
Pro-Israel Hackers Successfully Launch $81 Million Attack on Nobitex

Cyberattack on Iran's leading cryptocurrency exchange, Nobitex, results in a massive loss of $81.7M. The pro-Israeli group Gonjeshke Darande has reportedly taken credit for the digital heist.


In a series of cyber attacks last week, the pro-Israel hacker group Gonjeshke Darande (also known as Predatory Sparrow) targeted several Iranian entities, including financial institutions and critical infrastructure. The group, believed to have links to the Israeli government, has been active since at least 2021, and operates primarily through highly disruptive cyberattacks.

Gonjeshke Darande's mode of operation typically involves cyber intrusions, data destruction, and the leaking of sensitive information. In their attacks on crypto platforms, they have transferred stolen assets to "vanity wallets" embedded with anti-IRGC (Islamic Revolutionary Guard Corps) messages, making the funds permanently inaccessible. This symbolic destruction is a tactic aimed at causing maximum economic disruption and political embarrassment for Iran.

One of the most notable recent attacks by Gonjeshke Darande was the hack on Nobitex, Iran’s largest crypto exchange, in June 2025. The group stole or "burned" nearly $90–100 million by transferring the funds to wallets considered inaccessible. The attack was politically motivated, aiming to disrupt Iranian financial movements and tarnish the exchange’s reputation, exacerbated by suspicions that Nobitex was involved in money laundering and sanctions evasion.

Prior to the Nobitex hack, Gonjeshke Darande compromised Bank Sepah, a state-owned Iranian bank, in May 2025. They disrupted banking services and leaked sensitive financial data online to expose Iranian government financial activities and hamper their state-backed economy.

The group has also targeted Iran's steel industry, causing fires and economic damage through cyber means. In October 2022, they attacked major Iranian steel companies, releasing dramatic footage to claim responsibility and highlight Iran’s vulnerabilities.

The hack on Bank Sepah reportedly destroyed data linked to the Islamic Revolutionary Guard Corps' operations within the bank. Nobitex, on the other hand, has assured users that all losses will be fully covered using its insurance reserves and internal resources.

Gonjeshke Darande has threatened to release Nobitex's source code and internal information within 24 hours, and warned that any assets remaining there after that point would be at risk. The initial $49 million was drained through an address labeled "TKFuckiRGCTerroristsNoBiTEXy2r7mNX."

The breach drained at least $81.7 million in assets across the Tron network and Ethereum Virtual Machine (EVM)-compatible blockchains. The attackers used a "vanity address" to carry out the exploit, triggering "suspicious outflows" from several wallets tied to Nobitex.
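Why funds sent to such a vanity address are treated as burned, shown as an added Python example that is not part of the original article: it validates the Base58Check structure of a Tron address and estimates how many key-generation attempts would be needed to own an address with a given number of chosen characters. The 25-character count for the readable text and the sample payload are assumptions made for the illustration.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l
PAGE_ADDRESS = "TKFuckiRGCTerroristsNoBiTEXy2r7mNX"  # address quoted in the article

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def checksum(payload: bytes) -> bytes:
    # Base58Check: first 4 bytes of double SHA-256 over prefix + 20-byte hash
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def is_valid_tron_address(addr: str) -> bool:
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    # 0x41 network prefix + 20-byte key hash + 4-byte checksum = 25 bytes
    return len(raw) == 25 and raw[0] == 0x41 and checksum(raw[:-4]) == raw[-4:]

def key_search_bits(chosen_chars: int) -> float:
    # Each chosen Base58 character multiplies the expected number of key
    # pairs to try by 58; the ceiling is the 160-bit key hash itself.
    return min(160.0, chosen_chars * math.log2(58))

def constructed_address() -> str:
    payload = b"\x41" + bytes(range(20))  # constructed sample, not a real account
    return b58encode(payload + checksum(payload))

if __name__ == "__main__":
    readable = PAGE_ADDRESS[2:27]  # assumption: the 25 characters that spell the message
    print("structurally valid:", is_valid_tron_address(PAGE_ADDRESS))
    print(f"{len(readable)} chosen chars ~ 2^{key_search_bits(len(readable)):.0f} key attempts")
```

An address can pass the checksum without anyone having generated a key for it, which is why analysts read a long readable string as a sign that the destination is unspendable rather than attacker-controlled.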

The Israel-linked hacking group targeted Nobitex due to its function as a significant instrument for financing terrorism and facilitating sanctions evasion. The two nations have since exchanged strategic missile attacks, resulting in 24 reported fatalities in Israel and 224 in Iran.

Gonjeshke Darande's operations often coincide with escalating political and military tensions between Iran and Israel. The group has been linked to shutting down gas stations across Iran in 2021 and has possible historical ties to significant cyber events like the 2010 Stuxnet attack.

The breach at Nobitex was limited to a subset of funds held in hot wallets, with user assets remaining secure in accordance with cold storage protocols. Gonjeshke Darande warned users that associating with regime terror financing and sanction violation infrastructure puts their assets at risk.


  1. In their attacks on crypto platforms, Gonjeshke Darande, known for using disruptive cyberattacks, transfers stolen assets to "vanity wallets" embedded with anti-IRGC messages, making the funds permanently inaccessible as a symbolic destruction aimed at causing maximum economic disruption and political embarrassment.
  2. The pro-Israel hacker group Gonjeshke Darande operates in the realm of cybersecurity, targeting not only crypto platforms but also financial institutions and critical infrastructure, as seen in their attack on Nobitex, Iran’s largest crypto exchange, in June 2025.
  3. Gonjeshke Darande's activities extend beyond financial entities, as they have also been involved in cyber attacks on Iran's steel industry, causing fires and economic damage, such as the attack on major Iranian steel companies in October 2022.
  4. The group's actions often coincide with conflicts between Iran and Israel, as seen in their alleged role in the shutting down of gas stations across Iran in 2021 and their possible historical ties to significant cyber events like the 2010 Stuxnet attack.
  5. The politics behind the cyber attacks are evident, with Gonjeshke Darande targeting entities like Nobitex due to their alleged function as significant instruments for financing terrorism and facilitating sanctions evasion, escalating tensions between the two nations, leading to strategic missile attacks with reported fatalities on both sides.
