Nearly $100 Million Burned: Iran’s Largest Crypto Exchange Nobitex Suffers Major Hack
Author: Lisa & 23pds
Editor: Sherry
Background
On June 18, 2025, on-chain investigator ZachXBT revealed that Nobitex, the largest crypto exchange in Iran, may have fallen victim to a security breach involving suspicious large-scale asset transfers across multiple blockchains.
SlowMist further confirmed that the compromised assets span the TRON, EVM-compatible, and Bitcoin networks, with preliminary estimates putting the losses at approximately $81.7 million.
Nobitex later issued a public statement, confirming that parts of its infrastructure and hot wallets had been accessed without authorization, while emphasizing that user funds remain safe.
Notably, the attacker not only siphoned funds but also deliberately sent large amounts to custom “burn addresses”, effectively destroying nearly $100 million in crypto assets.
Timeline of Events
June 18
- ZachXBT discloses a suspected hack at Nobitex involving a large number of suspicious TRON transactions.
- SlowMist confirms that the breach involves multiple chains, with estimated losses of $81.7 million.
- Nobitex announces that some hot wallets and infrastructure were illegally accessed. The team immediately disabled external interfaces and launched an internal investigation. Most funds, stored in cold wallets, were unaffected. The breach was limited to wallets used for daily liquidity operations.
- The hacker group Predatory Sparrow (Gonjeshke Darande) claims responsibility, threatening to leak Nobitex’s source code and internal data within 24 hours.
June 19
- Nobitex releases its fourth official statement, clarifying that hot wallet transfers were a proactive security measure to protect funds. The platform confirms that some stolen assets were transferred to non-standard, arbitrary-character burn addresses, used to destroy user assets. Estimated destroyed value: nearly $100 million.
- Predatory Sparrow claims to have burned about $90 million in crypto, calling them “sanction-evading tools.”
- The group also publishes Nobitex’s source code.
Source Code Leak
The files released by the attackers include various internal directories:
Key insights:
Nobitex’s core system is mainly written in Python, deployed and managed using Kubernetes (K8s).
Based on the file structure and known information, it is suspected that the attackers breached DevOps boundaries to gain internal network access. Detailed analysis is omitted for now.
MistTrack Analysis
The attackers transferred assets to several “burn addresses” that are syntactically valid on-chain but function as irreversible black holes. These addresses follow the correct address format rules and can receive funds, but because their text was chosen for its wording rather than derived from a key pair, no one holds a private key that can spend from them, and anything sent there is permanently destroyed.
Many of these addresses include provocative messaging, such as:
TKFuckiRGCTerroristsNoBiTEXy2r7mNX
0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
1FuckiRGCTerroristsNoBiTEXXXaAovLX
DFuckiRGCTerroristsNoBiTEXXXWLW65t
FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX
UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT
one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u
rFuckiRGCTerroristsNoBiTEXypBrmUM
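Why such strings pass format validation, shown for the three Base58Check addresses in the list (Bitcoin, TRON, Dogecoin). This is an added example, not SlowMist's or MistTrack's code: it decodes each address into its version byte, 20-byte hash and 4-byte double-SHA-256 checksum and verifies the checksum. The names `B58`, `NETWORKS`, `SAMPLES`, `b58decode` and `inspect` are introduced here, and the other addresses in the list use different encodings that this example does not cover.

```python
import hashlib

# Added example: the names below (B58, NETWORKS, inspect) are introduced here.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Version bytes of the three Base58Check networks in the list above.
NETWORKS = {0x00: "Bitcoin P2PKH", 0x1E: "Dogecoin P2PKH", 0x41: "TRON"}

# Addresses quoted in the article (Bitcoin, TRON, Dogecoin).
SAMPLES = [
    "1FuckiRGCTerroristsNoBiTEXXXaAovLX",
    "TKFuckiRGCTerroristsNoBiTEXy2r7mNX",
    "DFuckiRGCTerroristsNoBiTEXXXWLW65t",
]


def b58decode(addr: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' is one leading zero byte."""
    num = 0
    for ch in addr:
        num = num * 58 + B58.index(ch)  # ValueError for 0, O, I, l, '_' ...
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body


def inspect(addr: str) -> dict:
    """Split an address into version, hash and checksum, then verify it."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return {"address": addr, "well_formed": False, "reason": "not Base58"}
    if len(raw) != 25:
        return {"address": addr, "well_formed": False, "reason": "bad length"}
    payload, checksum = raw[:21], raw[21:]
    # Checksum = first 4 bytes of SHA-256(SHA-256(version || hash)).
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return {
        "address": addr,
        "network": NETWORKS.get(payload[0], "unknown"),
        "version": payload[0],
        "hash": payload[1:].hex(),  # the field the slogan text decodes into
        "well_formed": checksum == expected,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample))
```

A passing checksum only shows that the string is well formed. It does not show that anyone holds a private key for the 20-byte hash, which is why format validation in wallet software does not stop a transfer to such an address.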
Using the anti-money laundering and on-chain tracking tool MistTrack, the losses have been tallied as follows:
Additional observations from MistTrack:
- On TRON, the attackers executed 110,641 USDT transactions and 2,889 TRX transactions.
- EVM assets were stolen across multiple chains (BSC, Ethereum, Arbitrum, Polygon, and Avalanche) and involved a mix of mainstream and DeFi tokens.
- On Bitcoin, attackers stole 18.4716 BTC over approximately 2,086 transactions.
- On Dogechain, they took 39.4 million DOGE across 34,081 transactions.
- On Solana, assets included SOL, WIF, and RENDER.
- On the TON, Harmony, and Ripple networks, the attackers stole 3,374.4 TON, 35,098,851.74 ONE, and 373,852.87 XRP, respectively.
MistTrack has labeled the relevant addresses as malicious and continues to monitor related on-chain activities.
Conclusion
The Nobitex incident is a stark reminder that security must be holistic. For platforms that rely on hot wallets for daily operations, SlowMist recommends:
- Strictly isolate permissions and access between hot and cold wallets. Conduct regular audits of hot wallet authorization.
- Deploy real-time on-chain threat monitoring systems (e.g., MistEye) for proactive alerting and threat intelligence.
- Use AML tools like MistTrack to track suspicious fund flows and prevent further losses.
- Strengthen incident response capabilities to ensure rapid reaction within the golden window after an attack.
The incident is still under investigation. SlowMist will continue to follow up and provide timely updates.