Hackers say they wiped out $90 million from Iran cryptocurrency exchange

Key Points

• Hackers with possible links to Israel drained over $90 million from Nobitex, Iran’s largest cryptocurrency exchange, and leaked its full source code, forcing the platform offline to assess unauthorized access.
• The stolen funds, spanning Bitcoin, Ethereum, Dogecoin and more, were transferred to wallets where they were effectively burned and labeled with messages criticizing Iran’s Revolutionary Guard, signaling a political motive.
• The group Gonjeshke Darande claimed responsibility, accusing Nobitex of aiding Iran in evading Western sanctions and funding militants, while blockchain analysts at Elliptic linked the exchange to relatives of Iran’s Supreme Leader and sanctioned groups like the Houthis and Hamas.
• Coming amid escalating Israel-Iran tensions and following previous cyberattacks on Iranian institutions, this breach underscores the growing use of cybersecurity operations in geopolitical conflicts.

DUBAI, United Arab Emirates (AP) — Hackers with possible links to Israel have drained more than $90 million from Nobitex, Iran’s largest cryptocurrency exchange, according to blockchain analytics firms.

The group that claimed responsibility for the hack leaked on Thursday what it said was the company’s full source code. “ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” the group wrote on its Telegram account.

The stolen funds were transferred to addresses bearing messages that criticized Iran’s Revolutionary Guard, Blockchain analytics firm Elliptic wrote in a blog post. It said the attack likely was not financially motivated as the wallets the hackers had poured the money into “effectively burned the funds in order to send Nobitex a political message.”

The hackers group, Gonjeshke Darande — “Predatory Sparrow” in Farsi — accused Nobitex of having helped Iran’s government to evade Western sanctions over the country's rapidly advancing nuclear program and transfer money to militants, in a post on X claiming the attack.

Nobitex appeared to have confirmed the attack. Its app and website were down as it assessed “unauthorized access” to its systems, it said in a post on X.

The theft spanned a range of cryptocurrencies, including Bitcoin, Ethereum, Dogecoin and more, said head of national security intelligence at Chainalysis Andrew Fierman. The breach is “particularly significant given the comparatively modest size of Iran's cryptocurrency market,” he added.

The hack appears to be motivated by escalating tensions in the Israel-Iran conflict, which broke out last week when Israel struck Iran’s nuclear sites and military officials, drawing Tehran’s response with barrages of missiles. It came after the group said it had destroyed data in a cyberattack against Iran’s state-controlled Bank Sepah on Tuesday.

Elliptic said that relatives of Iran's Supreme Leader Ali Khamenei were linked to the exchange and that sanctioned Revolutionary Guard operatives had used Nobitex. It shared evidence that the exchange had sent and received funds from cryptocurrency wallets controlled by Iranian allies including Yemen’s Houthis and Hamas.

Gonjeshke Darande has previously claimed responsibility for other high-level cyberattacks against Iran, including a 2021 operation that paralyzed gas stations and a 2022 effort against a steel mill that sparked a large fire.

Israeli media have widely reported that Gonjeshke Darande is linked to Israel but the country’s government has never officially acknowledged ties to the group.

U.S. Senators Elizabeth Warren and Angus King last year raised concerns about Iran’s use of cryptocurrencies to evade sanctions.