Pro-Israel Hacker Group Gonjeshke Darande Targets Iranian Exchange Nobitex, Stealing Over $90 Million in Digital Assets

On June 18, 2025, a major cybersecurity incident unfolded. The Israel-affiliated hacker network Gonjeshke Darande, or “Predatory Sparrow,” accomplished what neither the “Stuxnet” virus of 2010 nor the 2019 “Tortoiseshell” cyberattack could: seriously damage the Iranian economy. Indeed, following that attack on its cyber infrastructure, which coincidentally also involved Tether, Iran’s largest cryptocurrency exchange, Nobitex, experienced a digital asset heist with 19.57 million in different cryptocurrencies sucked out and into the Israeli-controlled ether. An Israeli hacker group burned $81.7M They exploited Iranian exchange Nobitex across multiple chains using vanity addresses and burned the proceeds They warned anyone with deposits to withdraw as they will be releasing the full source code of the exchange shortly pic.twitter.com/4pIyNJLCMV — rciv (@rcivNFT) June 18, 2025 The estimated dollar amount of the attack’s toll was $95 million, and it happened just one week after another Israeli cyberattack on an Iranian ballistic missile research facility. The cryptocurrency heist was timed like the perfect sequel to the June 11 episode. According to @zachxbt , the pro-Israel hacker group Gonjeshke Darande attacked the Iranian crypto exchange #Nobitex and stole $82M in assets. Including 55M $USDT , 39.41M $DOGE ($6.72M) 255.65 B $PEPE ($2.61M) 18.47 $BTC ($1.94M) … Source: https://t.co/efpjFCKytI Attacker… pic.twitter.com/y21WIuf9kG — Lookonchain (@lookonchain) June 18, 2025 The group did not do what so many other cybercriminals do: attempt to pocket the stolen money. Instead, they turned the assets into a kind of phony-baloney unusable currency—effectively, as a co-director at MIT’s Computer Science and Artificial Intelligence Laboratory put it, “burning” them. From this, and other hints dropped by the group, we can infer that they aren’t in it for the money. They’re on some kind of political mission. A Politically Charged Cyber Assault Gonjeshke Darande has a history of going after Iranian infrastructure. The group recently targeted the Bank Sepah, a major state-owned financial institution, with a cyberattack. They accused the bank of funding Iran’s military operations and took responsibility for the attack in a public statement, which they prefaced with a warning to Nobitex that they wouldn’t steal from them anymore if the exchange didn’t cool it with the bank account seizures. After the IRGC’s “Bank Sepah” comes the turn of Nobitex WARNING! In 24 hours, we will release Nobitex’s source code and internal information from their internal network. Any assets that remain there after that point will be at risk! The Nobitex exchange is at the heart of the… pic.twitter.com/GFyBCPCFIE — Gonjeshke Darande (@GonjeshkeDarand) June 18, 2025 They also fired off a dire alert to the exchange’s patrons, telling them to snatch up their assets or else. According to the hackers, the exchange is a key part of the apparatus that allows Iran to steer around international sanctions and, with the help of the exchange, to fund its export of terrorism. The group accused Nobitex of propelling the Iranian regime’s foreign policy agenda, alleging that the government agency recognizing work at Nobitex as fulfilling mandatory military service is actually a cover for Nobitex recruiting. If true, these claims would underscore the importance the Iranian government places on volume and value of the transactions that take place on the Nobitex platform. Nobitex’s Role in Iran’s Crypto Ecosystem Nobitex has formed itself as the leading actor in emerging Iran’s digital currency scene since our establishment in 2017. Over six million users of our platform make us the responsible party for the majority of cryptocurrency transactions in the country. Even in light of international sanctions, which have cut the Iranian economy off from much of the global financial system, we allow Iranians to access and trade in global crypto markets. Nobitex, however, has seen growing criticism of its operations. Investigative reports have previously associated the exchange with likely sanction-evasion activities. And as for the operation of Nobitex in particular, blockchain analytics and other means of investigative reporting have tied it to what appear to be billions of dollars’ worth of crypto transactions involving sanctioned entities. These transactions, it should be noted, have also involved some very major international exchanges. The allegations are resulting in heightened scrutiny of Nobitex by regulators and financial watchdogs, many of whom are becoming concerned that platforms such as Nobitex could be used to fund state-sponsored operations or pay for activities in restricted areas. Implications and Future Outlook What happened to Nobitex is a new episode in the cyber confrontation between Iran and its foes. This confrontation has long spilled over into cyberspace, always threatening to get out of hand, with a series of attacks and counterattacks by both sides. But what happened to Nobitex is different in a couple of ways. For one, it directly affected not just the target, which in this case was a key intermediary in Iran’s cryptocurrency sector, but also many more people in Iran whom the intermediary serves. And what’s more, the attack also has implications for the crypto boom that is taking place in Iran. Increasingly, cryptocurrencies are being used in Iran, in a way that’s turning blockchain-based assets into a lifeline for a suppressed economy. For users of Nobitex, the immediate worry is about the safety of their funds and whether operations will continue without more interruptions. But the ramifications of this incident stretch well beyond Iran. It could serve as a wake-up call for not just crypto exchanges but also the traditional financial institutions that cavalierly extend their reach into or do business with jurisdictions considered by the U.S. government to be high-risk. Because the risk attached to a jurisdiction can change from year to year or even day to day, the world of finance is well advised to stay on high alert. It could also speed up demands for more robust international regulatory systems to supervise the cryptocurrency industry, ensuring that it isn’t misused for geopolitical ends or used to break through sanctions. With Gonjeshke Darande threatening to publish sensitive internal data and code, the heat is on Nobitex—and on Iran’s larger digital finance apparatus. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !

Source: NullTx