Author: Lisa & 23pds
Editor: Sherry
Background
On June 18, 2025, on-chain detective ZachXBT revealed that Nobitex, Iran's largest cryptocurrency exchange, was suspected to have been hacked, with large abnormal asset transfers across multiple public chains.
(https://t.me/investigations)
SlowMist further confirmed that the affected assets span the TRON, EVM, and BTC networks, with losses preliminarily estimated at approximately $81.7 million.
(https://x.com/slowmist_team/status/1935246606095593578)
Nobitex also issued a statement confirming that some infrastructure and hot wallets indeed suffered unauthorized access, but emphasized that user funds are safe.
(https://x.com/nobitexmarket/status/1935244739575480472)
Notably, the attacker not only transferred funds but also actively moved a large amount of assets to specially designated burn addresses, with the burned assets valued at nearly $100 million.
(https://x.com/GonjeshkeDarand/status/1935412212320891089)
Timeline
June 18
ZachXBT revealed that the Iranian cryptocurrency exchange Nobitex was suspected to have been hacked, with a large number of suspicious outgoing transactions on the TRON chain. SlowMist further confirmed that the attack involved multiple chains, with losses preliminarily estimated at approximately $81.7 million.
Nobitex stated that its technical team detected illegal access to some infrastructure and hot wallets, immediately cut off external interfaces, and started an investigation. The vast majority of assets are stored in cold wallets and remain unaffected; this intrusion is limited to part of its hot wallets used for daily liquidity.
The hacker organization Predatory Sparrow (Gonjeshke Darande) claimed responsibility for the attack and announced that it would release the Nobitex source code and internal data within 24 hours.
(https://x.com/GonjeshkeDarand/status/1935231018937536681)
June 19
Nobitex issued its fourth statement, saying that the platform had completely blocked external access paths to its servers and that the transfers from hot wallets were "proactive migrations made by the security team to safeguard funds." Nobitex also officially confirmed that the stolen assets had been transferred to wallets with non-standard addresses composed of arbitrary characters, which were used to destroy user assets totaling approximately $100 million.
The hacker organization Predatory Sparrow (Gonjeshke Darande) claimed to have burned approximately $90 million worth of cryptocurrency assets, referring to them as "sanction evasion tools."
(https://x.com/GonjeshkeDarand/status/1935593397156270534)
Source code information
According to the source code information released by the attacker, the folder information is as follows:
Specifically, it involves the following contents:
Nobitex's core system is written primarily in Python and is deployed and managed with Kubernetes (K8s). Based on the known information, we speculate that the attacker may have breached the operational boundary to enter the internal network; we will not elaborate further here.
MistTrack analysis
The attacker used multiple "burn addresses" that look legitimate but that no one controls to receive the assets. Most of these addresses pass on-chain address format validation and can successfully receive assets, but once funds are transferred in, they are effectively destroyed permanently. The addresses also embed emotional and provocative language, indicating the intent behind the attack. Some of the "burn addresses" used by the attacker are as follows:
TKFuckiRGCTerroristsNoBiTEXy2r7mNX
0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
1FuckiRGCTerroristsNoBiTEXXXaAovLX
DFuckiRGCTerroristsNoBiTEXXXWLW65t
FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX
UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT
one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u
rFuckiRGCTerroristsNoBiTEXypBrmUM
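The point above, as an added example that is not SlowMist's or MistTrack's code: Base58Check validation of three of the listed addresses, plus an estimate of the brute-force work needed to reach their shared phrase with a real key pair. The function names, the `feasible_bits` threshold and the 58**k work approximation are assumptions of this example.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(addr: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' is one leading zero byte."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError if ch is outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body

def base58check_ok(addr: str) -> bool:
    """Format validation only: 1 version byte + 20-byte hash + 4-byte checksum.
    Passing says nothing about whether a private key exists for the hash."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def prefix_work_bits(phrase: str) -> float:
    """Approximate log2 of the key generations needed to land on a chosen
    Base58 phrase by brute force (about 58 ** len(phrase))."""
    return len(phrase) * math.log2(58)

def assess(addr: str, phrase: str, feasible_bits: float = 80.0) -> dict:
    """feasible_bits is an assumed ceiling on brute-force vanity search."""
    bits = prefix_work_bits(phrase) if phrase in addr else 0.0
    return {"checksum_ok": base58check_ok(addr),
            "work_bits": round(bits),
            "keyless": bits > feasible_bits}

PHRASE = "FuckiRGCTerroristsNoBiTEX"            # phrase shared by the addresses
PAGE_ADDRESSES = [                               # copied from the list above
    "TKFuckiRGCTerroristsNoBiTEXy2r7mNX",        # TRON
    "1FuckiRGCTerroristsNoBiTEXXXaAovLX",        # Bitcoin
    "DFuckiRGCTerroristsNoBiTEXXXWLW65t",        # DOGE
]

if __name__ == "__main__":
    for a in PAGE_ADDRESSES:
        print(a, assess(a, PHRASE))
```

A 25-character chosen phrase corresponds to roughly 146 bits of search, so the checksum can only have been fitted to the text afterwards; the addresses validate, yet no key pair was ever generated for them.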
We used the on-chain anti-money laundering and tracking tool MistTrack for analysis, and the estimated losses of Nobitex are as follows:
According to MistTrack analysis, the attacker completed 110,641 USDT transactions and 2,889 TRX transactions on TRON:
On EVM chains, the stolen assets were primarily on BSC, Ethereum, Arbitrum, Polygon, and Avalanche, covering not only the mainstream currencies of each ecosystem but also various tokens such as UNI, LINK, and SHIB.
On Bitcoin, the attacker stole a total of 18.4716 BTC across approximately 2,086 transactions.
On Dogechain, the attacker stole a total of 39,409,954.5439 DOGE across approximately 34,081 transactions.
On Solana, the attacker stole SOL, WIF, and RENDER:
On TON, Harmony, and Ripple, the attacker stole 3,374.4 TON, 35,098,851.74 ONE, and 373,852.87 XRP respectively:
MistTrack has added the related addresses to the malicious address database and will continue to monitor relevant on-chain trends.
Conclusion
The Nobitex incident is a reminder to the industry that security must be treated as a whole: platforms, especially those that use hot wallets for daily operations, need to further strengthen their security protection and adopt more advanced defense mechanisms. SlowMist recommends:
Strictly isolate hot and cold wallet permissions and access paths, and regularly audit hot wallet calling permissions;
Use on-chain real-time monitoring systems (such as MistEye) to promptly obtain comprehensive threat intelligence and dynamic security monitoring;
Work with on-chain anti-money laundering systems (such as MistTrack) to promptly detect abnormal fund flows;
Strengthen emergency response mechanisms to ensure an effective response within the golden window after an attack occurs.
The investigation into the incident is still ongoing, and the SlowMist security team will continue to follow up and provide timely updates on the progress.