Tehran-based crypto exchange Nobitex has begun restoring limited services following a $90 million hack earlier this month, which was claimed by the pro-Israel hacking group Gonjeshke Darande.
In a post on X, Nobitex said that wallet access is now open to users who have completed identity verification, with spot trading users given priority. The exchange plans to re-enable withdrawals on June 30, while other functions like deposits and trading will return gradually — though no firm timeline has been given.
The company also warned users not to send funds to previously used wallet addresses, citing a full migration of its wallet system. “Previous addresses are no longer valid, and any deposits made to them may result in loss of funds,” Nobitex said.
The breach, which took place on June 18, was widely viewed as politically motivated given the group’s public alignment with Israel and Nobitex’s status as Iran’s largest crypto platform. Gonjeshke Darande claimed responsibility, burned most of the stolen funds, and published what appeared to be the exchange’s source code.
The attack has drawn increased attention to the geopolitical dimensions of crypto infrastructure in the region. Blockchain analytics firm Chainalysis reported that Nobitex processed more than $11 billion in crypto inflows — far ahead of other local exchanges — and has apparent links to entities under international sanctions, including Iran’s Revolutionary Guard and Russian crypto platforms.
Blockchain intelligence firm TRM Labs also said there’s an “analytical possibility” that Israeli cyber teams accessed internal information from Nobitex, shortly after it was breached on June 18. The timing, TRM noted, is key: just days later, Israeli authorities announced the arrest of three people accused of carrying out espionage activities on behalf of Iran.
Two of the suspects were reportedly paid in cryptocurrency. One, a 28-year-old named Dmitri Cohen, is alleged to have received $500 in crypto per completed task, which included intelligence gathering and online propaganda.
The hackers, known by their Farsi name which translates to Predatory Sparrow, claimed responsibility for the breach on Wednesday, and followed through Thursday by publishing what they say is Nobitex’s core backend code — scripts, infrastructure data, and privacy configurations.
Nobitex’s CEO, Amir Rad, rejected claims that the company is state-affiliated, describing it as a private entity. He also alleged that the attack was supported by the Israeli government.
Meanwhile, Iranian regulators imposed tighter controls on crypto platforms in the wake of the incident, restricting their operating hours to 10 a.m. to 8 p.m.
The Nobitex case is part of a broader rise in politically driven cyberattacks targeting the crypto sector in 2025. North Korean hacking groups, in particular, accounted for a large share of global crypto thefts this year, including the $1.5 billion Bybit exploit in February. South Korean officials say some of these groups started using AI tools like ChatGPT to assist in their operations.
