On June 18, 2025, Iran's largest cryptocurrency exchange, Nobitex, suffered a significant cyber attack in the early hours, and part of its hot wallet assets was plundered. A hacker group calling itself 'Gonjeshke Darande' (Predatory Sparrow), widely believed to be linked to Israel, boldly claimed responsibility for the incident on social media and threatened to leak the exchange's source code within 24 hours.
This is not only a 'Pearl Harbor' moment for Iran's crypto industry but also a dangerous signal: on the global chessboard of geopolitical conflict, crypto infrastructure is being used as a weapon for precise strikes, and the ripple effects may far exceed the survival of a single exchange.
The 'blitz' in the early hours: a textbook-style precise strike.
According to an emergency security notice released by Nobitex, the attack occurred in the early hours of June 18 local time. The hackers breached the platform's security defenses in a very short time, successfully accessing the hot wallet system used for daily transactions, and quickly transferred an undetermined amount of crypto assets.
Although Nobitex promptly suspended all services and emphasized that the cold wallets (offline storage) accounting for the vast majority of the platform's total assets remained safe, and promised to fully compensate affected users through an insurance fund, the panic in the market did not subside. The symbolic significance and psychological impact of this attack far outweigh the potential direct economic losses.
Even industry leaders within the region may be vulnerable in the face of national-level cyber attack forces.
'Predatory Sparrow': Ghosts hovering over Tehran.
'Gonjeshke Darande' is not an unknown entity. This mysterious hacker organization has become the sword of Damocles hanging over Iran's critical infrastructure in recent years. Its past 'achievements' are shocking:
December 2023: Paralyzing 70% of Iran's nationwide gas station network.
2022: Attacking Iranian steel factories, causing production disruptions.
June 17, 2025: Just one day before the attack on Nobitex, the organization claimed to have launched a devastating attack on Iran's state-owned Bank Sepah, deleting its core data.
Each attack precisely targets the pain points of Iran's economy and people's livelihoods. The choice of Nobitex this time makes its strategic intent equally clear. The organization stated on the X platform that Nobitex 'provides financial support for the Iranian regime' and attempted to destroy its technical credibility by making the source code public.
Although Israeli officials have never acknowledged any connection to this organization, the complexity of its attack methods, the precision of its timing, and the strategic nature of its targets strongly point to a state-level actor behind it.
When Crypto becomes the 'soft underbelly' of geopolitical games.
This incident must be interpreted against the backdrop of the escalating Iran-Israel conflict. While missiles and drones confront each other in the real world, cyberspace has become the 'second battlefield' for both sides.
The existence of Nobitex itself carries strong geopolitical significance. Under harsh financial sanctions from the West, it provides countless Iranians and businesses with an alternative channel to bypass the traditional SWIFT system and participate in the global economy. It is not only Iran's largest cryptocurrency exchange but also an important window through which the country resists financial blockades.
For this reason, it has also become a highly valuable 'soft underbelly' in the eyes of adversaries. Destroying Nobitex not only causes direct economic losses but also psychologically undermines the Iranian people's confidence in 'safe-haven assets', further impacting the already fragile domestic financial stability. As Rob Joyce, a former senior official of the U.S. National Security Agency, commented: 'When a country's critical financial institutions continue to be compromised, a systemic trust crisis is not far behind.'
A wake-up call for the industry: How far are we from 'the next theft'?
From Bybit being hacked for over $1.5 billion in February 2025 to the precise strike on Nobitex, the security issues of crypto exchanges have once again come to the forefront. Although the separation of hot and cold wallets has become the industry standard, the online nature of hot wallets keeps them perpetually exposed to attackers.
The SlowMist security team has pointed out that techniques such as social engineering, insider infiltration, and supply chain attacks have made the defenses of exchanges far more fragile than imagined. Gonjeshke Darande has even threatened to make the source code public, indicating that the group may have gained the highest level of access to the platform, a depth of infiltration that is fatal for any centralized service.
This incident has sent a stark warning to all crypto users worldwide: the platform you trust may become a victim of geopolitical conflict at any moment. The ultimate security of assets may not depend on the platform's promises but rather on its position on the geopolitical chessboard.
Conclusion: The 'new normal' of a decentralized world.
The attack on Nobitex marks the arrival of a new era in the crypto world. In this era, code is law, but geopolitics is a higher-level rule that supersedes code. From the ongoing plunder of DeFi protocols by the North Korean hacker group Lazarus to the precise strikes on centralized exchanges by 'Predatory Sparrow', crypto assets and conflicts between nation-states are becoming deeply intertwined.
The short-term fluctuations in the market may soon settle, but the shadow hanging over the industry is growing darker. For investors, diversifying platform risk, embracing self-custody, and strengthening personal security measures are no longer options but essential survival rules.
In this increasingly intertwined digital and real world, protecting one's assets ultimately relies on oneself.