange, with approximately 7 million registered users. Blockchain analytics firm Elliptic identified over $90 million in outflows from Nobitex-controlled wallets to attacker-controlled addresses across multiple blockchain networks, including Bitcoin, Ethereum (and EVM-compatible chains), TRON, Dogecoin, Ripple (XRP), Solana, and TON. Independent analyst ZachXBT calculated at least $81.7 million lost across Ethereum and TRON-compatible networks. The root cause was assessed by Chainalysis as compromised private keys controlling Nobitex hot wallets. The attack occurred within 24 hours of a separate Predatory Sparrow operation against Bank Sepah, a state-owned Iranian bank, which disrupted fuel and payment systems nationwide. Both attacks were claimed in the context of escalating kinetic military conflict between Israel and Iran, which had commenced with Israeli airstrikes beginning June 13, 2025, followed by Iranian missile retaliation on June 15.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group — Elliptic","type":"research","url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"credibility":1,"name":"Iranian Exchange Nobitex: The $90M Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/nobitex-iranian-exchange-exploit-june-2025/"},{"credibility":2,"name":"Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/predatory-sparrow-burns-90-million-on-iranian-crypto-exchange-in-cyber-shadow-war/"},{"credibility":1,"name":"Pro-Israel hackers destroy $90 million in Iran crypto exchange breach — CNBC","type":"news_article","url":"https://www.cnbc.com/2025/06/18/pro-israel-hackers-iran-crypto.html"},{"credibility":2,"name":"Nobitex's Source Code Released a Day After Hackers Steal Tokens Across Bitcoin, EVM, Ripple Networks — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2025/06/19/nobitexs-source-code-released-a-day-after-hackers-steal-tokens-across-bitcoin-evm-ripple-networks"}]},{"content":"The defining technical characteristic of this incident was the deliberate and irreversible destruction of the transferred assets. Rather than routing funds to addresses over which they retained private-key control, Predatory Sparrow sent the stolen cryptocurrency to pre-generated vanity addresses whose public keys encode politically charged text strings. Confirmed vanity address examples include '1FuckiRGCTerroristsNoBiTEXXXaAovLX' on Bitcoin, 'DFuckiRGCTerroristsNoBiTEXXXWLW65t' on an EVM chain, and 'TKFuckiRGCTerroristsNoBiTEXy2r7mNX' on TRON. Elliptic noted that generating vanity addresses with text strings of that length is 'computationally infeasible' — meaning the probability of a collision that would yield a matching private key is negligibly small. Blockchain analytics confirmed that no private keys exist that correspond to these addresses, rendering the funds permanently inaccessible to any party, including the attackers themselves. An Elliptic researcher described the operation as 'more of a symbolic hack, as opposed to one where the intention is financial.' The funds destroyed spanned Bitcoin, Ethereum, TRON, Dogecoin, Ripple (XRP), Solana, and TON.","heading":"Fund Destruction via Vanity Addresses","severity":"critical","sources":[{"credibility":1,"name":"Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group — Elliptic","type":"research","url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"credibility":2,"name":"Nobitex's Source Code Released a Day After Hackers Steal Tokens Across Bitcoin, EVM, Ripple Networks — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2025/06/19/nobitexs-source-code-released-a-day-after-hackers-steal-tokens-across-bitcoin-evm-ripple-networks"},{"credibility":2,"name":"Nobitex hack breakdown and on-chain analysis — crypto.news","type":"news_article","url":"https://crypto.news/nobitex-hack-pulls-curtains-on-months-of-suspicious-fund-movements/"}]},{"content":"Approximately 24 hours after the fund-destruction event, on June 19, 2025, Predatory Sparrow published Nobitex's full internal source code, internal files, and a list of servers via a public repository. The group announced the leak with the statement: 'Time's up — full source code linked below. ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.' Nobitex subsequently stated that no additional financial losses had occurred following the code release and indicated plans to restore services within approximately five days, with the caveat that Iranian internet disruptions — which the Iranian government described as 'temporary, targeted and controlled' — could delay recovery. TRM Labs conducted an analysis of the leaked codebase, finding a multi-layered hot and cold wallet architecture, hardcoded live API credentials for Iranian fiat payment platforms including Shetab, PAY.IR, Vandar, and IDPay, and privacy-evasion modules labeled 'owshen,' 'zpk,' and 'incentivized_mixer.' Internal documentation titled 'Nobitex Privacy' explicitly outlined strategies to 'evade FinCEN and US Based Blockchain Intelligence company's detection tools,' according to TRM. TRM also identified VIP user pathways that allegedly bypassed standard compliance checks and master encryption keys stored in environment variables and plaintext credentials in development branches, which TRM assessed as likely facilitating the breach.","heading":"Source Code Leak","severity":"high","sources":[{"credibility":2,"name":"Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran's Crypto Infrastructure — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure"},{"credibility":2,"name":"Nobitex's Source Code Released a Day After Hackers Steal Tokens Across Bitcoin, EVM, Ripple Networks — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2025/06/19/nobitexs-source-code-released-a-day-after-hackers-steal-tokens-across-bitcoin-evm-ripple-networks"},{"credibility":1,"name":"Pro-Israel hackers destroy $90 million in Iran crypto exchange breach — CNBC","type":"news_article","url":"https://www.cnbc.com/2025/06/18/pro-israel-hackers-iran-crypto.html"}]},{"content":"Predatory Sparrow (Gonjeshke Darande in Persian, meaning 'Predatory Sparrow') is a hacker group that has publicly emerged since 2021 and has been repeatedly linked by security researchers and Israeli media to Israeli government or military operatives, though no official Israeli government attribution has been made public. Elliptic has 'repeatedly linked' the group to Israeli operatives. The group has a documented history of targeted destructive cyberattacks against Iranian critical infrastructure: it claimed responsibility for disabling a significant portion of Iran's fuel distribution network in 2021 and again in December 2023; it caused a major fire at the Khouzestan steel mill in June 2022 by hijacking industrial control systems and spilling a vat of molten steel; and it attacked Bank Sepah on June 17, 2025, disrupting payment and fuel systems, one day before the Nobitex operation. Predatory Sparrow's stated justification for the Nobitex attack was that 'these cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions.' The group announced the attack and subsequent source code leak via posts on the social media platform X (formerly Twitter).","heading":"Attacker Attribution: Predatory Sparrow","severity":"high","sources":[{"credibility":2,"name":"Predatory Sparrow: Inside the Cyber Warfare Targeting Iran's Critical Infrastructure — Picus Security","type":"research","url":"https://www.picussecurity.com/resource/blog/predatory-sparrow-inside-the-cyber-warfare-targeting-irans-critical-infrastructure"},{"credibility":1,"name":"Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group — Elliptic","type":"research","url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"credibility":1,"name":"Pro-Israel hackers attack Iran's largest crypto exchange, destroying $90 million — NBC News","type":"news_article","url":"https://www.nbcnews.com/world/middle-east/hackers-attack-irans-largest-crypto-exchange-destroying-90-million-rcna213920"},{"credibility":2,"name":"Predatory Sparrow operation against Iranian steel maker (2022) — CCDCOE Cyber Law Toolkit","type":"research","url":"https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow_operation_against_Iranian_steel_maker_(2022)"}]},{"content":"Blockchain analytics firms had documented alleged illicit finance links at Nobitex prior to the June 2025 hack, which Predatory Sparrow cited as justification for the attack. Elliptic reported wallet-level interactions between Nobitex-controlled infrastructure and addresses associated with Hamas, Palestinian Islamic Jihad, Yemen's Houthis, DPRK-affiliated hacking groups, Syrian-based actors, and the Russian exchange Garantex (which was sanctioned by OFAC). Chainalysis confirmed that 'IRGC-affiliated ransomware actors' had leveraged Nobitex to cash out proceeds. Elliptic's open-source investigation identified major shareholders including Seyed Mohammad Baqer Kharazi, described as a relative of Iran's Supreme Leader and a known associate of Mohsen Rezaee Mirqaed, a founding commander of the IRGC. The IRGC has been designated a foreign terrorist organization by