
Cyber attack on Iranian cryptocurrency platform Nobitex netting over $90 million carried out by pro-Israeli entity

Large-scale cryptocurrency theft at Nobitex, Iran's primary digital currency exchange: more than $90 million has been traced from Nobitex hot wallets to hacker-controlled addresses. The incident follows a warning issued by the anti-Iranian hacking group Gonjeshke Darande ("Predatory Sparrow"), which declared...

Unidentified pro-Israel group steals over $90 million from Iranian cryptocurrency exchange Nobitex.


In a significant development, Iran's largest cryptocurrency exchange, Nobitex, has suffered a major hack on June 18, with over $90 million in funds sent to hacker addresses. The pro-Israel hacker group Gonjeshke Darande ("Predatory Sparrow") has claimed responsibility for the hack and pledged to publish Nobitex's source code.

Open source investigations have revealed links between Nobitex and individuals affiliated with the Islamic Revolutionary Guard Corps (IRGC) and relatives of Supreme Leader Ali Khamenei. The IRGC, a powerful entity reporting directly to the Supreme Leader, exerts significant control over various sectors of Iran's economy, including the oil trade, enabling it to evade sanctions and finance Iran-affiliated proxy groups.

Elliptic's blockchain analysis identified that sanctioned IRGC operatives, specifically Ahmad Khatibi Aghada and Amir Hossein Niakeen Ravari, have used Nobitex accounts to send bitcoin. Both individuals were sanctioned by the US Office of Foreign Assets Control (OFAC) in September 2022 for involvement in ransomware operations (BitLocker ransomware) and cyber threats targeting critical infrastructure.

The hack appears to be motivated by the recent escalation of tensions between Israel and Iran. The connection between Nobitex, the IRGC, and sanctions is rooted in Nobitex's role as Iran's largest cryptocurrency exchange, which has been linked through open source investigations to IRGC-affiliated individuals and activities aimed at sanctions evasion and illicit finance.

Nobitex's on-chain activity reveals patterns consistent with IRGC-aligned networks, including interactions with wallets linked to Hamas, the Palestinian Islamic Jihad, Houthis, DPRK-affiliated hacking groups, and Syrian actors. Nobitex also interacts with Russian exchange Garantex, itself sanctioned for laundering ransomware and darknet market funds. These connections highlight Nobitex's role in enabling sanctions evasion and funding of international terrorism.

The US Treasury has sanctioned individuals linked to these activities and continues to monitor Nobitex’s operations due to its significant exposure to sanctioned entities and high-risk financial flows. Most of the addresses where the hacked funds are currently held contain the term "F*ckIRGCterrorists" within their public key.

It's important to note that the IRGC is a military entity separate from Iran's regular armed forces and is sanctioned as a terrorist group by several jurisdictions, including the United States, Canada, the United Kingdom, and the European Union. IRGC-affiliated actors are responsible for, or complicit in, the global targeting of networks, including critical infrastructure, by exploiting well-known vulnerabilities to gain initial access in furtherance of malicious activities, including ransom operations.

In the case of stolen USD-backed stablecoins, the underlying USD that backs the tokens has not been destroyed, but is still held by the issuer. The hack does not appear to be financially motivated: the vanity addresses used by the hackers were generated through "brute force" methods, and producing addresses that embed such a long chosen string while also holding the matching private key is computationally infeasible, so the funds sent to them are effectively unspendable.

The hacking incident has publicly exposed these connections, prompting ongoing scrutiny and sanctions enforcement by U.S. authorities. Elliptic's Research and Investigations Team provides coverage of Nobitex and other Iranian-linked exchanges to support virtual asset compliance with sanctions targeting the Iranian government.

  1. The pro-Israel hacker group, Gonjeshke Darande, has claimed responsibility for the hack on Iran's largest cryptocurrency exchange, Nobitex, and pledged to publish Nobitex's source code, suggesting a political motivation behind the attack.
  2. Elliptic's blockchain analysis has revealed that sanctioned IRGC operatives have used Nobitex accounts to send bitcoin, linking the exchange to individuals affiliated with the Islamic Revolutionary Guard Corps (IRGC) and relatives of Supreme Leader Ali Khamenei.
  3. The hacked funds, currently held in addresses with the term "F*ckIRGCterrorists" within their public key, and Nobitex's on-chain activity reveal patterns consistent with IRGC-aligned networks, interacting with wallets linked to Hamas, the Palestinian Islamic Jihad, Houthis, DPRK-affiliated hacking groups, Syrian actors, and a sanctioned Russian exchange, Garantex.
  4. The US Treasury has sanctioned individuals linked to these activities and continues to monitor Nobitex’s operations due to its significant exposure to sanctioned entities and high-risk financial flows.
