
How Internet Disruptions Fueled the Nobitex Hack

Introduction: A Costly Crypto Breach in Iran

On June 18, 2025, Nobitex—Iran’s largest cryptocurrency exchange—faced a major cyberattack. Hackers stole around $90 million in digital assets. The pro-Israel hacktivist group Predatory Sparrow (Gonjeshke Darande) is believed to be behind the attack. The breach lasted 5 hours and 12 minutes. During this time, widespread internet disruptions in Iran likely increased the platform’s vulnerabilities.
This article examines how these disruptions contributed to the Nobitex hack. It also covers technical details of the attack and offers strategies to improve crypto exchange security in Iran’s unstable digital environment.

The Nobitex Hack: Timeline and Impact

The Nobitex breach began around 6:00 AM Iran Standard Time on June 18, 2025. Hackers gained access to the exchange’s hot wallets and drained assets like Bitcoin, Ethereum, Tether (USDT), and Dogecoin across several blockchains. Blockchain analytics firms, including Elliptic and TRM Labs, estimate the losses at $90–$100 million. Of this, $49.3 million was stolen on the Tron network alone.

The stolen funds were moved to vanity addresses that included anti-IRGC messages. One example is “TKFuckiRGCTerroristsNoBiTEXy2r7mNX.” These addresses are inaccessible, which suggests the attack was politically motivated rather than aimed at financial gain.

Nobitex detected the breach at 2:24 AM EST (10:24 AM Iran time) and quickly suspended platform access. The exchange confirmed that its cold wallets remained secure. It also pledged to cover losses using its insurance fund and reserves. However, the incident exposed major weaknesses, made worse by Iran’s unstable internet infrastructure.

The 5-hour-and-12-minute gap likely marks the time between the attack’s start and Nobitex’s response. Internet disruptions during this period may have delayed detection and slowed down the exchange’s ability to act. This delay underscores the vulnerabilities of centralized exchanges in geopolitically sensitive regions like Iran.

How Internet Disruptions Fueled the Breach

Iran’s frequent internet disruptions, caused by government restrictions, power outages, and geopolitical tensions, played a key role in the Nobitex hack. On June 18, 2025, network traffic in Iran dropped by 98%. This massive drop was tied to a nationwide internet shutdown. The shutdown aimed to prevent further cyberattacks during the ongoing conflict between Israel and Iran. These disruptions created a perfect storm for the breach:

  • Delayed Monitoring: Internet outages likely disrupted Nobitex’s real-time connectivity to cloud-based tools like SIEM (Security Information and Event Management), which delayed alerts about suspicious wallet activity.
  • Slowed Response: The security team likely faced delays in updating firewalls or blocking attacker access due to unstable internet connections to management panels. These disruptions gave hackers more time to carry out the breach.
  • Communication Breakdowns: Team members struggled to coordinate through platforms like Telegram or cloud-based tools, which hindered a rapid response during the 5-hour window.
  • Limited External Support: Nobitex’s team had limited access to global threat databases and cybersecurity experts. This restriction made it harder to analyze and counter the attack in real time.
  • User Impact: Internet disruptions prevented users from reporting suspicious activity or transferring assets to safer wallets, prolonging the attack’s impact.

These factors likely extended the breach’s duration, allowing Predatory Sparrow to drain funds and leak Nobitex’s source code, exposing internal privacy tools designed to evade sanctions.

Technical Analysis of the Breach

The Nobitex hack stemmed from a “critical failure in access controls,” which allowed hackers to infiltrate internal systems and hot wallets. Predatory Sparrow exploited these weaknesses to transfer funds to burner addresses. Because of their vanity design, finding a private key that controls such an address is computationally infeasible, so the funds cannot be accessed. The attack’s stages likely included:

  1. Reconnaissance: Gathering data on Nobitex’s infrastructure, possibly aided by prior leaks or social engineering.
  2. Initial Access: Exploiting weak access controls, potentially via stolen admin credentials.
  3. Asset Extraction: Draining hot wallets across Tron, Ethereum, and other blockchains.
  4. Data Leakage: Releasing Nobitex’s source code, revealing anti-surveillance tools like stealth address generation and transaction batching.

The 5-hour-and-12-minute window likely reflects the time from initial access to detection, during which internet disruptions delayed Nobitex’s response. The group’s attack on Bank Sepah a day earlier suggests a coordinated effort to disrupt Iran’s financial infrastructure, exploiting network instability.

Iran’s Internet Challenges: A Broader Context

Iran’s internet ecosystem faces unique challenges that amplify cyber risks:

  • Government Restrictions: A 97% traffic drop in June 2025, tied to censorship and conflict-related shutdowns, disrupted platform operations.
  • Infrastructure Issues: Power outages and overloaded networks weaken signal stability, as reported by Irancell.
  • Sanctions: Limited access to global cybersecurity tools and services hampers exchange security.

Nobitex’s role as a sanctions-evading platform, with ties to the IRGC and transactions worth $11 billion, made it a prime target for politically motivated attacks. The leaked source code revealed tools to obscure transactions, underscoring the exchange’s strategic importance and vulnerability.

Lessons and Solutions for Crypto Exchanges

The Nobitex hack highlights critical lessons for Iran’s crypto ecosystem:

  • Offline Monitoring Systems: Develop local, internet-independent monitoring tools to detect breaches during disruptions.
  • Robust Incident Response Plans: Prepare for scenarios with limited connectivity, including backup communication channels like satellite-based systems.
  • Enhanced Access Controls: Implement multi-factor authentication (MFA) and regular audits to prevent unauthorized access.
  • User Education: Encourage users to use cold wallets, strong passwords, and 2FA to secure assets.
  • Collaboration with Authorities: Work closely with Iran’s Cyber Police (FATA) and global blockchain analytics firms to trace stolen funds and prevent future attacks.
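
The "Offline Monitoring Systems" item above, as an added sketch that is not from the article or from Nobitex: an outflow circuit breaker that runs on the signing host and needs no cloud SIEM, and that tightens its limit while the uplink is down. The class names, thresholds, addresses and the uplink_ok flag are hypothetical, and the events are constructed.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Withdrawal:          # one hot-wallet transfer, read from a local node or signer log
    ts: int                # unix seconds
    chain: str
    usd: float
    dest: str

class OutflowBreaker:
    """Sliding-window outflow limit evaluated locally, before a transfer is signed."""

    def __init__(self, window_s, limit_usd, degraded_limit_usd, allowlist):
        self.window_s = window_s
        self.limit_usd = limit_usd                    # limit per window, uplink healthy
        self.degraded_limit_usd = degraded_limit_usd  # tighter limit while uplink is down
        self.allowlist = set(allowlist)               # known internal/cold addresses
        self.recent = deque()                         # (ts, usd) pairs inside the window
        self.tripped = False

    def check(self, w, uplink_ok):
        """Return (allow, reason). Once tripped, signing stays paused until manual reset."""
        if self.tripped:
            return False, "paused"
        while self.recent and self.recent[0][0] <= w.ts - self.window_s:
            self.recent.popleft()                     # drop events older than the window
        if w.dest in self.allowlist:
            return True, "allowlisted"
        limit = self.limit_usd if uplink_ok else self.degraded_limit_usd
        total = sum(usd for _, usd in self.recent) + w.usd
        if total > limit:
            self.tripped = True                       # fail closed: stop signing
            return False, f"outflow {total:.0f} > {limit:.0f} USD in {self.window_s}s"
        self.recent.append((w.ts, w.usd))
        return True, "ok"

def replay(events, breaker):
    """Run (withdrawal, uplink_ok) pairs through the breaker; return allow decisions."""
    return [breaker.check(w, up)[0] for w, up in events]

# Constructed sample: uplink drops at t=600, then transfers go to unknown addresses.
SAMPLE = [
    (Withdrawal(0, "tron", 40_000, "T_user_a"), True),
    (Withdrawal(300, "eth", 30_000, "0x_user_b"), True),
    (Withdrawal(600, "tron", 500_000, "T_cold_1"), False),    # allowlisted sweep
    (Withdrawal(700, "tron", 60_000, "T_unknown_1"), False),  # exceeds degraded limit
    (Withdrawal(710, "tron", 800_000, "T_unknown_2"), False),
]
```

With a 1,000,000 USD normal limit and a 100,000 USD degraded limit, the fourth transfer trips the breaker because the uplink is down; the same sequence with a healthy uplink passes.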

Nobitex’s commitment to compensating losses and cooperating with FATA is a step forward, but proactive measures are essential to restore user trust.

Future of Crypto Security in Iran

The Nobitex hack underscores the need for stronger cybersecurity in Iran’s crypto sector. With exchanges processing billions in transactions, investments in infrastructure, talent, and regulatory frameworks are critical. Reducing internet disruptions through improved telecom stability and easing censorship could indirectly bolster security. A proposed “crypto curfew” limiting exchange operations to 10 AM–8 PM reflects heightened oversight but may disrupt user access, highlighting the need for balanced policies.

Users must also take responsibility by securing their accounts and diversifying asset storage. As geopolitical tensions persist, state-aligned cyberattacks like those by Predatory Sparrow are likely to continue, targeting Iran’s digital infrastructure.

Conclusion: A Wake-Up Call for Iran’s Crypto Ecosystem

The Nobitex hack, unfolding over 5 hours and 12 minutes, exposed how internet disruptions in Iran amplified vulnerabilities, enabling a $90 million breach. By delaying detection, response, and communication, unstable networks gave hackers a critical window to exploit weak access controls and leak sensitive data. This incident is a wake-up call for exchanges to strengthen security, prepare for infrastructure challenges, and foster user trust through transparency. Addressing Iran’s internet instability and investing in robust cybersecurity are essential for a resilient crypto ecosystem.