the United States. Separately, the leaked source code's internal documentation explicitly described strategies to evade FinCEN and U.S. blockchain intelligence detection tools, according to TRM Labs. On June 2, 2026 — approximately one year after the hack — OFAC formally sanctioned Nobitex along with three other Iranian exchanges (Wallex, Bitpin, and Ramzinex), citing sanctions evasion, terrorist financing, and support for the Iranian regime. OFAC designated four Nobitex executives: chairman and former CEO Amir Hossein Rad, current CEO Seyed Ali Khoee, and co-founders Seyed Mohammad Ali Aghamir and Seyed Mohammad Aghamir. The four sanctioned exchanges had collectively sent or received cryptoasset transactions totaling at least $40 billion, and Nobitex alone accounted for over 50% of all Iranian digital asset inflows in the prior year, according to Elliptic.","heading":"Nobitex's Prior Alleged Illicit Finance Connections","severity":"critical","sources":[{"credibility":1,"name":"Inside Nobitex: How Iran's largest crypto exchange fuels sanctions evasion and illicit finance — Elliptic","type":"research","url":"https://www.elliptic.co/blog/inside-nobitex-how-irans-largest-crypto-exchange-fuels-sanctions-evasion-and-illicit-finance"},{"credibility":1,"name":"OFAC Sanctions Nobitex and Iranian Cryptocurrency Exchanges — Chainalysis","type":"regulatory","url":"https://www.chainalysis.com/blog/ofac-sanctions-iranian-crypto-exchanges-june-2026/"},{"credibility":1,"name":"OFAC sanctions Nobitex and three other Iranian cryptoasset exchanges — Elliptic","type":"regulatory","url":"https://www.elliptic.co/blog/ofac-sanctions-nobitex-and-three-other-iranian-cryptoasset-exchanges"},{"credibility":2,"name":"U.S. sanctions Nobitex crypto exchange used by Iranian ransomware actors — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/"},{"credibility":2,"name":"U.S. sanctions Nobitex, other Iranian crypto exchanges amid ongoing war — CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2026/06/02/u-s-sanctions-iranian-crypto-exchanges-in-ongoing-war-against-country"},{"credibility":2,"name":"Inside the Nobitex Hack: How the Iran-Israel Conflict Exposed Tehran's Grip on Its Crypto Services — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/inside-the-nobitex-hack-how-the-iran-israel-conflict-exposed-tehrans-grip-on-its-crypto-services"}]},{"content":"The Nobitex hack occurred within an escalating cycle of kinetic and cyber conflict between Israel and Iran. Israeli airstrikes targeting Iranian military assets began on June 13, 2025, followed by an Iranian missile response on June 15. The Nobitex attack on June 18 and the concurrent Bank Sepah attack on June 17 represented a sustained cyber campaign against Iranian financial infrastructure coinciding with the kinetic operations. Iran responded to the broader disruptions by ordering the Central Bank to instruct domestic crypto platforms to restrict operating hours, enhance cold-storage security protocols, and report large transfers in real-time. Iran also temporarily reduced internet speeds and closed the Tehran Stock Exchange. Predatory Sparrow's pattern of operations — dating to 2021 — represents a documented example of financially destructive cyber operations used as a geopolitical instrument, with the June 2025 campaign being its largest and most financially impactful to date.","heading":"Geopolitical Context and Cyber Shadow War","severity":"high","sources":[{"credibility":2,"name":"Iran's financial sector takes another hit as largest crypto exchange is targeted — CyberScoop","type":"news_article","url":"https://cyberscoop.com/iran-nobitex-cyberattack-predatory-sparrow/"},{"credibility":2,"name":"Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/predatory-sparrow-burns-90-million-on-iranian-crypto-exchange-in-cyber-shadow-war/"},{"credibility":1,"name":"Hackers reportedly wipe out $90 million from largest Iranian cryptocurrency exchange — PBS NewsHour","type":"news_article","url":"https://www.pbs.org/newshour/world/hackers-reportedly-wipe-out-90-million-from-largest-iranian-cryptocurrency-exchange"},{"credibility":1,"name":"Israel hacks Iranian crypto exchange for $90 million — Fortune","type":"news_article","url":"https://fortune.com/crypto/2025/06/18/nobitex-gonjeshke-darande-predatory-sparrow-iran-israel-hack/"}]},{"content":"Nobitex took its website and mobile application offline following the breach, confirming it was investigating 'unauthorized access' to its systems. The exchange stated that no additional losses occurred after