Pro-Israeli hackers cause $81 million breach in Nobitex cryptocurrency exchange platform
In a series of politically motivated cyberattacks, a pro-Israel hacker group known as Gonjeshke Darande (also known as Predatory Sparrow) has targeted Iranian entities, most notably the Iran-based cryptocurrency exchange Nobitex and Bank Sepah, one of Iran's oldest and largest state-owned banks.
The most publicized attack occurred on June 18, 2025, when Gonjeshke Darande executed a hack on Nobitex, resulting in the theft of $81 million worth of cryptocurrencies. This attack was not financially motivated but aimed as a political statement against Iran’s financial infrastructure, which is closely tied to the Iranian military and sanctioned groups like the Islamic Revolutionary Guard Corps (IRGC), Hamas, and the Houthis[1][2].
The hackers exploited a vulnerability in Nobitex’s hot wallets to steal multiple cryptocurrencies, including Bitcoin, Ether, Tron, Solana, and Dogecoin. They used special "vanity addresses" with customized characters containing anti-IRGC and anti-terrorist messages, which cryptographic analysts say effectively rendered the stolen assets irretrievable—emphasizing the political rather than financial aim of the attack[1].
Gonjeshke Darande also claimed responsibility for a cyberattack on Bank Sepah, accusing the bank of evading international sanctions and using Iranian citizens' funds to support the regime's terrorist affiliates, ballistic missile development, and military nuclear ambitions[2].
Nobitex acknowledged the hack and assured users that all losses will be fully covered using its insurance reserves and internal resources. However, Gonjeshke Darande warned users that associating with such infrastructure puts their assets at risk. The incident was limited to a subset of funds held in hot wallets, and at least $81.7 million in assets were drained across the Tron network and Ethereum Virtual Machine (EVM)-compatible blockchains[3].
The initial $49 million was drained through an address labeled "TKFuckiRGCTerroristsNoBiTEXy2r7mNX," and a second address used in the operation was "0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead." ZachXBT reported that the attackers behind the Nobitex breach leveraged a "vanity address" to carry out the exploit[3].
The activities of Gonjeshke Darande align with a broader pattern of cyber conflict reflecting the ongoing geopolitical hostility between Israel and Iran, where cyberattacks serve as asymmetric tools against Iranian political and military structures[2][3]. This group operates as a pro-Israel hacktivist collective, emerging amid heightened Israeli-Iranian tensions.
Since these attacks, there have been reported strategic missile attacks between the two nations, resulting in 224 reported fatalities in Iran and 24 in Israel, according to The Guardian[4]. The cyberattack by Gonjeshke Darande on Nobitex coincides with escalating tensions between Israel and Iran, further underscoring the politically charged nature of these cyber operations.
[1] The Verge [2] CyberScoop [3] Kaspersky [4] The Guardian
- The political nature of the attack by Gonjeshke Darande, a pro-Israel hacker group, was emphasized when they used "vanity addresses" with customized characters containing anti-IRGC and anti-terrorist messages in their theft from Nobitex's hot wallets.
- The incident at Nobitex, a cryptocurrency exchange in Iran, resulted in the loss of $81 million worth of cryptocurrencies and was followed by a cyberattack on Bank Sepah, one of Iran's largest state-owned banks.
- The use of technology, specifically blockchain and cybersecurity, has become a unique battleground in the ongoing geopolitical conflict between Israel and Iran, with hacker groups like Gonjeshke Darande employing these tools as asymmetric weapons against Iranian political and military structures.
- The activities of Gonjeshke Darande have been linked to a broader pattern of cyber conflict, with reports of strategic missile attacks between Israel and Iran after the attack on Nobitex, causing fatalities on both sides.
- The political implications of the cyberspace framework for regulation are becoming increasingly significant as nations cope with war-and-conflicts, general-news, crime-and-justice, and technology-driven threats emerging from groups like Gonjeshke Darande.
