Saturday, December 13, 2025

Cyberattackers Posing as Hacktivists Infiltrate Iranian Cryptocurrency Exchange

In a striking digital assault with significant geopolitical implications, suspected Israeli state-backed cyber operatives masquerading as Iranian opposition hacktivists under the moniker Gonjeshke Darande successfully infiltrated Nobitex, Iran’s largest cryptocurrency exchange, on June 18, 2025.

Rather than seeking financial profit, the hackers chose to “burn” an estimated $90 million in digital assets by transferring them to invalid wallet addresses.

The attack, laden with political symbolism, comes amid rapidly escalating tensions between Iran and Israel, following a series of airstrikes on Iranian military and nuclear sites earlier in June.

At the heart of the attack was a message embedded within the wallet addresses used to destroy the funds: “FuckiRGCTerroristsNoBiTE,” an apparent jab at the Islamic Revolutionary Guard Corps (IRGC), which the group accused of using Nobitex to circumvent international sanctions and finance terrorism.

Gonjeshke Darande issued a statement announcing the imminent release of Nobitex’s full source code and internal data, warning users that remaining assets on the platform may be at risk.

The group’s public statement, disseminated via their Telegram channel and verified X (formerly Twitter) account, announced the imminent release of Nobitex’s entire source code, deployment configurations, and scripts for managing cold wallets, a move aimed at inflicting lasting reputational and operational harm.

Technical Analysis: How the Attack Unfolded

Gonjeshke Darande’s attack relied on advanced, long-term access to Nobitex’s internal infrastructure.

Security analysts speculate that the group gained high-privilege entry well before the operation, possibly through compromised credentials, insider collaboration, or exploitation of misconfigured access controls.

Once inside, the attackers waited for a geopolitically significant moment to maximize impact.

The attack targeted the exchange’s hot wallet, which is typically used for daily transactions and kept online for liquidity.

By contrast, the cold wallets, which hold the bulk of digital assets in offline storage, remained secure.

After burning the assets, Gonjeshke Darande leaked extensive internal documentation, including server configurations and backend scripts, suggesting deep familiarity with Nobitex’s operations.

The release of sensitive data invites further exploitation by other malicious actors.

Nobitex responded swiftly, suspending services and isolating affected servers to contain the breach.

The exchange assured users that only hot wallet assets were compromised, but nationwide internet disruptions in Iran have hampered recovery efforts. Restoring services is expected to take four to five days.
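A defender-side illustration added here, not code from the article or from Nobitex: a small monitor over constructed hot-wallet withdrawal records that flags outflows to never-seen destinations, destinations with a burn-style run of zeros, and hourly volume above a cap. The log format, addresses, allowlist and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample withdrawal records (not real exchange data):
# timestamp, hot-wallet id, destination address, USD value.
SAMPLE_LOG = """\
2025-06-18T01:02:11Z hot-1 0x4f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c 850.00
2025-06-18T01:17:40Z hot-1 0x7e8d9cafb0e1d2c3b4a5968778695a4b3c2d1e0f 4200.00
2025-06-18T03:05:02Z hot-1 0x4f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c 300.00
2025-06-18T03:05:09Z hot-1 0xdead0000000000000000000000000000000beef1 2500000.00
2025-06-18T03:05:14Z hot-1 0xdead0000000000000000000000000000000beef2 1900000.00
"""

# Assumed allowlist of destinations the exchange has paid before.
KNOWN_DESTINATIONS = {
    "0x4f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c",
    "0x7e8d9cafb0e1d2c3b4a5968778695a4b3c2d1e0f",
}
HOURLY_CAP_USD = 1_000_000.0  # assumed per-wallet hourly outflow ceiling

# Heuristic (constructed): a run of 12+ zeros inside the hex body is a
# vanity/burn-style address, i.e. unlikely to belong to a real counterparty.
VANITY_RE = re.compile(r"^0x[0-9a-f]*0{12,}[0-9a-f]*$")


def parse_line(line):
    """Split one record into (datetime, wallet, destination, amount)."""
    ts, wallet, dest, amount = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), wallet, dest.lower(), float(amount)


def flag_withdrawals(log_text, known=KNOWN_DESTINATIONS, cap=HOURLY_CAP_USD):
    """Return (timestamp, wallet, destination, amount, reasons) for suspicious rows."""
    alerts = []
    hourly = defaultdict(float)  # (wallet, hour bucket) -> cumulative USD
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, wallet, dest, amount = parse_line(line)
        bucket = (wallet, ts.strftime("%Y-%m-%dT%H"))
        hourly[bucket] += amount
        reasons = []
        if dest not in known:
            reasons.append("unseen-destination")
        if VANITY_RE.match(dest):
            reasons.append("vanity-pattern")
        if hourly[bucket] > cap:
            reasons.append("hourly-cap-exceeded")
        if reasons:
            alerts.append((ts.isoformat(), wallet, dest, amount, reasons))
    return alerts
```

Run as `flag_withdrawals(SAMPLE_LOG)`: the first three rows pass, and the two large transfers to the zero-filled addresses trip all three checks.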

Broader Implications and Emerging Cyber Threat Trends

This attack marks a pivotal moment in cyber-enabled geopolitical strategy. By destroying funds rather than exfiltrating them for profit, Gonjeshke Darande emphasized its mission: to undermine public trust in regime-affiliated institutions and signal technical superiority.

The group’s history includes high-profile attacks on Iran’s railway system (2021), gas stations (2021, 2023), and a steel mill (2022), each accompanied by visible political messaging.

The Nobitex incident highlights key trends: cryptocurrency exchanges are now a frontline target for state-sponsored cyber operations, insider threats and long-term access are critical vulnerabilities, and cyberattacks are increasingly used as narrative weapons in international conflicts.

As tensions remain high, experts warn that further attacks targeting Iran’s financial and critical infrastructure are likely, signaling a new era where digital sabotage is central to geopolitical rivalry.
