A major cyberattack has hit Iran’s largest cryptocurrency exchange, Nobitex, resulting in the destruction of around $90 million worth of crypto assets. This wasn’t a theft; it was a deliberate burn. The group behind the attack is called Predatory Sparrow, also known by its Farsi name Gonjeshke Darande. They are believed to be linked to pro-Israel cyber efforts and have been involved in politically motivated hacks in the past.
This time, they didn’t steal the money. Instead, they moved the funds into special crypto wallets known as “burn addresses.” These are custom wallet addresses for which nobody holds the private key, so the funds sent there can never be spent and are gone forever. Many of these addresses had anti-Iranian regime messages embedded in them, like “F‑IRGCterrorists,” directly targeting Iran’s Islamic Revolutionary Guard Corps (IRGC).
According to reports, the hackers targeted several types of cryptocurrencies including Bitcoin, Ethereum, and Dogecoin, all taken from Nobitex’s hot wallets. These wallets were actively connected to the internet, which made them more vulnerable to attacks. After the breach, Nobitex shut down its hot wallet systems and online services. The company later assured its users that cold wallets, the offline storage method, were not affected and the assets stored in them remained secure.
The incident happened on June 18, 2025, and came just a day after another attack by the same group on Bank Sepah, one of Iran’s major banks. This suggests a coordinated campaign targeting Iran’s financial infrastructure, not just a one-off cyber heist. What makes this even more significant is that Predatory Sparrow didn’t try to profit from the attack; they burned the assets to make a political statement.
Cybersecurity companies including Elliptic, Chainalysis, and TRM Labs confirmed that the stolen funds were moved to burn addresses, supporting the claim that the purpose was destruction, not gain. These firms have also highlighted that Nobitex has previously been used by sanctioned groups, including Iran’s IRGC and proxy groups like Hamas and the Houthis. That detail adds more political weight to this attack, making it not just a cybercrime, but an act of digital sabotage.
What’s even more interesting is that the hackers made the burn wallets “vanity addresses.” These are special addresses that are customized to display readable text, such as anti-IRGC slogans. This not only makes the attack public and symbolic but also sends a message to both the Iranian government and the global cybersecurity community.
At the same time, the cyberattack raises questions about Nobitex’s security measures. As Iran’s largest crypto exchange, Nobitex has grown quickly in recent years due to sanctions that pushed many Iranians into crypto. But with growth comes risk, and this incident shows that sophisticated state-linked hacking groups are now targeting financial systems as part of geopolitical cyber warfare.
So far, Nobitex is still investigating the full scale of the damage. Their team is working to understand how the breach occurred and whether any more vulnerabilities exist. While they have promised transparency and reassured users about cold wallet safety, confidence in the platform is definitely shaken.
This attack shows that cyberwarfare is entering a new phase. It’s no longer just about stealing money or spying; it’s about completely destroying digital assets for political goals. The line between hacking and warfare is getting thinner, and this event is proof that financial systems, especially in politically sensitive regions, are becoming battlegrounds.
In the end, $90 million in digital assets vanished in just hours, not due to a scam or a bug, but through a targeted, deliberate act of destruction. It’s a new warning to the world that in the age of crypto, even money itself isn’t safe from politics.
Stay alert, and keep your security measures updated!



