An attack by Israeli-linked hackers on Iran's top cryptocurrency exchange amid a 12-day war in June focused their targeting on accounts held by officials and their so-called hot and cold wallets, a source told Iran International on Friday.
The Western-sanctioned Nobitex exchange was hit on June 18 by the hacking group Predatory Sparrow and $90 million dollars in its currency was destroyed, according to independent monitors. Nobitex has denied any military or government connections.
Hackers analyzed the stolen data and identified assets, networks, and transactions linked to Iranian officials, distinguishing them from those of civilians and ordinary users, the source said.
Nobitex announced after the attack that losses were limited to hot wallets only. However, a source told Iran International that both hot and cold wallets had been affected.
Hot wallets are internet-connected digital wallets designed for quick transactions but vulnerable to hacks. Cold wallets—offline hardware devices or paper keys—offer higher security but are slower and less convenient for daily use.
Determining whether destroyed assets were in hot or cold wallets can be done by examining transaction patterns and blockchain data tagged by analysis firms.
The United States sanctioned Nobitex in September 2022, followed by Canada in December 2022 and New Zealand in 2023, citing the exchange’s role in arms cooperation with Russia and drone transfers in the Ukraine war.
While the released data suggested extensive sanctions-evasion activities, the Nobitex team insisted it is merely a startup and denied any illegal conduct.
During the June conflict, Israel-linked hackers launched some of the most disruptive cyberattacks of the campaign.
The Predatory Sparrow claimed responsibility for destroying $90mn from Iran’s Nobitex cryptocurrency exchange and crippling services at Bank Sepah and Bank Pasargad by disabling their main and backup data centers.
“During the Nobitex hack, the asset withdrawals specifically occurred from high-frequency addresses, typically associated with hot wallets, and were transferred to burn addresses,” Mehdi Saremi Far, a science and technology journalist, told Iran International.
Iran’s cryptocurrency market is estimated at $5–12 billion, with Nobitex handling about 87% of its transaction volume.
TRM Labs, which specializes in detecting and disrupting blockchain-based illicit activity such as ransomware and money laundering, announced in July that Nobitex was not only used for illicit activities but also served as a surveillance tool.
“The Nobitex breach showed that the exchange’s internal infrastructure was designed to evade detection by the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and US-based blockchain intelligence firms. This included modules for generating stealth addresses, obfuscating transactions, and evading surveillance,” TRM Labs said.
