An Israeli-linked hacktivist group Gonjeshke Darande said it stole from Nobitex, an Iranian exchange, and released its full source code.
Israeli-Linked Hackers Steal $100m, Leaking Nobitex of Iran’s Source Code
19 June 2025 - 21:00 CEST
Gonjeshke Darande, which translates to Predatory Sparrow, is an anti-Iranian hacking group with with a record of successful cyber-attacks on Iranian companies and infrastructure.
Earlier this week, it claimed to have successfully attacked and destroyed data at Iranian state-owned Bank Sepah, which the hackers claimed used funds to "finance the regime's terrorist proxies."
The group claimed responsibility for both attacks in public posts on its X account.
Threats and Action
On 18 June, the hacking group posted in both English and Arabic, noting “After Bank Sepah comes the turn of Nobitex.” The group threatened that, in 24 hours, the Nobitex source code would be released and any assets remaining on the exchange will be at risk. It was followed up with a post proving assets had already been burned from the exchange, saying “bypassing sanctions doesn’t pay @nobitexmarket.”
"Bypassing sanctions doesn’t pay"
It wasn’t an empty threat. At 07:00 UTC on 19 June, Gonjeshke Darande released the full source code of the exchange, with a note that “ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.”
The exchange has confirmed the attack in a series of posts on X, noting that “around $100 million” is estimated to have been stolen, but that “user assets are covered by the Nobitex Reserve Fund, and no user funds will be lost.”
As at 13:00 UTC on 19 June, the Nobitex website was unavailable. The company has estimated a four-to-five-day timeline for the restoration of services.
Hacktivism and Geopolitics
Gonjeshke Darandeas has previously been linked to hacks against Iran. One in 2021 that caused outages at gas stations, and another in 2022, which resulted in a significant fire at a steel production facility. The Israeli government has not acknowledged Gonjeshke Darande as a state-supported asset.
These attacks tie into a pattern of suspected hacking groups attacking cryptocurrency infrastructure for profit. Earlier this year, two hacker groups identified as TraderTraitor and Lazarus Group attacked Bybit, a cryptocurrency exchange based in Dubai, stealing $1.5 billion of Ether (ETH). The groups were accused by the US FBI (Federal Bureau of Investigation) of acting on behalf of the North Korean government, which uses the stolen monies to fund its nuclear weapons programme.
According to South Korea’s National Intelligence Service, the North Korean government is estimated to have stolen around $1.2 billion in crypto assets over the last five years.
