Unveiled: Months of Disguised Bitcoin Transactions Traced Back to Nobitex Hack
In a recent revelation, Global Ledger, a blockchain intelligence firm, has exposed Iran's top cryptocurrency exchange, Nobitex, for employing money laundering techniques before the $90 million hack that occurred in June 2025.
Before the catastrophic hack, Nobitex had already been using sophisticated methods such as peel chaining and chip-off wallets to obscure funds and complicate traceability. These techniques were part of a deliberate and ongoing liquidity management strategy rather than a new security measure, as previously claimed by Nobitex.
Peel chaining, a common tactic in money laundering activities, involves Nobitex splitting large Bitcoin amounts into smaller chunks and routing these through a series of short-lived wallets. This technique fragments transactions to make the money flow harder to trace.
Chip-off wallets, on the other hand, are single-use deposit and withdrawal addresses created to funnel Bitcoin through multiple new wallets, further obfuscating the source and destination of funds.
On-chain analysis showed that these laundering-like transaction patterns were active months before the hack, with a "rescue wallet" (contrary to its public characterization as a post-hack security wallet) having been in systematic use since October 2024. This wallet consolidated smaller transfers of 20-30 BTC from internal wallets, indicating a well-established process for moving funds in a complex web designed to mask their true origin and destination.
The report indicates that Nobitex's past wallet behavior raises concerns due to repeated use of peelchain-like structures. Global Ledger uncovered a recurring pattern in which Bitcoin was cycled in steady batches of 30 BTC, suggesting deliberate obfuscation. The "rescue wallet" had been receiving 20-30 BTC transfers, consistent with laundering-style activity, before the hack.
Nobitex's on-chain behavior also suggests that the exchange had been using these methods well before the breach, and continued afterward, implying it may have been part of routine operations. This background of sophisticated obfuscation practices suggests that Nobitex operated an embedded layering mechanism to sanitize or hide funds, consistent with activities aimed at evading sanctions or facilitating illicit financial flows.
It is important to note that this article is provided for informational purposes only and should not be construed as financial advice. The article does not mention any crypto positions or assets held by individuals such as Michaela.
The hack itself was politically motivated, conducted by the pro-Israel group Predatory Sparrow, who drained the funds and sent them to vanity addresses they could not control, effectively rendering the cryptocurrencies irretrievable and symbolically "burned."
[1] Global Ledger, "Nobitex: A Deep Dive into Iran's Largest Crypto Exchange," Global Ledger, June 2025. [2] The Shib Magazine, "Predatory Sparrow Strikes Again: Nobitex Hacked for $90 Million," The Shib Magazine, June 2025. [3] The Shib Daily, "Nobitex Hack: A Political Move or a Cyber Attack Gone Wrong?" The Shib Daily, June 2025. [4] Leaked source code and infrastructure documents showcasing the exchange's tight integration with Iran’s domestic financial system, June 2025.
- The Shib Daily published an article suggesting that Nobitex, Iran's largest cryptocurrency exchange, had been employing money laundering techniques such as peel chaining and chip-off wallets, as highlighted in a report by blockchain intelligence firm Global Ledger.
- In the same Global Ledger report, it was revealed that Nobitex's on-chain behavior showed a pattern of funds moving in a complex web designed to mask their true origin and destination, with these laundering-like transaction patterns active months before the hack in June 2025.
- Furthermore, technology magazine The Shib Magazine reported that the hack on Nobitex was followed by immediate scrutiny of its finance and technology, revealing the exchange's tight integration with Iran’s domestic financial system, as evidenced by leaked source code and infrastructure documents.