the source code leak and announced plans to restore services within approximately five days. The full extent of user fund recovery or reimbursement was not publicly confirmed in sources available at the time of this investigation. The breach affected user-held assets across at least seven blockchain networks. The subsequent OFAC sanctions designation on June 2, 2026 further complicated Nobitex's ability to interact with international financial infrastructure, as any entity globally that processes transactions for OFAC-designated parties faces secondary sanctions exposure.","heading":"User Impact and Exchange Response","severity":"high","sources":[{"credibility":1,"name":"Pro-Israel hackers attack Iran's largest crypto exchange, destroying $90 million — NBC News","type":"news_article","url":"https://www.nbcnews.com/world/middle-east/hackers-attack-irans-largest-crypto-exchange-destroying-90-million-rcna213920"},{"credibility":1,"name":"Hackers reportedly wipe out $90 million from largest Iranian cryptocurrency exchange — PBS NewsHour","type":"news_article","url":"https://www.pbs.org/newshour/world/hackers-reportedly-wipe-out-90-million-from-largest-iranian-cryptocurrency-exchange"},{"credibility":1,"name":"OFAC Sanctions Nobitex and Iranian Cryptocurrency Exchanges — Chainalysis","type":"regulatory","url":"https://www.chainalysis.com/blog/ofac-sanctions-iranian-crypto-exchanges-june-2026/"}]}],"sources_used":[{"credibility":1,"name":"Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group — Elliptic","type":"research","url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"credibility":2,"name":"Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/predatory-sparrow-burns-90-million-on-iranian-crypto-exchange-in-cyber-shadow-war/"},{"credibility":1,"name":"Iranian Exchange Nobitex: The $90M Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/nobitex-iranian-exchange-exploit-june-2025/"},{"credibility":2,"name":"Nobitex's Source Code Released a Day After Hackers Steal Tokens Across Bitcoin, EVM, Ripple Networks — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2025/06/19/nobitexs-source-code-released-a-day-after-hackers-steal-tokens-across-bitcoin-evm-ripple-networks"},{"credibility":1,"name":"Pro-Israel hackers destroy $90 million in Iran crypto exchange breach — CNBC","type":"news_article","url":"https://www.cnbc.com/2025/06/18/pro-israel-hackers-iran-crypto.html"},{"credibility":1,"name":"Pro-Israel hackers attack Iran's largest crypto exchange, destroying $90 million — NBC News","type":"news_article","url":"https://www.nbcnews.com/world/middle-east/hackers-attack-irans-largest-crypto-exchange-destroying-90-million-rcna213920"},{"credibility":1,"name":"Hackers reportedly wipe out $90 million from largest Iranian cryptocurrency exchange — PBS NewsHour","type":"news_article","url":"https://www.pbs.org/newshour/world/hackers-reportedly-wipe-out-90-million-from-largest-iranian-cryptocurrency-exchange"},{"credibility":1,"name":"Israel hacks Iranian crypto exchange for $90 million — Fortune","type":"news_article","url":"https://fortune.com/crypto/2025/06/18/nobitex-gonjeshke-darande-predatory-sparrow-iran-israel-hack/"},{"credibility":2,"name":"Iran's financial sector takes another hit as largest crypto exchange is targeted — CyberScoop","type":"news_article","url":"https://cyberscoop.com/iran-nobitex-cyberattack-predatory-sparrow/"},{"credibility":2,"name":"Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran's Crypto Infrastructure — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure"},{"credibility":2,"name":"Inside the Nobitex Hack: How the Iran-Israel Conflict Exposed Tehran's Grip on Its Crypto Services — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/inside-the-nobitex-hack-how-the-iran-israel-conflict-exposed-tehrans-grip-on-its-crypto-services"},{"credibility":1,"name":"Inside Nobitex: How Iran's largest crypto exchange fuels sanctions evasion and illicit finance — Elliptic","type":"research","url":"https://www.elliptic.co/blog/inside-nobitex-how-irans-largest-crypto-exchange-fuels-sanctions-evasion-and-illicit-finance"},{"credibility":1,"name":"OFAC Sanctions Nobitex and Iranian Cryptocurrency Exchanges — Chainalysis","type":"regulatory","url":"https://www.chainalysis.com/blog/ofac-sanctions-iranian-crypto-exchanges-june-2026/"},{"credibility":1,"name":"OFAC sanctions Nobitex and three other Iranian cryptoasset exchanges — Elliptic","type":"regulatory","url":"https://www.elliptic.co/blog/ofac-sanctions-nobitex-and-three-other-iranian-cryptoasset-exchanges"},{"credibility":2,"name":"U.S. sanctions