Threat Insight

Cyber Attack on Iranian Crypto Exchange During Israel-Iran War

On June 18, 2025, an Israeli hacktivist group calling themselves “Gonjeshke Darande”, or Predatory Sparrow, reportedly breached the Iranian crypto exchange Nobitex and stole $90 million in crypto currency assets.

  • Insight

Notably, attacker-controlled wallets that the stolen assets were transferred to, appears to have been burner addresses lacking private key access, meaning the crypto currency was essentially deleted rather than stolen. This suggests that the theft of more than $90 million was likely politically motivated, rather than financial in nature.

Nobitex is the largest cryptocurrency exchange in Iran and a central pillar of the country’s digital asset ecosystem. Operating in a heavily sanctioned environment, it has become the go-to platform for Iranian users seeking access to global crypto markets, facilitating the majority of on-chain exchange activity originating in the country.

Analysis of crypto currency transactions shows that Nobitex serves a number of shady clients, including Iran’s Revolutionary Guard Corps (IRGC), terrorist organizations, and Russian cybercrime actors as well as a number of actors involved in cyber fraud and online scams.

Assessment

The so-called hacktivist in Predatory Sparrow is assessed to be actively supported by the Israeli government. They claim to be Iranian dissidents but are suspected to consist mainly of Iranian Jews that have fled to Israel. This cyber attack is therefore highly likely a direct part of the war between Israel and Iran June 13 to June 24, 2025, and the objective of the attack was highly likely to harm Iran’s critical financial infrastructure.

Crypto exchanges, like Nobitex, are becoming key centres in a financial ecosystem aimed at avoiding Western sanctions regimes. It is not just used by the government, terrorists, and criminals. Many ordinary Iranian citizens also use Nobitex to transfer money or protect their assets against inflation.

The importance of Nobitex and the Iranian crypto currency ecosystem in general is expected to increase as the country now struggles to finance rebuilding its military capabilities after the war with Israel, while at the same time grappling with Western sanctions.

This is also another example of how the borders between state actors and organized crime is blurring in cyberspace. The governments of sanctioned countries like Iran and North Korea finance their activities through cybercrime, while cybercriminals benefit from the financial ecosystem set up to avoid Western sanctions and law enforcement.

References

https://www.chainalysis.com/blog/nobitex-iranian-exchange-exploit-june-2025/