Dubai, 19 June

Hackers with possible links to Israel have drained more than USD 90 million from Nobitex, Iran's largest cryptocurrency exchange, according to blockchain analytics firms.

The group that claimed responsibility for the hack leaked on Thursday what it said was the company's full source code. “ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” the group wrote on its Telegram account.

The stolen funds were transferred to addresses bearing messages that criticised Iran's Revolutionary Guard, Blockchain analytics firm Elliptic wrote in a blog post. It said the attack likely was not financially motivated as the wallets the hackers had poured the money into “effectively burned the funds in order to send Nobitex a political message.”

The hackers group, Gonjeshke Darande — “Predatory Sparrow” in Farsi — accused Nobitex of having helped Iran's government to evade Western sanctions over the country's rapidly advancing nuclear programme and transfer money to militants, in a post on X claiming the attack.

Nobitex appeared to have confirmed the attack. Its app and website were down as it assessed “unauthorised access” to its systems, it said in a post on X.

The theft spanned a range of cryptocurrencies, including Bitcoin, Ethereum, Dogecoin and more, said head of national security intelligence at Chainalysis Andrew Fierman. The breach is “particularly significant given the comparatively modest size of Iran's cryptocurrency market,” he added.

The hack appears to be motivated by escalating tensions in the Israel-Iran conflict, which broke out last week when Israel struck Iran's nuclear sites and military officials, drawing Tehran's response with barrages of missiles. It came after the group said it had destroyed data in a cyberattack against Iran's state-controlled Bank Sepah on Tuesday.

Elliptic said that relatives of Iran's Supreme Leader Ali Khamenei were linked to the exchange and that sanctioned Revolutionary Guard operatives had used Nobitex. It shared evidence that the exchange had sent and received funds from cryptocurrency wallets controlled by Iranian allies including Yemen's Houthis and Hamas.

Gonjeshke Darande has previously claimed responsibility for other high-level cyberattacks against Iran, including a 2021 operation that paralysed gas stations and a 2022 effort against a steel mill that sparked a large fire.

Israeli media have widely reported that Gonjeshke Darande is linked to Israel but the country's government has never officially acknowledged ties to the group.

US Senators Elizabeth Warren and Angus King last year raised concerns about Iran's use of cryptocurrencies to evade sanctions.