Nearly $100 million stolen: Iranian exchange Nobitex theft incident

Author: Lisa & 23pds

Editor: Sherry

background

On June 18, 2025, the on-chain detective ZachXBT revealed that Iran’s largest crypto trading platform, Nobitex, was suspected of being hacked, involving abnormal transfers of large amounts of assets across multiple public chains.

 (https://t.me/investigations)

SlowMist further confirmed that the affected assets in the incident included TRON, EVM and BTC networks, and the initial estimated loss was approximately US$81.7 million.

 (https://x.com/slowmist_team/status/1935246606095593578)

Nobitex also issued an announcement confirming that some infrastructure and hot wallets had indeed suffered unauthorized access, but emphasized that user funds were safe.

 (https://x.com/nobitexmarket/status/1935244739575480472)

It is worth noting that the attacker not only transferred the funds, but also actively transferred a large amount of assets to a specially designed destruction address. The value of the assets that were "burned" was nearly 100 million US dollars.

 (https://x.com/GonjeshkeDarand/status/1935412212320891089)

Timeline

June 18

• ZachXBT disclosed that the Iranian crypto exchange Nobitex was suspected of being hacked, and a large number of suspicious withdrawal transactions occurred on the TRON chain. SlowMist further confirmed that the attack involved multiple chains, and the initial estimated loss was about 81.7 million US dollars.
• Nobitex said that the technical team detected illegal access to some infrastructure and hot wallets, and immediately cut off external interfaces and launched an investigation. The vast majority of assets stored in cold wallets were not affected, and the intrusion was limited to some hot wallets used for daily liquidity.
• The hacker group Predatory Sparrow (Gonjeshke Darande) claimed responsibility for the attack and announced that it would release Nobitex source code and internal data within 24 hours.

 (https://x.com/GonjeshkeDarand/status/1935231018937536681)

June 19

• Nobitex released its fourth statement, saying that the platform has completely blocked external access to the server, and that the hot wallet transfer was "active migration made by the security team to protect funds." At the same time, the official confirmed that the stolen assets were transferred to some wallets with non-standard addresses composed of arbitrary characters, which were used to destroy user assets, totaling about $100 million.
• The hacker group Predatory Sparrow (Gonjeshke Darande) claims to have burned about $90 million worth of crypto assets, calling it a "sanctions circumvention tool."
• The hacker group Predatory Sparrow (Gonjeshke Darande) released the Nobitex source code.

 (https://x.com/GonjeshkeDarand/status/1935593397156270534)

Source code information

According to the source code information released by the attacker, the folder information is as follows:

Specifically, the following contents are involved:

The core system of Nobitex is mainly written in Python and deployed and managed using K8s. Based on the known information, we speculate that the attacker may have broken through the operation and maintenance boundary and entered the intranet, which will not be analyzed here.

MistTrack Analysis

The attacker used multiple seemingly legitimate but uncontrollable "destruction addresses" to receive assets. Most of these addresses comply with the on-chain address format verification rules and can successfully receive assets, but once the funds are transferred in, they are permanently destroyed. At the same time, these addresses also contain emotional and provocative words, which are offensive. Some of the "destruction addresses" used by the attacker are as follows:

• TKFuckiRGCTerroristsNoBiTEXy2r7mNX
• 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
• 1FuckiRGCTerroristsNoBiTEXXXaAovLX
• DFuckiRGCTerroristsNoBiTEXXWLW65t
• FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX
• UQABFuckIRGCTerroristsNOBITEX11111111111111111_jT
• one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u
• rFuckiRGCTerroristsNoBiTEXypBrmUM

We used the on-chain anti-money laundering and tracking tool MistTrack for analysis, and the incomplete statistics of Nobitex’s losses are as follows:

According to MistTrack analysis, the attacker completed 110,641 USDT transactions and 2,889 TRX transactions on TRON:

The EVM chains stolen by the attacker mainly include BSC, Ethereum, Arbitrum, Polygon and Avalanche. In addition to the mainstream currencies of each ecosystem, they also include UNI, LINK, SHIB and other tokens.

On Bitcoin, the attacker stole a total of 18.4716 BTC, or about 2,086 transactions.

On Dogechain, the attacker stole a total of 39,409,954.5439 DOGE, approximately 34,081 transactions.

On Solana, the attacker steals SOL, WIF, and RENDER:

On TON, Harmony, and Ripple, the attacker stole 3,374.4 TON, 35,098,851.74 ONE, and 373,852.87 XRP respectively:

MistTrack has added the relevant addresses to the malicious address database and will continue to pay attention to related chain trends.

Conclusion

The Nobitex incident once again reminds the industry that security is a whole. Platforms need to further strengthen security protection and adopt more advanced defense mechanisms, especially for platforms that use hot wallets for daily operations. SlowMist recommends:

• Strictly isolate the permissions and access paths of cold and hot wallets, and regularly audit the hot wallet call permissions;
• Use on-chain real-time monitoring systems (such as MistEye) to obtain comprehensive threat intelligence and dynamic security monitoring in a timely manner;
• Cooperate with on-chain anti-money laundering systems (such as MistTrack) to promptly detect abnormal fund flows;
• Strengthen emergency response mechanisms to ensure effective response within the golden window after an attack occurs.
• The incident is still under investigation, and the SlowMist security team will continue to follow up and update the progress in a timely manner.