Author: Lisa & 23pds

Editor: Sherry

Background

On June 18, 2025, on-chain detective ZachXBT disclosed that Nobitex, Iran's largest crypto trading platform, had allegedly been hacked, with large abnormal asset transfers across multiple public chains.

(https://t.me/investigations)

SlowMist further confirmed that the affected assets span the TRON, EVM, and BTC networks, with preliminary estimated losses of approximately $81.7 million.

(https://x.com/slowmist_team/status/1935246606095593578)

Nobitex also issued a statement confirming that some infrastructure and hot wallets had experienced unauthorized access, but emphasized that user fund safety is guaranteed.

(https://x.com/nobitexmarket/status/1935244739575480472)

It is worth noting that the attackers not only transferred funds but also actively moved a large amount of assets to specially created burn addresses, with the value of the 'burned' assets nearing $100 million.

(https://x.com/GonjeshkeDarand/status/1935412212320891089)

Timeline

June 18

  • ZachXBT disclosed that the Iranian crypto exchange Nobitex allegedly suffered a hacker attack, with a large number of suspicious withdrawal transactions occurring on the TRON chain. SlowMist further confirms that the attack involves multiple chains, with preliminary estimated losses of approximately $81.7 million.

  • Nobitex stated that the technical team detected unauthorized access to some infrastructure and hot wallets, immediately cut off external interfaces, and initiated an investigation. The vast majority of assets stored in cold wallets remain unaffected; this intrusion was limited to the portion of hot wallets used for daily liquidity.

  • The hacker group Predatory Sparrow (Gonjeshke Darande) claims responsibility for this attack and declares that it will release the source code and internal data of Nobitex within 24 hours.

(https://x.com/GonjeshkeDarand/status/1935231018937536681)

June 19

  • Nobitex issued its fourth statement, indicating that the platform has completely blocked external access paths to the server, and that the hot wallet transfers are 'proactive migrations made by the security team to protect funds.' At the same time, Nobitex confirmed that the stolen assets were transferred to wallets with non-standard addresses composed of arbitrary characters, which were used to destroy user assets, totaling approximately $100 million.

  • The hacker group Predatory Sparrow (Gonjeshke Darande) claims to have burned approximately $90 million worth of crypto assets, referring to it as a 'sanctions evasion tool.'

  • The hacker group Predatory Sparrow (Gonjeshke Darande) publicly released the source code of Nobitex.

(https://x.com/GonjeshkeDarand/status/1935593397156270534)

Source code information

Based on the source code information released by the attackers, the folder information is as follows:

Specifically, it involves the following content:

Nobitex's core system is mainly written in Python and is deployed and managed with Kubernetes (K8s). Based on known information, we speculate that the attackers may have breached the operations and maintenance boundary and from there entered the internal network. This analysis will not be expanded upon here.

MistTrack analysis

The attackers used multiple 'burn addresses' that look legitimate but that no one controls to receive the assets. Most of these addresses conform to on-chain address format verification rules, so they can receive assets successfully. However, once funds are transferred in, they are permanently destroyed. Additionally, these addresses contain emotional and provocative language, indicating aggressive intent. Some of the 'burn addresses' used by the attackers are as follows:

  • TKFuckiRGCTerroristsNoBiTEXy2r7mNX

  • 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead

  • 1FuckiRGCTerroristsNoBiTEXXXaAovLX

  • DFuckiRGCTerroristsNoBiTEXXXWLW65t

  • FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX

  • UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT

  • one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u

  • rFuckiRGCTerroristsNoBiTEXypBrmUM
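
The point that these addresses pass format verification yet are uncontrollable can be shown with a Base58Check validator and a simple withdrawal-destination screen. This is an added example, not SlowMist's or MistTrack's code: the function names, the run-length threshold and the well-known all-zero-hash Bitcoin address `1111111111111111111114oLvT2` used as sample input are assumptions of the example, and the denylist holds three of the addresses listed above.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Base58Check burn addresses quoted in this article (BTC, TRON, DOGE forms).
ARTICLE_BURN = {
    "1FuckiRGCTerroristsNoBiTEXXXaAovLX",
    "TKFuckiRGCTerroristsNoBiTEXy2r7mNX",
    "DFuckiRGCTerroristsNoBiTEXXXWLW65t",
}

def b58decode(s):
    """Base58 string -> bytes; ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))          # each leading '1' is a zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def base58check_ok(addr):
    """True if addr is 1 version byte + 20 payload bytes + a correct checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]              # says nothing about key ownership

def longest_run(addr):
    """Longest run of one repeated character, a sign of hand-made padding."""
    best = run = 1
    for a, b in zip(addr, addr[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def screen(addr, denylist=ARTICLE_BURN, max_run=3):
    """Return 'deny', 'invalid', 'review' or 'pass' for a withdrawal destination."""
    if addr in denylist:
        return "deny"
    if not base58check_ok(addr):
        return "invalid"      # typo or wrong format: all a checksum can catch
    if longest_run(addr) > max_run:
        return "review"       # checksum-valid but padded: hold for a human
    return "pass"             # no check fired; this still proves no key exists

if __name__ == "__main__":
    for a in ("1111111111111111111114oLvT2", *ARTICLE_BURN): print(a, screen(a))
```
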

We used the on-chain anti-money laundering and tracking tool MistTrack for analysis. An incomplete tally of Nobitex's losses is as follows:

According to MistTrack analysis, the attackers completed 110,641 USDT transactions and 2,889 TRX transactions on TRON:

The EVM chains mainly targeted by the attackers include BSC, Ethereum, Arbitrum, Polygon, and Avalanche. The stolen assets cover not only the mainstream currencies of each ecosystem but also various tokens such as UNI, LINK, SHIB, etc.

On Bitcoin, the attackers stole a total of 18.4716 BTC in approximately 2,086 transactions.

On Dogechain, the attackers stole a total of 39,409,954.5439 DOGE in approximately 34,081 transactions.

On Solana, the attackers stole SOL, WIF, and RENDER:

On TON, Harmony, and Ripple, the attackers stole 3,374.4 TON, 35,098,851.74 ONE, and 373,852.87 XRP respectively:

MistTrack has added the related addresses to the malicious address database and will continue to monitor relevant on-chain activities.

Conclusion

The Nobitex incident reminds the industry once again that security must be treated as a whole. Platforms need to further strengthen their security protection and adopt more advanced defense mechanisms, especially platforms that use hot wallets for daily operations. SlowMist recommends:

  • Strictly isolate the permissions and access paths of hot and cold wallets, and regularly audit the permissions for hot wallet access;

  • Implement on-chain real-time monitoring systems (such as MistEye) to promptly obtain comprehensive threat intelligence and dynamic security monitoring;

  • Coordinate with on-chain anti-money laundering systems (such as MistTrack) to promptly detect abnormal fund flows;

  • Strengthen the emergency response mechanism to ensure effective response within the golden window after an attack occurs.

The investigation into the incident is still ongoing, and the SlowMist security team will continue to follow up and update progress in a timely manner.