Explained: The Nobitex Hack (June 2025)

POSTED BY: Rob Behnke

06.23.2025

In June 2025, Nobitex, Iran’s largest crypto exchange, was the victim of a hack. Gonjeshke Darande, a pro-Israel hacking group also known as Predatory Sparrow, claimed responsibility for the attack, which stole an estimated $90 million from the exchange.

Inside the Attack

The Nobitex hack involved thefts of cryptocurrency from the exchange’s hot wallets across multiple blockchains. The attackers stole an estimated $90 million in various cryptocurrencies on Tron and on blockchains compatible with the Ethereum Virtual Machine (EVM).

Like many exchange hacks, the root cause of this incident is believed to be compromised private keys. It’s believed that private keys were insecurely stored on systems that were compromised by the attackers, allowing them to gain control over these accounts and drain the exchange’s hot wallets.

Unlike many crypto hacks, which are financially motivated, this attack was performed for political reasons by Gonjeshke Darande, the group allegedly behind it. One indication of this was the fact that the stolen funds were sent to inaccessible vanity addresses rather than being laundered to cover the attackers’ tracks.

Vanity addresses are on-chain addresses selected so that the hexadecimal representation of the address includes a particular word or starts with zeros, which makes the address take up less memory. Often, these words are short because of the number of private keys that need to be generated and tested to find one whose address meets the desired criteria.

In this case, the attackers sent the stolen funds to addresses containing longer, political messages. Since it’s computationally infeasible to calculate the private keys for these exact addresses, the tokens sent to them were “burned” or rendered inaccessible forever.
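The cost argument above can be made concrete with a short work-factor estimate. This is an added example, not part of the original post: the key rate of 1e9 keys per second and the pattern lengths are constructed figures, and `toy_address` is a hypothetical stand-in that uses SHA-256 instead of the real secp256k1 and Keccak-256 derivation so that it runs on the Python standard library.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def expected_trials(fixed_hex_chars: int) -> int:
    """Average number of random keys tried before one address matches a pattern
    that fixes this many hex characters (each character fixes 4 bits)."""
    return 16 ** fixed_hex_chars

def years_to_find(fixed_hex_chars: int, keys_per_second: float) -> float:
    """Expected search time in years at an assumed key-generation rate."""
    return expected_trials(fixed_hex_chars) / keys_per_second / SECONDS_PER_YEAR

def toy_address(secret: bytes) -> str:
    """Stand-in for EVM address derivation (public key hashed, last 20 bytes kept).
    SHA-256 replaces secp256k1 + Keccak-256 here; the search cost depends only
    on the output looking uniformly random, not on the specific hash."""
    return hashlib.sha256(secret).hexdigest()[-40:]

def search_prefix(prefix: str, max_trials: int = 2_000_000):
    """Try sequential toy secrets (sequential only for reproducibility) until an
    address starts with `prefix`. Returns (trials, address), or None if
    max_trials is exhausted."""
    for trial in range(1, max_trials + 1):
        address = toy_address(trial.to_bytes(16, "big"))
        if address.startswith(prefix):
            return trial, address
    return None

if __name__ == "__main__":
    rate = 1e9  # assumed keys per second, a constructed figure for illustration
    for n in (4, 8, 12, 20, 40):
        print(f"{n:>2} fixed hex chars: {expected_trials(n):.3e} trials, "
              f"{years_to_find(n, rate):.3e} years")
    # A short pattern is found quickly; a fully chosen 40-character address is not.
    trials, address = search_prefix("dead")
    print(f"toy 4-char match after {trials} trials "
          f"(expected about {expected_trials(4)}): 0x{address}")
```

Each additional fixed hex character multiplies the expected work by 16, which is why short vanity words are practical and a fully chosen address has no known key.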

Beyond stealing the tokens held in the exchange’s hot wallets, the group behind the attack threatened to release details of the exchange’s source code and infrastructure within 24 hours. After they made good on that threat, all user funds remaining on the platform were at risk since other attackers may have been able to identify and exploit vulnerabilities that allow the theft of user funds.

Lessons Learned from the Attack

The Nobitex hack is an example of a major crypto exchange being exploited due to its lack of strong private key security and access controls. Many exchanges have fallen prey to these attacks, which exploit poor off-chain security processes rather than vulnerabilities in smart contracts. This incident differs in that the attackers also released other sensitive information stolen from the exchange’s servers, including source code and sensitive configuration data.

Exchanges looking to avoid a similar fate should implement private key security best practices for their hot wallets. For help in developing a robust off-chain security program, reach out to Halborn.
