Sorting out the abnormal destruction of $100 million in assets on the Iranian exchange

Author: Lisa & 23pds

Editor: Sherry

Original title: Nearly $100 million destroyed: A combing of the theft of the Iranian exchange Nobitex

Background

On June 18, 2025, on-chain detective ZachXBT revealed that Nobitex, Iran's largest cryptocurrency exchange, allegedly suffered a hacker attack, involving abnormal transfers of large assets across multiple public chains.


SlowMist further confirmed that the affected assets span the TRON, EVM, and BTC networks, with an initial estimated loss of approximately 81.7 million USD.


Nobitex also announced that some infrastructure and hot wallets have indeed experienced unauthorized access, but emphasized that user funds are safe.


It is worth noting that the attackers not only transferred funds, but also actively transferred a large number of assets to a specially crafted destruction address, and the "burned" assets were worth nearly $100 million.


Timeline Sorting

June 18

  • ZachXBT disclosed that the Iranian cryptocurrency exchange Nobitex is suspected to have suffered a hacking attack, with a large number of suspicious withdrawal transactions occurring on the TRON chain. SlowMist further confirmed that the attack involves multiple chains, with initial estimated losses of approximately 81.7 million USD.
  • Nobitex stated that the technical team detected unauthorized access to some of the infrastructure and hot wallets, and has immediately disconnected external interfaces and initiated an investigation. The vast majority of assets are stored in cold wallets and are unaffected; this intrusion was limited to the portion of hot wallets used for daily liquidity.
  • The hacking group Predatory Sparrow (Gonjeshke Darande) claimed responsibility for the attack and announced that the Nobitex source code and internal data would be released within 24 hours.


June 19

  • Nobitex released its fourth statement, indicating that the platform has completely blocked external access paths to the servers, and that the hot wallet transfers are "proactive migrations made by the security team to ensure fund safety." Nobitex also officially confirmed that the stolen assets were transferred to wallets with non-standard addresses composed of arbitrary characters, which were used to destroy user assets totaling approximately 100 million dollars.
  • The hacker group Predatory Sparrow (Gonjeshke Darande) claims to have burned approximately $90 million worth of cryptocurrency assets, referring to them as "sanction evasion tools."
  • The hacker group Predatory Sparrow (Gonjeshke Darande) publicly released the source code of Nobitex.


Source Code Information

According to the source code information released by the attacker, the folder information is as follows:

Specifically, it involves the following content:


Nobitex's core system is written primarily in Python and is deployed and managed using K8s. Based on the known information, we speculate that the attacker may have breached the operations and maintenance (O&M) boundary and entered the intranet.

MistTrack Analysis

The attacker used multiple "destruction addresses" that appear legitimate but are in fact uncontrollable to receive the assets. Most of these addresses comply with on-chain address format verification rules and can successfully receive assets, but once funds are transferred to them, the funds are effectively destroyed permanently. The addresses also embed emotionally charged, provocative wording. Some of the "destruction addresses" used by the attacker are as follows:

  • TKFuckiRGCTerroristsNoBiTEXy2r7mNX
  • 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
  • 1FuckiRGCTerroristsNoBiTEXXXaAovLX
  • DFuckiRGCTerroristsNoBiTEXXXWLW65t
  • FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX
  • UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT
  • one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u
  • rFuckiRGCTerroristsNoBiTEXypBrmUM
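
The point above, that passing format verification says nothing about whether anyone holds the key, shown as an added example (not from the original article or SlowMist's tooling): a Base58Check validator next to two structural heuristics a withdrawal pipeline could apply to hot-wallet destinations. The `nobitex` watch term, the 6-character repeat threshold, and the Bitcoin genesis-block address used as a control are assumptions of this example.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_ok(addr: str) -> bool:
    """Format check only: valid Base58Check (Bitcoin/Dogecoin/TRON style)."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def repeated_ngram(addr: str, n: int = 6) -> bool:
    """True if any n-char substring occurs twice (padding runs, repeated words)."""
    s, seen = addr.lower(), set()
    for i in range(len(s) - n + 1):
        if s[i:i + n] in seen:
            return True
        seen.add(s[i:i + n])
    return False

def screen(addr: str, watch_terms=("nobitex",)) -> list:
    """Reasons to hold a hot-wallet transfer for review; empty list = none.
    watch_terms is an assumed operator-maintained list (here: own brand name)."""
    flags = []
    if any(t in addr.lower() for t in watch_terms):
        flags.append("watch_term")
    if repeated_ngram(addr):
        flags.append("repeated_pattern")
    return flags

# Destinations quoted in the article, plus the genesis-block address as a control.
SAMPLES = [
    "TKFuckiRGCTerroristsNoBiTEXy2r7mNX",
    "1FuckiRGCTerroristsNoBiTEXXXaAovLX",
    "0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead",
    "one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(a, "| base58check:", b58check_ok(a), "| flags:", screen(a))
```

`b58check_ok` only covers chains that use Base58Check; EVM, Harmony, and TON addresses use other encodings and return `False` from it, so the structural flags are what apply to them.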

We used the on-chain anti-money laundering and tracking tool MistTrack for the analysis; Nobitex's losses are roughly as follows:

According to MistTrack analysis, the attacker completed 110,641 USDT transactions and 2,889 TRX transactions on TRON:


The EVM chains from which the attackers stole assets mainly include BSC, Ethereum, Arbitrum, Polygon, and Avalanche; in addition to the mainstream currencies of each ecosystem, the stolen assets also include UNI, LINK, SHIB, and other tokens.


On Bitcoin, attackers stole a total of 18.4716 BTC across approximately 2,086 transactions.


On Dogechain, attackers stole a total of 39,409,954.5439 DOGE across approximately 34,081 transactions.

On Solana, attackers stole SOL, WIF, and RENDER:


On TON, Harmony, and Ripple, attackers stole 3,374.4 TON, 35,098,851.74 ONE, and 373,852.87 XRP respectively:

MistTrack has added the relevant addresses to the malicious address database and will continue to monitor related on-chain activities.

Conclusion

The Nobitex incident once again reminds the industry that security must be treated as a whole. Platforms need to further strengthen their security protection and adopt more advanced defense mechanisms, especially platforms that use hot wallets for daily operations. SlowMist suggests:

  • Strictly isolate the permissions and access paths of hot and cold wallets, and regularly audit the permissions for hot wallet calls;
  • Adopt on-chain real-time monitoring systems (such as MistEye) to obtain comprehensive threat intelligence and dynamic security monitoring in a timely manner;
  • Collaborate with on-chain anti-money laundering systems (such as MistTrack) to promptly detect abnormal fund flows;
  • Strengthen the emergency response mechanism to ensure that the attack can be effectively responded to within the golden window.

The incident is still under investigation, and the SlowMist security team will continue to follow up and provide timely updates on the progress.
