How Iran’s Nobitex exchange lost more than $80 million. Chronology of the hack

The hacking of the largest crypto exchange in Iran does not look like a typical attack for profit. All factors point to the fact that the asset theft was politically motivated. GetBlock AML Research breaks down the details of the Nobitex hack.

First among the sanctioned

Over the past few years, Nobitex has become a key player in the Iranian market. The exchange has become the largest trading platform in the country in the face of international sanctions. In addition to normal retail activity, Nobitex has processed transactions for individuals and organizations that are under sanctions. On-chain analysis confirms Nobitex’s ties to ransomware creators, the Houthis, Hamas, Russian crypto exchanges Garantex (now Grinex), and Bitpapa.

A graph of Nobitex’s ties to sanctioned individuals and entities. Data: Chainalysis

Political motive

The Nobitex hack came after Israel launched a military operation against Iran. Previously, Israel’s National Bureau for Counter Terror Financing (NBCTF) named Nobitex as the largest financial hub through which many Iranian programs and entities are funded. Israeli experts discovered that Nobitex and other crypto trading platforms were controlled directly by the IRGC (Islamic Revolutionary Guard Corps) and personally by Iran’s Supreme Leader, Ali Khamenei.

The responsibility for the Nobitex hack was taken by the pro-Israeli hacker group Predatory Sparrow, which had previously attacked the Iranian bank Sepah.

Chronology of the attack

• The famous crypto detective ZachXBT was the first to report the Nobitex hack in his Telegram channel. He discovered large suspicious transactions on the Tron network.;
• Later, it became known that Nobitex lost assets worth $84,6 million.;
• The Nobitex team acknowledged the hacking and suspended the exchange for investigation;
• The Predatory Sparrow group took responsibility for the attack and promised to publicly disclose the source code of Nobitex. It turned out that the exchange is built primarily in Python and is run using Kubernetes (K8s).

Nobitex source code published in Predatory Sparrow’s X-account.

Asset Burning

Most of the stolen funds were transferred to syntactically incorrect address formats (e.g., TKFuckiRGCTerroristsNoBiTEXy2r7mNX). According to the Predatory Sparrow group, these addresses are specifically designed to be burned because it is impossible to send funds from these addresses.

List of assets stolen from Nobitex.