Hackers Publish Source Code of Iranian Exchange Nobitex After Major Breach

The pro-Israel hacking group Gonjeshke Darande, which claimed responsibility for the breach of the Iranian exchange Nobitex, has released the platform’s source code.

*“The remaining funds in Nobitex are now entirely accessible,”* the attackers declared.

They also shared screenshots believed to show snippets of the code related to the deployment of the exchange, its interface, and security system elements.

Grigory Osipov, the investigation director at Shard, noted that just a few hours after the hack, the perpetrators executed an *“immense”* number of transactions: 109,566 on the TRON network, 2,086 in Bitcoin, and over 39,000 transfers in DOGE.

*“This indicates that the attackers utilized automated solutions during the breach, as well as having a pre-planned scenario and mechanism for extracting the stolen funds,”* Osipov explained.

He specifically highlighted the use of *vanity addresses* for the asset transfers. According to Osipov, these addresses, which feature meaningful names, were *“clearly designed to attract attention.”* Generating such addresses requires significant computational power to brute-force the cryptographic keys; however, pinpointing those who ordered the process is extremely difficult.

*“The motives behind the attackers are distinctly political rather than economic. The goal of such a grand hack is to demonstrate the impotence of the ‘enemy’s’ security infrastructure in the cryptocurrency realm, including leveraging this case for effective publicity and as a strong argument in the information war, followed by economic implications,”* Osipov concluded.

Blockchain investigator ZachXBT was the first to report suspicious transactions linked to Nobitex wallets, later confirmed by the exchange’s team.

According to Chainalysis, the damage exceeded $90 million in Bitcoin, Ethereum, Dogecoin, Solana, and other assets, while the platform’s representatives estimate losses at around $100 million.

The hackers from Gonjeshke Darande labeled Nobitex as *“a key tool of the regime”* for financing terrorism and evading sanctions.

Chainalysis analysts corroborated the political motivation behind the attack, noting that the hackers transferred the assets to disposable wallets for which they had no access to the private keys. Essentially, the assets were destroyed instead of stolen for profit, the experts explained.

Chainalysis also emphasized Nobitex’s role in Iran’s sanctioned cryptocurrency economy, describing the exchange as a *“critically important hub,”* granting local users access to global markets.

Experts added that prior on-chain investigations had linked Nobitex with illegal organizations, including ransomware operators affiliated with the Islamic Revolutionary Guard Corps and Russian exchanges under sanctions.

In response to the incident, Iran’s central bank restricted the operating hours of all local trading platforms. They are now allowed to conduct transactions from 10:00 AM to 8:00 PM. This move may indicate the authorities’ attempts to enhance control over the sector to manage systemic risks, according to Chainalysis.

In a recent statement, the Nobitex team remarked that *“the scale and impact of the attack turned out to be more complex than initially anticipated.”*

Nevertheless, the amount of financial losses reported in the previous statement remained unchanged.

*“To ensure a fully secure and stable recovery, we estimate that restoring access to Nobitex services will require additional time. At this stage, we anticipate a gradual and secure restoration of services within the next four to five days,”* the exchange representatives stated.

As a reminder, in May, the losses in the cryptocurrency industry due to hacks reached $244 million, according to PeckShield.