Pro-Israel hackers deliver on threat to release Nobitex's source code

A pro-Israel hacking collective has followed through on its promise to release the full source code of Nobitex, Iran’s largest cryptocurrency exchange, just a day after orchestrating a high-profile blockchain exploit involving more than $100 million in digital assets. 

The group known as Gonjeshke Darande, also referred to as Predatory Sparrow, published a post on social media platform X on Thursday confirming the release of Nobitex’s internal data. 

“Time’s up, full source code linked below. ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” the post read.

Hacker releases blockchain script post $100 million exploit

The leak, posted on an X thread, included components of the platform’s infrastructure such as blockchain scripts, internal privacy configurations, and a list of servers. Cybersecurity analysts say the disclosure effectively cripples the back-end security of Nobitex, leaving any remaining assets on the exchange vulnerable to further attacks.

Time's up – full source code linked below.

ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.
بازمانده دارایی های شما در نوبیتکس هم اکنون در معرض دید و خطر هستند

But before that, lets meet Nobitex from the inside:

Exchange Deployment (1/8) pic.twitter.com/jiMfBpNXwd

— Gonjeshke Darande (@GonjeshkeDarand) June 19, 2025

The source code release follows through on threats issued a day earlier, when the group claimed responsibility for a coordinated attack across multiple blockchain networks. 

According to the statement, the group’s motivation stemmed from Nobitex’s alleged role in assisting the Iranian government in bypassing international sanctions. They labeled the exchange as “the regime’s favorite sanctions violation tool.”

Predatory Sparrow has taken credit for other cyberattacks in recent days, including one targeting Iran’s state-owned Bank Sepah. 

$100M in crypto burned, not stolen

On Wednesday, blockchain analytics firms Chainalysis and Elliptic confirmed that approximately $100 million worth of crypto assets, including Bitcoin, Ethereum, XRP, Dogecoin, Solana, Tron, and Toncoin, were impacted in the heist. 

According to Chainalysis’s head of national security intelligence, Andrew Fierman, the stolen assets were sent to burner wallets, cryptographic addresses that the attackers cannot access. 

Analysts believe the funds were not stolen for profit but were instead destroyed to send a political message. “The motive for stealing the $90+ million in funds is for something other than financial gain,” Fierman stated, calling the act symbolic and destructive.

Elliptic’s analysis also supports this interpretation, noting the use of provocatively named vanity wallets such as “1FuckiRGCTerroristsNoBiTEXXXaAovLX” and “DFuckiRGCTerroristsNoBiTEXXXWLW65t.” These addresses appear to have been created with brute-force generators and lack recoverable private keys, likely a deliberate effort to make the funds irretrievable.

Yehor Rudytsia, a security researcher at blockchain firm Hacken, said the choice of wallet addresses used in the attack was more “political” than a typical financial theft. 

“The wallet names and behavior suggest a political statement rather than a financially motivated theft,” Rudytsia said.

He added that most of the assets, over 20 different tokens on EVM-compatible chains, were sent to clean burner addresses. “The only potential for partial recovery lies with Tether, which could reissue the $55 million in stolen USDT,” he explained.

Nobitex responded to the developments on Thursday, saying that no additional losses occurred following the data leak. The exchange announced plans to restore services within five days, although ongoing internet disruptions inside Iran may slow recovery efforts.

Exchange linked to Iranian military and militant groups

The hacker has claimed Nobitex is connected to Iran’s Islamic Revolutionary Guard Corps (IRGC), a military organization designated as a terrorist entity by the United States, United Kingdom, European Union, and Canada. 

Research by Elliptic has previously linked Nobitex to ransomware operatives sanctioned for ties to the IRGC, and individuals with close affiliations to Iran’s Supreme Leader Ayatollah Ali Khamenei.

Blockchain data also shows transactional activity between Nobitex wallets and accounts connected to groups including Hamas, Palestinian Islamic Jihad, and Yemen’s Houthi movement.

Your crypto news deserves attention - KEY Difference Wire puts you on 250+ top sites