Overview

In a politically charged cyberattack, Iran-based crypto exchange Nobitex has been exploited for over $81 million across Tron and EVM-compatible blockchains. The incident was first reported by renowned blockchain investigator ZachXBT and has triggered widespread concern across the crypto community.

🧠 Technical Breakdown: Vanity Addresses & Access Control Failure

The exploit involved the use of vanity wallet addresses, custom-generated public keys designed to contain specific strings. These addresses were used to withdraw tens of millions in assets from Nobitex’s hot wallets. Notably:

• The first $49M was drained through a Tron address containing the phrase:
  TKFuckiRGCTerroristsNoBiTEXy2r7mNX

• Another $30M+ was moved via Ethereum address:
  0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead

According to Cyvers’ security team, the breach likely stemmed from a critical access control failure, enabling attackers to access internal systems and execute unauthorized withdrawals.

🔒 Nobitex Response: Cold Wallets Are Safe

Nobitex promptly acknowledged the attack, stating that:

“Unauthorized access was detected in a portion of our hot wallets. Affected wallets were immediately disabled. Users’ assets remain secure under our cold storage standards, and losses will be covered by our insurance fund and internal reserves.”

While the response was swift, users remain uneasy as more data emerges about the scale and implications of the breach.

🕵️‍♂️ Who’s Behind the Attack?

A group calling itself “Gonjeshke Darande”, identifying as pro-Israel, has claimed responsibility. In a bold post, the group stated:

“Nobitex is a key instrument in the Iranian regime’s terror financing and sanctions evasion. Working at Nobitex is considered equivalent to military service.”

They’ve also threatened to release Nobitex’s internal files and source code within 24 hours, warning users that “remaining funds are at risk.”

🌍 A Regional Flashpoint Becomes Digital

The hack coincides with the fifth day of escalating military conflict between Israel and Iran. On June 13, Israel conducted its most extensive strikes on Iranian soil since the Iran-Iraq war, killing over 200 people. Strategic retaliation from both sides has ignited fears of a broader regional war — and now, the cyber arena has become the newest battlefield.

📉 Nobitex Wallets Plummet

Data from blockchain analytics firm Arkham shows that total holdings in Nobitex-labeled wallets fell from $1.8 billion on June 16 to just $96 million by June 18.

However, according to Cyvers, this decline may not reflect direct losses, as Nobitex routinely rotates its hot wallets — sometimes weekly — for operational security.

🧪 Security Experts: A Political, Not Financial, Statement

Yehor Rudytsia, from Hacken, noted:

“This was not your average hack. Assets were sent to burner addresses with no intent to launder or profit. It’s a politically motivated operation aimed at undermining Iran’s crypto infrastructure.”

Moreover, around $55M in stolen USDT could potentially be recovered if Tether takes action to freeze or reissue the tokens.

🔢 Context: Over $2.1B Stolen in 2025 So Far

According to CertiK, total losses from crypto hacks and scams in 2025 have already surpassed $2.1 billion, with a majority linked to wallet key mismanagement, access breaches, and social engineering rather than technical exploits.

The Nobitex hack further highlights the growing threat of politically-driven attacks in crypto, where ideology—not just profit—is a motive.

🚨 Final Thoughts

The Nobitex incident isn’t just another exchange hack — it’s a wake-up call. As geopolitical tensions spill into the digital finance world, exchanges and users must reevaluate their security standards.

For users, this means relying less on hot wallets and more on secure cold storage and verified custodians. For regulators and the industry at large, it signals an urgent need to defend crypto infrastructure from state-linked or ideologically-driven attacks.