Nobitex Restores Services After $90 Million Hack

Tehran-based crypto exchange Nobitex has initiated the restoration of limited services following a significant hack that occurred earlier this month. The breach, which resulted in the loss of $90 million, was claimed by the pro-Israel hacking group Gonjeshke Darande. The exchange has begun allowing users who have completed identity verification to access their wallets, with spot trading users given priority. Withdrawals are scheduled to be re-enabled on June 30, while other functions such as deposits and trading will be gradually restored, though no specific timeline has been provided.

Nobitex has cautioned users against sending funds to previously used wallet addresses, as the exchange has undergone a full migration of its wallet system. The company emphasized that previous addresses are no longer valid, and any deposits made to them may result in the loss of funds. The breach, which took place on June 18, was widely seen as politically motivated due to the group’s alignment with Israel and Nobitex’s status as Iran’s largest crypto platform. Gonjeshke Darande claimed responsibility for the attack, burned most of the stolen funds, and published what appeared to be the exchange’s source code.

The attack has highlighted the geopolitical dimensions of crypto infrastructure in the region. Nobitex processed more than $11 billion in crypto inflows, significantly ahead of other local exchanges, and has apparent links to entities under international sanctions, including Iran’s Revolutionary Guard and Russian crypto platforms. The timing of the attack is notable, as it occurred just days before Israeli authorities announced the arrest of three individuals accused of carrying out espionage activities on behalf of Iran. Two of the suspects were reportedly paid in cryptocurrency, with one individual, a 28-year-old named Dmitri Cohen, allegedly receiving $500 in crypto per completed task, which included intelligence gathering and online propaganda.

The hackers, known by their Farsi name which translates to Predatory Sparrow, claimed responsibility for the breach and followed through by publishing what they say is Nobitex’s core backend code—scripts, infrastructure data, and privacy configurations. Nobitex’s CEO, Amir Rad, rejected claims that the company is state-affiliated, describing it as a private entity. He also alleged that the attack was supported by the Israeli government. In response to the incident, Iranian regulators have imposed tighter controls on crypto platforms, restricting their operating hours to 10 a.m. to 8 p.m.

The Nobitex case is part of a broader trend of politically driven cyberattacks targeting the crypto sector in 2025. North Korean hacking groups, in particular, have accounted for a significant share of global crypto thefts this year, including the $1.5 billion Bybit exploit in February. South Korean officials have noted that some of these groups have started using AI tools like ChatGPT to assist in their operations. The incident underscores the increasing intersection of geopolitics and cybersecurity in the crypto industry, highlighting the need for enhanced security measures and regulatory oversight.