Pro-Israel hackers hit Iran's Nobitex exchange, burn $90M in crypto
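The pro-Israel hacking group "Predatory Sparrow" claims to have stolen $90 million from Nobitex, Iran's largest crypto exchange, and burned the funds as a political attack. After Nobitex reported the intrusion, its website went offline. Analysis shows the funds were moved to wallet addresses carrying anti-IRGC messages. 2025-6-18 22:0:28 Author: www.bleepingcomputer.com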


The pro-Israel "Predatory Sparrow" hacking group claims to have stolen over $90 million in cryptocurrency from Nobitex, Iran's largest crypto exchange, and burned the funds in a politically motivated cyberattack.

The attack occurred on June 18, 2025, with Nobitex first reporting the breach on X at 2:24 AM EST.

"This morning, June 19, our technical team detected signs of unauthorized access to a portion of our reporting infrastructure and hot wallet," reads Nobitex's post.

"Immediately upon detection, all access was suspended and our internal security teams are closely investigating the extent of the incident."

Soon after, Predatory Sparrow claimed responsibility for the attack through their Gonjeshke Darande X account, promising to publish the company's source code and internal information stolen during the cyberattack. Nobitex's website has remained offline since the attack.

"After the IRGC's 'Bank Sepah' comes the turn of Nobitex. WARNING! In 24 hours, we will release Nobitex's source code and internal information from their internal network. Any assets that remain there after that point will be at risk," reads Predatory Sparrow's post.

"The Nobitex exchange is at the heart of the regime's efforts to finance terror worldwide, as well as being the regime's favorite sanctions violation tool. We, 'Gonjeshke Darande,' conducted cyberattacks against Nobitex."

Blockchain analysis firm Elliptic reports that more than $90 million in crypto was drained from Nobitex's wallets and funneled into addresses controlled by the hackers.

However, instead of attempting to capitalize on the breach and keep the stolen crypto for themselves, the hacking group sent nearly all of the crypto to vanity addresses, which are cryptographic wallet addresses with embedded anti-Islamic Republic Guard Corps (IRGC) messages such as "F*ckIRGCterrorists."

These vanity addresses require a lot of computational power to generate with usable private keys, and according to Elliptic, the creation of such long string names in a vanity address is "computationally infeasible." This means the hackers intentionally burnt the crypto so that no one could gain access to it again.

"The hack also does not appear to be financially motivated," explains Elliptic.

"The vanity addresses used by the hackers are generated through 'brute force' methods - involving the creation of large numbers of cryptographic key pairs until one contains the desired text. But creating vanity addresses with text strings as long as those used in this hack is computationally infeasible."
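The brute-force search Elliptic describes can be sized with a short calculation, shown here as an added example that is not part of the original article or Elliptic's analysis. It assumes a toy address scheme (a fixed "1" followed by Base58 digits of a SHA-256 hash, not real wallet key derivation), a constructed search rate of one billion keys per second, and an 18-character text length taken from the string as quoted above.

```python
import hashlib
import os

# Base58 alphabet used by Bitcoin-style addresses (no 0, O, I or l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def toy_address(secret: bytes) -> str:
    """Toy stand-in for address derivation: '1' + 20 Base58 digits of SHA-256(secret)."""
    n = int.from_bytes(hashlib.sha256(secret).digest(), "big")
    digits = []
    for _ in range(20):
        n, r = divmod(n, 58)
        digits.append(B58[r])
    return "1" + "".join(digits)

def check_text(text: str) -> None:
    """Reject text that can never appear in a Base58 address."""
    bad = sorted(set(text) - set(B58))
    if bad:
        raise ValueError(f"not in the Base58 alphabet: {bad}")

def search(text: str, max_tries: int):
    """Generate random secrets until the address starts with '1' + text.
    Returns (tries, secret), or None if max_tries is exhausted."""
    check_text(text)
    for tries in range(1, max_tries + 1):
        secret = os.urandom(32)
        if toy_address(secret).startswith("1" + text):
            return tries, secret
    return None

def expected_tries(n_chars: int) -> int:
    """Mean number of key pairs needed for n chosen Base58 characters."""
    return 58 ** n_chars

def years_to_find(n_chars: int, keys_per_second: float) -> float:
    """Expected search time at a given rate (the rate is an assumption)."""
    return expected_tries(n_chars) / keys_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    tries, secret = search("ab", 500_000)
    print(f"2 chars: found {toy_address(secret)} after {tries} tries "
          f"(expected about {expected_tries(2)})")
    for n in (4, 8, 12, 18):
        print(f"{n:2d} chars: about {years_to_find(n, 1e9):.2e} years at 1e9 keys/s")
```

Each added character multiplies the expected work by 58, which is why a two-character match takes a few thousand tries while an 18-character one has no realistic chance of ever having a known private key.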

Elliptic reports that their investigations into Nobitex also show ties to the IRGC and Iranian leadership.

Other researchers previously linked the exchange to relatives of Supreme Leader Ali Khamenei, IRGC-affiliated business interests, and sanctioned individuals, who have reportedly used Nobitex to move funds generated from the DiskCryptor and BitLocker ransomware operations.

The Predatory Sparrow hacktivist group breached the Iran-controlled Bank Sepah a day before the Nobitex attack and also focused on disruption and damage rather than financial gain.

These attacks come as Iran increasingly isolates itself from the global Internet to reduce the risk of escalating cyberattacks on its infrastructure.



Source: https://www.bleepingcomputer.com/news/security/pro-israel-hackers-hit-irans-nobitex-exchange-burn-90m-in-crypto/