Nobitex crypto exchange used by Iranian ransomware actors — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/"},{"credibility":2,"name":"U.S. sanctions Nobitex, other Iranian crypto exchanges amid ongoing war — CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2026/06/02/u-s-sanctions-iranian-crypto-exchanges-in-ongoing-war-against-country"},{"credibility":2,"name":"Predatory Sparrow: Inside the Cyber Warfare Targeting Iran's Critical Infrastructure — Picus Security","type":"research","url":"https://www.picussecurity.com/resource/blog/predatory-sparrow-inside-the-cyber-warfare-targeting-irans-critical-infrastructure"},{"credibility":2,"name":"Predatory Sparrow operation against Iranian steel maker (2022) — CCDCOE Cyber Law Toolkit","type":"research","url":"https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow_operation_against_Iranian_steel_maker_(2022)"},{"credibility":2,"name":"Nobitex hack pulls curtains on months of suspicious fund movements — crypto.news","type":"news_article","url":"https://crypto.news/nobitex-hack-pulls-curtains-on-months-of-suspicious-fund-movements/"},{"credibility":2,"name":"Breaking Down the Nobitex Hack: Timeline, Impact, and Key Takeaways — AMLBot Blog","type":"research","url":"https://blog.amlbot.com/breaking-down-the-nobitex-hack-timeline-impact-and-key-takeaways/"}],"summary":"On June 18, 2025, pro-Israel cyber group Gonjeshke Darande (Predatory Sparrow) breached Nobitex, Iran's largest cryptocurrency exchange, transferring over $90 million in user assets to computationally inaccessible vanity wallet addresses embedded with anti-IRGC political statements, effectively destroying the funds rather than stealing them. The attack was explicitly framed as a political operation targeting what the group characterized as a key instrument of Iranian sanctions evasion and terrorism financing, not a financially motivated theft. The incident was followed within 24 hours by the public release of Nobitex's full source code, exposing internal privacy-evasion modules, hardcoded banking credentials, and alleged bypass logic for politically sensitive accounts.","timeline":[{"date":"2025-06-13","event":"Israeli airstrikes targeting Iranian military assets commence, marking the start of kinetic military escalation between Israel and Iran.","source":"SecurityWeek","source_url":"https://www.securityweek.com/predatory-sparrow-burns-90-million-on-iranian-crypto-exchange-in-cyber-shadow-war/"},{"date":"2025-06-15","event":"Iran launches direct missile response to Israeli airstrikes, escalating the conflict.","source":"SecurityWeek","source_url":"https://www.securityweek.com/predatory-sparrow-burns-90-million-on-iranian-crypto-exchange-in-cyber-shadow-war/"},{"date":"2025-06-17","event":"Predatory Sparrow claims cyberattack on Bank Sepah, a state-owned Iranian bank, disrupting nationwide fuel and payment systems.","source":"CyberScoop","source_url":"https://cyberscoop.com/iran-nobitex-cyberattack-predatory-sparrow/"},{"date":"2025-06-18","event":"Predatory Sparrow breaches Nobitex hot wallets via compromised private keys, transferring over $90 million across Bitcoin, Ethereum, TRON, Dogecoin, XRP, Solana, and TON to computationally inaccessible vanity addresses embedded with anti-IRGC political statements. Nobitex takes its website and app offline.","source":"Elliptic / Chainalysis / CNBC","source_url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"date":"2025-06-19","event":"Predatory Sparrow publishes Nobitex's full source code, internal files, and server list publicly, announcing 'ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.'","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2025/06/19/nobitexs-source-code-released-a-day-after-hackers-steal-tokens-across-bitcoin-evm-ripple-networks"},{"date":"2025-06-19","event":"TRM Labs begins analysis of leaked Nobitex source code, identifying privacy-evasion modules, hardcoded banking API credentials, and VIP account bypass logic.","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure"},{"date":"2026-06-02","event":"OFAC formally designates Nobitex and three other Iranian exchanges (Wallex, Bitpin, Ramzinex) for sanctions evasion, terrorist financing, and regime support. Four Nobitex executives are individually designated.","source":"Chainalysis / Elliptic","source_url":"https://www.chainalysis.com/blog/ofac-sanctions-iranian-crypto-exchanges-june-2026/"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 1078ff50-fa94-4a45-94c6-131f19a567adcopy