Iran’s largest cryptocurrency exchange, Nobitex, has resumed operations following a politically motivated cyberattack that resulted in the loss of $100 million in digital assets. The exchange began restoring wallet access in phases, starting with verified users and prioritizing spot wallet services. The process is being rolled out gradually, with access to other wallet types to follow as the system stabilizes. Only users who complete identity verification will be allowed to access their wallets, and once user data is confirmed, wallet balances will be displayed in phases. Nobitex has alerted users that delays may occur due to additional security checks and technical conditions, urging users to be patient during the verification period. Users will be allowed to withdraw their holdings starting June 30, with other services such as trading and deposits expected to be restored gradually. However, a fixed timeline for the full return of operations was not disclosed. Nobitex also warned users against depositing assets to old wallet addresses due to a complete migration of its wallet system, noting that doing so may result in the permanent loss of funds.
On June 18, Nobitex suffered a major breach when pro-Israel hacking group Gonjeshke Darande, also known as Predatory Sparrow, infiltrated its hot wallets and siphoned off $100 million in cryptocurrencies, including Dogecoin and Ton, among others. According to the attackers, the hack was intended to disrupt the Iranian regime’s financial infrastructure. The hackers used vanity wallet addresses embedded with anti-government slogans and later announced that they had burned over $90 million worth of the stolen assets by transferring them to unrecoverable wallets. In a further escalation, the group leaked what it claimed was Nobitex’s full source code and internal infrastructure data. The eight-part leak included server configurations, privacy modules, and deployment systems, raising additional concerns about the platform’s security and the exposure of remaining user funds. Nobitex later confirmed that its cold storage reserves were untouched and subsequently pledged to fully compensate affected users using its insurance fund and internal reserves.
In response to the incident, Iranian authorities imposed operational restrictions on all domestic cryptocurrency exchanges, limiting their activity to between 10 am and 8 pm. The Central Bank of Iran implemented the curfew as a measure to reduce systemic risk and to tighten oversight in a sector it views as critical amid ongoing international sanctions. Nobitex plays an outsized role in Iran’s crypto economy, having processed over $11 billion in inflows, more than all other Iranian exchanges combined. The exchange has also been linked to wallets associated with sanctioned entities, including IRGC-affiliated groups, Hamas-aligned media, and blacklisted Russian exchanges.
Further scrutiny followed an investigation by blockchain intelligence firm Global Ledger, which uncovered patterns of suspicious fund movements predating the recent attack. These included the use of peelchains, one-use wallets, and systematic balance sweeps, techniques often associated with money laundering and transaction obfuscation.
The probe also found that Nobitex’s so-called “rescue wallet,” deployed after the breach, had been active for months prior, conducting gradual transfers of large sums. Investigators concluded that these methods indicated deliberate efforts to obscure fund flows, raising questions about the exchange’s operational transparency and potential links to illicit finance.
