- Gonjeshke Darande hacker squad destroyed $90 million on Nobitex.
- Attack burns funds in hacker wallets as political message rather than financial theft
- Exchange allegedly helped Iran evade sanctions and finance proxy groups including Hamas
The anti-Iranian hacking group Gonjeshke Darande has claimed responsibility for destroying nearly $90 million worth of cryptocurrency on Nobitex, one of Iran’s largest digital asset exchanges, in what appears to be a politically motivated cyberattack rather than a traditional theft.
The operation marks the group’s second major strike in two days, following Tuesday’s attack on Iran’s state-owned Bank Sepah amid escalating hostilities between Israel and Iran.
Nobitex acknowledged the breach by taking its website and mobile application offline Wednesday, citing “unauthorized access” to its systems. The platform has not responded to requests for comment, while the company’s Telegram support channel remained unresponsive. Gonjeshke Darande, which has possible ties to Israel according to media reports, also did not respond to inquiries about the attack.
Funds Destroyed Rather Than Stolen in Political Message
Blockchain analysis firms TRM Labs and Elliptic confirmed that approximately $90 million in various cryptocurrencies was moved to hacker-controlled wallets during the early morning hours.
However, the structure of these wallets suggests the attackers cannot access the stolen funds, effectively burning the money to send a political message rather than pursuing financial gain.
The destroyed funds carried messages denouncing Iran’s Islamic Revolutionary Guard Corps, indicating the attack’s geopolitical motivation. This approach differs from typical cryptocurrency thefts where hackers attempt to monetize stolen assets through various laundering techniques or direct conversion to fiat currencies.
Elliptic’s investigation turned up proof that Nobitex has previously sent money to cryptocurrency wallets run by anti-Israel organizations including Hamas, Yemen’s Houthis, and Palestinian Islamic Jihad. This connection supports the hackers’ claims that the exchange facilitates Iranian government sanctions evasion and finances illicit operations globally.
The attack’s timing coincides with heightened tensions between Israel and Iran, including recent missile exchanges that have elevated regional conflict to new levels.
Gonjeshke Darande has established itself as a sophisticated cyber warfare group with a history of targeting Iranian infrastructure, including a 2021 operation that caused widespread gas station outages and a 2022 attack on an Iranian steel mill that resulted in fires and physical damage.
In a May 2024 letter to Biden administration officials, U.S. Senators Elizabeth Warren and Angus King had expressed concerns over Nobitex’s role in facilitating Iranian sanctions evasion. Their warnings cited Reuters reporting from 2022 that documented the exchange’s involvement in circumventing international financial restrictions.
