Share this article

Why Pro-Israel Group's $90M Crypto Hack Could Be a Hammer Blow for Iran's Regime

The hacking group continued its assault on Thursday, releasing the exploited exchange's source code.

(Wesley Tingey/Unsplash+)
(Wesley Tingey/Unsplash+)

What to know:

  • Nobitex was hacked on Wednesday, with attackers stealing $90 million and prompting a full service shutdown.
  • Pro-Israel group Gonjeshke Darande claimed responsibility, using "vanity" wallets with messages like “terrorist” to burn the funds and send a political message, not profit.
  • The hack potentially cripples Iran’s ability to move funds via crypto amid heightened Middle East tensions, exposing vulnerabilities in its sanction-evasion infrastructure.

Iranian cryptocurrency exchange Nobitex was hacked for around $90 million on Wednesday, on the surface of it an almost routine exploit in an industry that already dealt with a $223 million exchange exploit earlier this month.

Below the surface, it was anything but. Digging a little deeper reveals this was not simply a cash grab, in fact, not a cash grab at all, but a political message that could end up being a hammer blow to one of the primary combatants in the escalating conflict in the Middle East.

jwp-player-placeholder
STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters

The hackers, the pro-Israel activist group Gonjeshke Darande, demonstrated their indifference to monetary gain by transferring the stolen funds to a series of inaccessible "vanity" wallets ladened with the words like "terrorist," essentially burning those tokens forever.

Politically motivated sabotage

"This appears to be an act of politically motivated sabotage rather than a financially motivated hack," Elliptic co-founder Tom Robinson said in an interview. "The use of vanity addresses seems to be motivated by wanting to send a message to Nobitex and the Islamic Revolutionary Guard Corps."

The group, whose Farsi name means Predatory Sparrow, the following day leaked the exchange's source code, leaving any remaining tokens on the platform vulnerable to theft.

"Bypassing sanctions doesn't pay." Gonjeshke Darande wrote on X alongside screenshots of the "vanity" wallets storing the stolen funds.

The regime has been under sanctions for years as due to international concerns over its human rights record and attempts to develop nuclear weapons. The European Union introduced sanctions in 2011 and has renewed them every year since, even strengthening them in the meantime. U.S. sanctions date back as far as 1979, to the Iranian Revolution.

Israel said Iran, which has has vowed to eliminate the Jewish state numerous times over the years, was on the verge of developing nuclear weapons. Iran says its program is purely peaceful. Last week, immediately before Israel's air strikes, the International Atomic Energy Agency (IAEA) had violated its non-proliferation commitments.

Gonjeshke Darande's tweet refers to allegations about Iran's use of cryptocurrency to evade the sanctions, echoing concerns Senators Elizabeth Warren and Angus King raised to former U.S. President Joe Biden in 2024.

Without Nobitex, Iran, a nation already hamstrung by oil and financial sanctions, may struggle to move capital around in a time of intense conflict. That could weaken its efforts to mobilize and launch attacks into Israel,.

The truth about vanity wallets

There has been some discussion about the vanity wallets. Does the group have access to the filched tokens, or have they been burned forever?

There is "practically zero chance attackers control these addresses," Yehor Rudytsia, a security researcher at Hacken, told CoinDesk.

Creating the vanity addresses with a private key to unlock them "is computationally trivial task and might be done in micro/milliseconds," Rudytsia said. But finding the 26-character private key would require as many as ~ 2¹⁵² trials. "It is practically infeasible to find the private key which maps to such a public address."

Which means the money has gone.

Oliver Knight

Oliver Knight is the co-leader of CoinDesk data tokens and data team. Before joining CoinDesk in 2022 Oliver spent three years as the chief reporter at Coin Rivet. He first started investing in bitcoin in 2013 and spent a period of his career working at a market making firm in the UK. He does not currently have any crypto holdings.

Oliver Knight