
How the $90 Million Nobitex Burn Exposed Critical Vulnerabilities in Exchange Hot Wallet Architecture

The cryptocurrency world woke up to one of the most audacious cyberattacks in its history on June 19, 2025, as the Israeli-linked hacktivist group Predatory Sparrow infiltrated Iran’s largest cryptocurrency exchange, Nobitex, and systematically destroyed more than $90 million in digital assets. Bitcoin traded at approximately $104,684 and Ethereum at $2,521 at the time of the attack, making the total losses especially significant in the broader market context.

The Exploit Mechanics

According to a Chainalysis bulletin published the same day, the attack began at approximately 2:24 AM Eastern time on June 19. The hackers siphoned Bitcoin, Ethereum, Dogecoin, and five other cryptocurrencies from Nobitex’s hot wallets. Rather than stealing the funds for profit, the attackers transferred the assets to vanity blockchain wallets with addresses specifically designed to taunt Iran’s Islamic Revolutionary Guard Corps (IRGC). Once the funds reached these wallets, the Predatory Sparrow group burned them by locking the assets in accounts with no private-key access, rendering the tokens permanently inaccessible.

The attack also exposed Nobitex’s closely guarded source code, which the hackers leaked publicly. This dual blow of financial destruction and intellectual property exposure revealed deep architectural weaknesses in how the exchange managed its hot wallet infrastructure. Blockchain forensics showed that the attackers exploited elevated access privileges to move funds across multiple chains simultaneously, suggesting they had gained control of key management systems rather than exploiting a smart contract vulnerability.

Affected Systems

Nobitex operated as the dominant cryptocurrency platform in Iran, facilitating the majority of on-chain exchange activity originating from the country. Operating in a heavily sanctioned environment, the exchange had become the primary gateway for Iranian users accessing global crypto markets. Chainalysis data indicated that Nobitex had processed more than $11 billion in assets over recent years and served wallets connected to Iran’s government, Hamas-affiliated media outlets, and sanctioned Russian exchanges including Garantex and Bitpapa.

The attack affected multiple cryptocurrency networks simultaneously. Bitcoin, Ethereum, and Dogecoin holders on the platform all saw their balances vaporized, along with holders of five additional tokens. The cross-chain nature of the attack meant that users had no single recovery path, as each blockchain required independent forensic analysis to trace the movement of funds.

The Mitigation Strategy

In response to the attack, Iran’s Central Bank ordered every domestic cryptocurrency platform to implement immediate restrictions. These measures included limiting operating hours to daylight only, enhancing cold-storage safeguards for the majority of user funds, and mandating real-time reporting of large transfers. While these are standard security practices in the global cryptocurrency industry, their sudden enforcement highlighted how far behind Iranian exchanges had lagged in adopting basic protective measures.

For the broader crypto community, the Nobitex incident underscores the critical importance of hot wallet segregation. Exchanges should maintain only minimal liquidity in hot wallets, with the vast majority of assets stored in air-gapped cold storage systems. Multi-signature authorization for large transfers, combined with hardware security modules for key management, can prevent a single point of compromise from cascading into catastrophic losses.
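A minimal sketch of the controls named above, written as a pre-signing policy gate (an added example, not code from Nobitex or any exchange): a rolling outflow cap summed across all chains, multi-party approval for large transfers, and a hot-float ceiling. Every name, approver ID and dollar limit is a constructed assumption.

```python
from dataclasses import dataclass, field

# All limits and approver IDs are constructed sample values, not figures from the incident.
@dataclass
class Policy:
    large_transfer_usd: float = 50_000      # at or above this, multi-party approval is required
    required_approvals: int = 2             # M in an M-of-N approver set
    approvers: frozenset = frozenset({"ops-a", "ops-b", "risk-c"})
    window_seconds: int = 3600              # rolling window for outflow velocity
    window_cap_usd: float = 250_000         # max hot-wallet outflow per window, all chains combined
    hot_balance_cap_usd: float = 1_000_000  # hot float above this should sit in cold storage

@dataclass
class Transfer:
    ts: int                                 # request time, seconds
    chain: str
    usd: float
    approvals: frozenset = frozenset()

@dataclass
class HotWalletGate:
    policy: Policy
    history: list = field(default_factory=list)  # (ts, usd) of transfers already allowed

    def check(self, t: Transfer) -> tuple:
        p = self.policy
        # Forget transfers that have aged out of the rolling window.
        self.history = [(ts, usd) for ts, usd in self.history
                        if t.ts - ts < p.window_seconds]
        spent = sum(usd for _, usd in self.history)
        # The cap is summed across chains, so splitting a drain over
        # BTC, ETH and DOGE does not buy extra headroom.
        if spent + t.usd > p.window_cap_usd:
            return (False, "velocity-cap")
        if t.usd >= p.large_transfer_usd:
            # Only approvals from the configured approver set count.
            valid = t.approvals & p.approvers
            if len(valid) < p.required_approvals:
                return (False, "needs-approvals")
        self.history.append((t.ts, t.usd))
        return (True, "ok")

def excess_hot_float(balances_usd: dict, policy: Policy) -> float:
    """USD amount held hot, across all chains, beyond the configured ceiling."""
    return max(0.0, sum(balances_usd.values()) - policy.hot_balance_cap_usd)
```

A gate like this only limits damage when it is enforced by the signing component itself, such as an HSM policy or an independent co-signer, rather than by the application server that requests signatures.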

Lessons Learned

The Nobitex attack is significant not only for its financial impact but for its geopolitical motivation. Unlike typical cryptocurrency heists driven by financial gain, this was an act of cyber warfare. Predatory Sparrow has previously been linked to the 2022 malware attack on an Iranian steel company, a 2021 intrusion that shut down 4,000 gas stations across Iran, and wiper malware attacks against Iran’s national media network. The group’s decision to destroy rather than steal the funds sends a chilling message about the weaponization of cryptocurrency infrastructure in international conflicts.

The attack occurred just 24 hours after Predatory Sparrow claimed responsibility for a separate cyberattack on Iran’s state-owned Bank Sepah, which briefly disrupted fuel and payment systems across the country. These coordinated strikes coincided with broader military escalation between Israel and Iran, demonstrating how cryptocurrency platforms have become legitimate targets in state-sponsored cyber campaigns.

User Action Required

For cryptocurrency users worldwide, the Nobitex incident serves as an urgent reminder to evaluate exchange security practices before depositing funds. Users should prioritize platforms with transparent proof-of-reserves, robust cold storage policies, and regulatory compliance. Hardware wallets remain the most secure option for long-term storage, and no user should keep more funds on an exchange than necessary for active trading. The $90 million burned at Nobitex proves that even the largest platforms can fall victim to sophisticated, state-sponsored attacks.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making decisions about cryptocurrency storage and security.


14 thoughts on “How the $90 Million Nobitex Burn Exposed Critical Vulnerabilities in Exchange Hot Wallet Architecture”

  1. burning 90M to own your enemy is next level. most hackers want the money. predatory sparrow wanted the humiliation

  2. predatory sparrow burned 90M to make a political point. imagine the audit trail nightmare for nobitex trying to explain their hot wallet architecture after this

  3. burning the funds instead of stealing them is what makes this different. predatory sparrow wasn't after money, they wanted to send a geopolitical message. the vanity addresses spelling out IRGC insults are wild

    1. chain_forensics

      the vanity addresses were designed so the IRGC could see the insults on chain forever. permanent propaganda etched into the ledger

    2. the IRGC taunting vanity addresses are insane. first time i've seen a crypto hack used purely as a propaganda tool instead of financial gain

  4. hot wallets holding $90M across 8+ chains with no time lock or multisig. exchange security hasn't improved much since mt gox at the architecture level

    1. cold_storage_nv

      no multisig on 90M across 8 chains is beyond reckless. even mid tier exchanges learned this after the 2018 round of hacks

      1. even Mt Gox had better operational security than this. an exchange serving millions of users in a sanctioned economy with zero time-locks on hot wallets

  5. chainalysis had the bulletin out within hours of the attack starting. their monitoring of iranian exchanges is clearly extensive
