Wednesday’s attack targeted Nobitex, one of Iran’s largest cryptocurrency exchanges. Picture: SUPPLIED

Detroit — An anti-Iranian hacking group with possible ties to Israel announced an attack on one of Iran’s largest cryptocurrency exchanges on Wednesday, destroying nearly $90m and threatening to expose the platform’s source code.

A group known as Gonjeshke Darande, or “Predatory Sparrow”, claimed the attack, making it the group’s second operation in two days. On Tuesday the group claimed to have destroyed data at Iran’s state-owned Bank Sepah amid the increasing hostilities and missile attacks between Israel and Iran.

Wednesday’s attack targeted Nobitex, one of Iran’s largest cryptocurrency exchanges. The platform allegedly helps the Iranian government avoid sanctions and finance illicit operations worldwide, the hackers claimed in a message posted to their social media channels early Wednesday.

Nobitex’s website was unavailable on Wednesday. Messages sent to the company’s support channel on Telegram were not returned. Gonjeshke Darande did not respond to requests for comment. Nobitex said in a post on X that it had pulled its website and app offline as it reviewed “unauthorised access” to its systems.

Gonjeshke Darande is an established hacking group with a history of sophisticated cyberattacks targeting Iran. A 2021 operation claimed by the group caused widespread fuel station outages, while a 2022 attack targeting an Iranian steel mill caused a large fire and tangible, offline damage.

Israel has never formally acknowledged that it is behind the group, though Israeli media has widely reported Gonjeshke Darande as “Israel-linked”.

Wednesday’s attack started in the early hours of the morning when funds were moved to hacker-controlled wallets denouncing the Islamic Revolutionary Guard Corps (IRGC), according to blockchain analysis firm TRM Labs, which pegged the total theft at about $90m across multiple types of cryptocurrencies.

‘Burnt’

The way the hacker-controlled wallets were created suggests the hackers would not be able to access the stolen money, meaning that the hackers “effectively burnt the funds to send Nobitex a political message”, blockchain analysis firm Elliptic said in a blog post.

Elliptic’s post shared evidence that Nobitex had sent and received funds to cryptocurrency wallets controlled by groups hostile to Israel, including Palestinian Islamic Jihad, Hamas and Yemen’s Houthis.

Senators Elizabeth Warren and Angus King had raised concerns about Nobitex’s role in enabling Iranian sanctions evasion in a May 2024 letter to top Biden administration officials.

Andrew Fierman, head of national security intelligence with Chainalysis, confirmed in an email that the value of the attack was about $90m and that it was likely to have been geopolitically motivated, given that the money was burnt.

Chainalysis has “previously seen IRGC-affiliated ransomware actors leveraging Nobitex to cash out proceeds, and other IRGC proxy groups leveraging the platform”, Fierman said.

Reuters
