Digital Blow To Tehran: Hackers Disrupt Iran’s Illicit Finance Network

The Nobitex Hack

On June 18, 2025, in the midst of the Israel-Iran conflict, the largest cryptocurrency exchange in Iran was attacked by a “hacktivist” group, Gonjeshke Darande (Predatory Sparrow). Predatory Sparrow is believed to have “links” to Israel’s military or intelligence agencies, with some analysts suspecting that Israel sponsors the group. The hackers stole $90 million (in Bitcoin, EVM, Ethereum, Ripple, Dogecoin, Solana, and other cryptocurrencies) from the exchange, but effectively “burned” the money by transferring the funds to wallets for which they did not have the keys (the security mechanism needed to access the funds). The hackers also reportedly released the complete source code of the exchange, exposing assets still hosted on the exchange to possible theft. The day after the attack, Nobitex responded, saying that no additional losses had occurred.

The Israel-affiliated hackers had previously attacked Iran’s Bank Sepah, and claimed to have destroyed all the bank’s data in retaliation for its association with the Islamic Revolutionary Guards Corps (IRGC).

Iran’s Crypto Lifeline

Nobitex is Iran’s largest cryptocurrency exchange. Since the mid-2010s, cryptocurrency has become increasingly important for Iran’s economy, facilitating payments outside of the formal banking sector (and helping to evade sanctions and sanctions-related restrictions on financial transactions). Nobitex has provided the majority of cryptocurrency services to Iranians since 2017, and between 2018 and 2022, it is believed to have processed $8 billion in transactions (often with the help of Binance). Nobitex processes transactions across multiple blockchains, including the ones that were attacked in the hack, as well as Tron. In addition to Nobitex, Iran also has four other large exchanges: Wallex.ir, Excoino, Aban Tether, and Bit24.cash.

Since 2018, Iran has used cryptocurrency to bypass US and international sanctions. The IRGC (and the IRGC QF in particular) uses cryptocurrency to move funds to support its various functions, including intelligence operations and its network of proxy groups (aka the Axis of Resistance). Indeed, Nobitex was reportedly targeted for its role in facilitating sanctions evasion activity and for terrorist financing, specifically between the IRGC QF and proxies such as Hizballah, Hamas, and the Houthis.

According to a statement from Nobitex’s CEO AmirHossein Rad (via a video posted on the social media platform X), the exchange had a delayed response to the hack due to limitations placed on Internet access in Iran and a lack of access to the company’s data centers. The Iranian government is believed to have significantly reduced (and in some cases stopped) all internet access for periods during the conflict. Rad further stated that the exchange will fully compensate clients for all funds stolen from hot wallets (wallets hosted online on the exchange) and reiterated that the exchange remains liquid, as the majority of its assets are held in cold wallets (offline storage devices). He indicated that the exchange would come back online gradually over the next four to five days.

Disrupting Iranian Illicit Finance

The future of Nobitex and the impact of this hack on Iran’s financial sector are uncertain. The exchange has slowly begun restoring some of its services, and most core functions have since resumed. However, Nobitex has strongly advised its users not to send funds to any old deposit addresses, indicating that doing so may result in irreversible losses. If the exchange is able to fully stabilize operations and enhance security after the alleged leaking of its source code, the cryptocurrency ecosystem in Iran will remain largely intact. However, if Nobitex is unable to sustain or complete the resumption of services, this will seriously reduce the ability of regular Iranians (and the Iranian regime) to move money into and out of Iran. With Bank Sepah also offline, this poses a significant hindrance to the IRGC’s financial operations.

While Iran’s proxy groups likely did not feel the pinch immediately, if these financial service providers remain offline or only partially functional, Iranian proxies would likely start to experience financial limitations and possibly face financial disruption, hindering their ability to procure weapons and goods, as well as pay for services. While other Iranian cryptocurrency exchanges remain operational, they are unlikely to easily replace Nobitex's processing volume, and any attempt to do so could expose them to targeting by Predatory Sparrow. Reducing Iran’s ability to provide financial support to its proxies was likely the intended goal of the hack; while this was achieved in the short term, it remains to be seen whether it will be successful in the long term.
