Pro-Israel Group Claims Cyberattack on Iran’s Largest Cryptocurrency Exchange

• More than $73 million was stolen on Nobitex through vanity wallet addresses on Tron and EVM chains.
• A pro-Israel hacker group took responsibility and threatened to publish the source code of Nobitex.
• Nobitex claimed that cold wallets are secure and that it would reimburse the users out of its insurance fund.

Nobitex, a crypto exchange based in Iran, has been severely breached, resulting in the loss of nearly 73 million dollars in crypto assets. First reported by blockchain sleuth ZachXBT, the attack was directed at wallets over both Ethereum-compatible and Tron blockchains using custom wallet addresses called “vanity addresses.”

ZachXBT found the suspect transfers, tracing them to the addresses named as “TKFuckiRGCTerroristsNoBiTEXy2r7mNX” and “0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead,” that sent around $49 million into unknown wallets on Tron. Onchain analysis shows the total effect may exceed $73 million, but Nobitex itself has not reported the extent of the loss.

The attacker wallet, KFucki, followed a conventionally identifiable naming pattern to taunt the target and carry out quick transfers. Nobitex noted that it had received unauthorized access to a portion of its hot wallets, which they reportedly froze promptly. It promised the users that the cold storage funds would not be accessed, and losses would be paid with insurance reserves and company funds.

Hackers Promise Source Code Leak Within Hours

In a post on X, a hacker group calling itself “Gonjeshke Darande” claimed responsibility. The group that has previously targeted Iranian industrial sites described Nobitex as a central node in Tehran’s financial network. It claimed that the interchange contributes to the evasion of sanctions and funding of malevolent activities.

The group warned users to pull their funds out and promised to release the source code and internal documents of Nobitex within 24 hours. It also claimed that the Iranian government had integrated Nobitex into military and strategic operations and that working at the exchange fulfills military service requirements.

Security analysts believe that Gonjeshke Darande has connections to Israeli cyber intelligence agencies. Although authorities did not corroborate the statement, it brings a geopolitical component to an initially financial intrusion. The group has been known to have several cyberattacks on the Iranian infrastructure, like steel plants and gas stations.

Rising Crypto Hacks Signal Broader Industry Weakness

The Nobitex attack is part of a trend that blockchain security firm CertiK has described as an increasing wave of crypto-related thefts. More than 2.1 billion have already been stolen in 2025, with most cases related to wallet compromises and bad key management. Ronghui Gu, co-founder of CertiK, explained that social engineering attacks like address poisoning have been overtaking smart contract exploits in scope.

These scams lure users to send assets to phony addresses, avoiding technical intrusion. In response, analysts recommend that exchanges implement more effective operational controls, greater security when using private keys, and partitioning hot wallet use to limit the potential effect of a single hack.