The $90 million attack on Iran’s largest cryptocurrency exchange, Nobitex, sent shockwaves around the world. But newly discovered blockchain data suggests the intrusion was far more complex.
A forensic report from blockchain analytics firm Global Ledger shows that, prior to the June 18 attack, Nobitex had been repeatedly transferring user funds using techniques associated with money laundering.
Nobitex Iran Laundered Users' Money Before Being Attacked?
On-chain data shows that Nobitex used a method called peelchaining. This is a technique of breaking large Bitcoins into smaller pieces and transferring them to temporary wallets to hide the origin of the money flow.
This technique makes it harder to trace the flow of funds, often used to obscure the true origin of funds. In the case of Nobitex, analysts say BTC is circulated in a continuous cycle in 30-coin portions.
Global Ledger also found that Nobitex uses temporary deposit/withdrawal addresses — also known as chip-off transactions. These addresses are used only once, sending BTC to new wallets, disrupting the cash flow, making it difficult to track the transaction schedule.
Nobitex wallet after being hacked receives Bitcoin drip from suspicious wallet over time. Source: Global Ledger
Rescue Wallet Is Not A New Wallet
After the attack, Nobitex claimed to have transferred the remaining amount as a safety measure. In fact, blockchain data shows that a wallet containing 1,801 BTC (about $187.5 million) has changed hands.
However, this wallet is not new, as blockchain data shows that since October 2024, the wallet has started accumulating funds withdrawn from smaller wallets, which were the central wallets of the previous money laundering operation.
Sponsored advertising
These activity streams suggest that the post-attack money transfers were just a short-term move in Nobitex’s long-standing money laundering scheme. There is no sign of a change in strategy, and instead, they continued to break the law before and after the attack — as if it were standard procedure.
In particular, a particular wallet — one with the code bc1q…rrzq — kept popping up, receiving deposits from users. This seemed to be the starting point of a chain of hard-to-trace money movements in the Nobitex blockchain ecosystem.
Sponsored advertising
Importantly, this was not an activity that started after the hack. Nobitex had been laundering money this way since before and continued regularly — presque as a routine.
One particular wallet, bc1q…rrzq, continuously receives large user deposits, acting as a transit point in this chain of dirty activities.
Nobitex's actions after the attack were actually just a continuation of a familiar process in blockchain money laundering, apparently as part of a long-term plan.
Pro-Israel hacker group Gonjeshke Darande even released files revealing Nobitex's internal wallet structure — showing the extent of the exchange's control over the flow of funds.
The crisis after the attack did not change Nobitex's operations, instead, blockchain data proves that they have been continuously transferring funds for months, as if this activity had become a routine process.
The exchange's old wallets, especially bc1q…rrzq, all sent Bitcoin to new wallets, then split and forwarded it multiple times — often in chunks of 20–30 BTC — making it nearly impossible to trace.
This method completely disrupts the flow of money, making it difficult for analysts and regulators to determine the exact destination of the funds. This method is similar to what hackers use to hide their tracks when moving money through the blockchain.
It is worth noting that this is not a new action by Nobitex, they have been doing this for a long time and continued after the attack — almost becoming an unwritten rule in their money laundering activities.
Among the wallets, the bc1q…rrzq wallet frequently receives funds from users and is the starting point of many thorny fund movement chains, making it difficult to determine the authenticity of the funds flow.
In conclusion, the attack did not cause Nobitex to change the way it handled funds. Instead, it exposed long-standing, covert operations.
These streams of activity demonstrate, not just an information leak, but also evidence that money laundering is ongoing – part of the exchange’s long-term plan.
Source: https://tintucbitcoin.com/nobitex-iran-rua-tien-truoc-vu-hack-90-trieu-usd/
Thank you for reading this article!
Please Like, Comment and Follow TinTucBitcoin to stay updated with the latest news about the cryptocurrency market and not miss any important information!
