Attack on Iranian Cryptocurrency Exchange
An anti-Iranian hacking group calling itself Gonjeshke Darande, or “predatory sparrows,” has claimed responsibility for an attack on one of Iran’s largest cryptocurrency exchanges. The incident, which took place on Wednesday, resulted in losses of nearly $90 million and included threats to disclose the platform’s source code.
This is the group's second high-profile attack in a short span: a day earlier, amid escalating tensions between Israel and Iran, it allegedly compromised data at Iran's state bank, Sepah.
The targeted exchange, Nobitex, is reportedly crucial for the Iranian government, helping it bypass sanctions while facilitating illicit activities worldwide. Following the attack, the Nobitex website went offline, and attempts to reach their support team on Telegram went unanswered. The hackers also did not respond to inquiries.
Nobitex posted on a social media platform about “unauthorized access,” explaining that they temporarily shut down apps and websites to investigate the breach.
Gonjeshke Darande has a history of sophisticated cyberattacks against Iran. Notably, a 2021 operation led to the shutdown of gas stations, and a 2022 attack on an Iranian steel factory caused significant damage, including major fires.
Although Israel has not formally acknowledged a connection to the group, Israeli media frequently report ties between them. Early Wednesday, the hackers moved funds to wallets they controlled, targeting the Islamic Revolutionary Guard Corps (IRGC).
Blockchain analysis suggests that the hackers effectively rendered the stolen funds unusable, possibly to send a political message rather than for financial gain. According to Elliptic, the attack highlights the connection between Nobitex and cryptocurrency wallets linked to groups opposing Israel, such as Hamas and Palestinian Islamic Jihad.
In a letter sent in May 2024 to Biden administration officials, Senators Elizabeth Warren and Angus King expressed concerns about Nobitex’s involvement in facilitating sanctions evasion based on reports from 2022.
Andrew Fierman of Chainalysis confirmed the attack's significant financial impact and suggested that it was geopolitically motivated, especially since the funds were destroyed.
Chainalysis noted that ransomware groups associated with the IRGC have been known to use Nobitex for cashing out their profits.





