Full Report
A $90 million crypto theft from Nobitex marks the second cyberattack on Iran’s financial systems in as many days. Predatory Sparrow claimed responsibility for both attacks. The post Iran’s financial sector takes another hit as largest crypto exchange is targeted appeared first on CyberScoop.
Analysis Summary
# Incident Report: Massive Crypto Theft from Iranian Exchange Nobitex
## Executive Summary
Nobitex, the largest cryptocurrency exchange in Iran, suffered a cyberattack in which more than $90 million in cryptocurrency was moved out of its wallets. The pro-Israel hacktivist group Predatory Sparrow claimed the attack and accused Nobitex of financing terrorism. The funds were sent to vanity addresses whose text carries a political message, and the exchange's website has since gone offline, indicating a severe operational compromise.
## Incident Details
- Discovery Date: June 18, 2025 (Early Wednesday)
- Incident Date: June 18, 2025 (Occurred prior to social media claim)
- Affected Organization: Nobitex (Iran's largest cryptocurrency exchange)
- Sector: Financial Technology (Cryptocurrency Exchange)
- Geography: Iran
## Timeline of Events
### Initial Access
- Date/Time: Prior to June 18, 2025
- Vector: Not reported. Moving the funds required signing authority over Nobitex's wallets (hot-wallet private keys or the signing service), but how that authority was obtained is not described in the reporting.
- Details: The attack coincided with an Iranian government decision to reduce national internet speeds, presented by officials as a measure to ward off cyberattacks.
### Lateral Movement
- Details: The focus of the public reporting is on the data/fund exfiltration rather than internal network movement.
### Data Exfiltration/Impact
- Date/Time: Early Wednesday, June 18, 2025
- Details: Over $90 million in cryptocurrency was transferred from Nobitex to multiple vanity addresses containing phrases like “F–kIRGCterrorists.” Nobitex’s website subsequently went offline.
### Detection & Response
- Date/Time: Shortly after the transfers on June 18, 2025, when Elliptic researchers confirmed them.
- Details: Elliptic confirmed the transfers through blockchain analysis. Predatory Sparrow threatened to publish Nobitex's source code and internal network information by Thursday morning.
## Attack Methodology
- Initial Access: Not described in the reporting.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed. The national internet slowdown, presented by the government as an anti-cyberattack measure, did not prevent the transfers; throttling public connectivity does not protect wallet signing keys once an attacker controls them.
- Credential Access: Not detailed. Some form of access to wallet signing material or the withdrawal path is implied by the outcome, but the reporting does not say what was taken or how.
- Discovery: Not detailed; the attackers located and gained control of the wallets holding the exchange's funds.
- Lateral Movement: Not detailed.
- Collection: Identification and targeting of high-value cryptocurrency holdings at Nobitex.
- Exfiltration: Funds were moved to vanity addresses embedding text such as "F–kIRGCterrorists". A string that long cannot feasibly be brute-forced into a key pair, so the addresses were almost certainly created without corresponding private keys; the transfers read as a political statement rather than a cash-out.
- Impact: Loss of significant financial assets and an operational shutdown of the exchange.
## Impact Assessment
- Financial: Theft of more than $90 million in crypto assets from Nobitex.
- Data Breach: Predatory Sparrow threatened to leak Nobitex’s source code and internal network information.
- Operational: Nobitex’s website is currently offline, resulting in a complete service outage.
- Reputational: Significant blow to confidence in key Iranian financial technology infrastructure, especially given the context of other recent state-owned institution attacks.
## Indicators of Compromise
- **Network Indicators (Defanged):** None published; the reporting names no IPs, domains or URLs.
- **File Indicators:** None published. Predatory Sparrow's threatened leak of Nobitex source code and internal network documentation is a data-exposure risk, not a file indicator.
- **Behavioral Indicators:** Cryptocurrency transfers to vanity addresses containing political messaging (e.g., variations of "F–kIRGCterrorists").
## Response Actions
- **Containment measures:** None by Nobitex are described. The stolen funds are assessed as effectively burned: the vanity addresses embed text so long that generating matching private keys is computationally infeasible, so the attackers themselves cannot spend the funds. The goal appears to have been disruption and messaging rather than profit.
- **Eradication steps:** Not detailed; the Nobitex platform went offline after the theft.
- **Recovery actions:** Not detailed; the exchange remained offline at the time of reporting.
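To make concrete why the funds in these vanity addresses are treated as unrecoverable (the exfiltration entry and the containment note above), the following added Python example, which is not from the CyberScoop reporting or from Elliptic, estimates the brute-force cost of a vanity string and runs a toy vanity search for a short prefix. It derives a uniform 34-symbol Base58 string from SHA-256 of a random key as a stand-in for real address derivation (real chains use secp256k1 plus hashes and a checksum, which the standard library lacks); the key-generation rate of 10^12 keys per second and the 17-symbol target length, matching the quoted "F–kIRGCterrorists", are assumptions.

```python
import hashlib
import random

# Bitcoin-style Base58 alphabet (no 0, O, I, l).
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDRESS_LEN = 34                 # typical length of a Base58 address
SECONDS_PER_YEAR = 365.25 * 86400


def toy_address(private_key: bytes, length: int = ADDRESS_LEN) -> str:
    """Stand-in address derivation: a uniform Base58 string from SHA-256(key).

    Real chains derive addresses from the secp256k1 public key plus hashes and
    a checksum; that part is skipped here, but the property that matters for a
    vanity search is kept: every output symbol is effectively a uniform random
    draw from the 58-symbol alphabet.
    """
    n = int.from_bytes(hashlib.sha256(private_key).digest(), "big")
    n %= 58 ** length            # 2**256 >> 58**34, so the modulo bias is negligible
    symbols = []
    for _ in range(length):
        n, rem = divmod(n, 58)
        symbols.append(BASE58_ALPHABET[rem])
    return "".join(reversed(symbols))


def vanity_search(prefix: str, seed: int, max_attempts: int = 2_000_000):
    """Generate random keys until the toy address starts with `prefix`.

    Returns (address, attempts), or None if max_attempts is exhausted.
    """
    rng = random.Random(seed)    # seeded so the run is reproducible
    for attempt in range(1, max_attempts + 1):
        key = rng.getrandbits(256).to_bytes(32, "big")
        address = toy_address(key)
        if address.startswith(prefix):
            return address, attempt
    return None


def expected_attempts(prefix_len: int, alphabet_size: int = 58) -> int:
    """Expected keys to try for a fixed-position vanity string of prefix_len symbols."""
    return alphabet_size ** prefix_len


def years_to_brute_force(prefix_len: int, keys_per_second: float,
                         alphabet_size: int = 58) -> float:
    """Expected wall-clock years at an assumed key-generation rate."""
    return expected_attempts(prefix_len, alphabet_size) / keys_per_second / SECONDS_PER_YEAR


def feasibility_table(keys_per_second: float = 1e12) -> dict:
    """Expected years for increasingly long vanity strings at an assumed rate."""
    return {n: years_to_brute_force(n, keys_per_second) for n in (4, 8, 12, 17)}


if __name__ == "__main__":
    addr, tries = vanity_search("Fk", seed=1)
    print(f"2-symbol prefix found after {tries} keys: {addr}")
    for n, years in feasibility_table().items():
        print(f"{n:2d}-symbol vanity string at 1e12 keys/s: {years:.3g} years")
```

The search for a two-symbol prefix succeeds after a few thousand keys, but the cost grows by a factor of 58 per symbol: at the assumed rate an 8-symbol string takes about two minutes, 12 symbols about 46 years, and 17 symbols on the order of 3 x 10^10 years. An address carrying a message that long was therefore constructed as a string, not found by key generation, and nobody holds its private key.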
## Lessons Learned
- Iran’s strategy of using cryptocurrency to evade sanctions is highly vulnerable to targeted cyberattacks, as demonstrated by the scale of this theft.
- Reducing national internet speeds did not stop a politically motivated hacktivist group; throttling public connectivity is no substitute for protecting the keys and systems that authorize transfers.
- Vanity addresses let the attackers turn the theft itself into a loud political statement, at the cost of making the funds unspendable for anyone.
## Recommendations
- Implement key management and transaction monitoring designed specifically for high-value cryptocurrency holdings (for example multi-signature or HSM-backed signing and strict hot-wallet balance caps), operated independently of the general network security posture.
- Harden the withdrawal path: allowlisted destinations, per-transaction and rolling-window value limits, and mandatory independent (two-person) approval for large transfers or transfers to newly generated or never-before-seen addresses.
- Threat-model hacktivist groups that target financial infrastructure for political messaging; their objective is disruption and publicity rather than profit, so controls tuned to deter financially motivated cybercrime may not suffice.
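As an added illustration of the withdrawal controls recommended above (not Nobitex's own code, whose controls are not described in the reporting), the Python below implements a policy gate that would sit in front of the hot-wallet signer: a destination that is not on the allowlist, an amount above a single-approver limit, and an amount above a dual-control limit each raise the number of independent approvals required, and a rolling-window velocity limit holds any withdrawal that would push outflows past a cap. The addresses, limits, window and sample withdrawals are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Withdrawal:
    tx_id: str
    amount_usd: float
    destination: str
    initiated_by: str
    timestamp: int                              # unix seconds
    approvers: frozenset = field(default_factory=frozenset)


@dataclass
class Decision:
    action: str                                 # "ALLOW", "REQUIRE_APPROVAL" or "HOLD"
    reasons: list


class WithdrawalPolicy:
    """Policy gate in front of the hot-wallet signer (thresholds are constructed).

    * destination not on the allowlist                -> at least 1 independent approval
    * amount above single_limit_usd                   -> at least 1 independent approval
    * amount above dual_control_limit_usd             -> at least 2 independent approvals
    * rolling-window outflow above velocity_limit_usd -> HOLD for incident review
    An approval only counts when it comes from someone other than the initiator.
    """

    def __init__(self, allowlist, single_limit_usd, dual_control_limit_usd,
                 velocity_limit_usd, velocity_window_s):
        self.allowlist = set(allowlist)
        self.single_limit_usd = single_limit_usd
        self.dual_control_limit_usd = dual_control_limit_usd
        self.velocity_limit_usd = velocity_limit_usd
        self.velocity_window_s = velocity_window_s
        self.recent = deque()                   # (timestamp, amount) of allowed withdrawals

    def _expire(self, now: int) -> None:
        cutoff = now - self.velocity_window_s
        while self.recent and self.recent[0][0] < cutoff:
            self.recent.popleft()

    def evaluate(self, w: Withdrawal) -> Decision:
        reasons = []
        needed = 0
        if w.destination not in self.allowlist:
            reasons.append("destination not on allowlist")
            needed = max(needed, 1)
        if w.amount_usd > self.single_limit_usd:
            reasons.append(f"amount {w.amount_usd:,.0f} exceeds single-approver limit")
            needed = max(needed, 1)
        if w.amount_usd > self.dual_control_limit_usd:
            reasons.append(f"amount {w.amount_usd:,.0f} exceeds dual-control limit")
            needed = max(needed, 2)

        # The velocity check decides before the approval count is examined, so a
        # burst of withdrawals is stopped even when each one is properly approved.
        self._expire(w.timestamp)
        window_total = sum(amount for _, amount in self.recent)
        if window_total + w.amount_usd > self.velocity_limit_usd:
            reasons.append(f"window outflow {window_total + w.amount_usd:,.0f} "
                           "exceeds velocity limit")
            return Decision("HOLD", reasons)

        independent = {a for a in w.approvers if a != w.initiated_by}
        if len(independent) < needed:
            reasons.append(f"{needed} independent approval(s) required, "
                           f"{len(independent)} present")
            return Decision("REQUIRE_APPROVAL", reasons)

        self.recent.append((w.timestamp, w.amount_usd))
        return Decision("ALLOW", reasons)


def run_scenario():
    """Constructed withdrawals exercising each rule; returns (tx_id, Decision) pairs."""
    cold = "1ColdStorageExampleAddressXXXXXXXXX"      # constructed allowlisted address
    unknown = "1NeverSeenBeforeExampleAddressXXXXX"   # constructed new destination
    policy = WithdrawalPolicy(allowlist={cold}, single_limit_usd=100_000,
                              dual_control_limit_usd=1_000_000,
                              velocity_limit_usd=5_000_000, velocity_window_s=3600)
    withdrawals = [
        Withdrawal("w1", 50_000, cold, "alice", 0),
        Withdrawal("w2", 2_000_000, unknown, "alice", 60),
        Withdrawal("w3", 2_000_000, unknown, "alice", 120, frozenset({"bob", "carol"})),
        Withdrawal("w4", 4_000_000, cold, "alice", 180, frozenset({"bob", "carol"})),
        Withdrawal("w5", 4_000_000, cold, "alice", 4000, frozenset({"bob", "carol"})),
        Withdrawal("w6", 2_000_000, unknown, "alice", 8000, frozenset({"alice", "bob"})),
    ]
    return [(w.tx_id, policy.evaluate(w)) for w in withdrawals]


if __name__ == "__main__":
    for tx_id, decision in run_scenario():
        print(tx_id, decision.action, "; ".join(decision.reasons))
```

In the scenario, w1 is a small transfer to cold storage and is allowed outright; w2 is a large transfer to a never-seen address with no approvals and is parked until two independent approvers sign off; w3 is the same transfer properly approved and goes through; w4 is individually well approved but would push the hour's outflow past the cap, so it is held for review; w5 succeeds once the window has rolled over; and w6 shows that the initiator's own approval does not count toward the two-person requirement. A policy like this does not stop an attacker who holds the raw signing keys, which is why it belongs alongside, not instead of, the key-management controls in the first recommendation.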