Iran has imposed an operational curfew on domestic cryptocurrency exchanges in the wake of the devastating cyberattack on the country’s largest crypto platform, Nobitex.
The unprecedented attack, which unfolded on June 18, exposed deep vulnerabilities in Iran’s digital economy amid its ongoing war with Israel.
The cyberattack appeared to mirror battlefield tensions, since it came days after Israeli airstrikes inside Iranian territory on June 13, which targeted nuclear and military facilities near Tehran.
Notably, Nobitex has long served as the backbone of Iran’s crypto economy, handling more than $11 billion in total inflows, according to a recent Chainalysis report, more than the combined flows of the country’s next ten largest exchanges.
It acts as the main bridge to global crypto markets for Iranian users locked out of traditional financial channels due to sanctions.
Chainalysis has also linked Nobitex to addresses associated with sanctioned entities, including ransomware actors tied to the Islamic Revolutionary Guard Corps and Russian exchanges such as Bitpapa and Garantex.
Hackers drained over $90 million in crypto from Nobitex
Going back to the developments of June 18, the cyberattack targeted Nobitex’s hot wallets in the early hours of June 18, leading to the unauthorized withdrawal of funds across multiple digital assets.
Blockchain analytics firm Chainalysis reported that over $90 million worth of Bitcoin (BTC), Dogecoin (DOGE), Ethereum (ETH), Ripple (XRP), Solana (SOL), Toncoin (TON), and Tron (TRX) were siphoned from the exchange.
Although the Iranian authorities have not publicly confirmed the amount of crypto that was stolen, independent blockchain investigator ZachXBT estimated the total losses at around $81.7 million based on suspicious outflows flagged on Telegram.
The stolen crypto was sent to burn wallets
What followed the breach added fuel to speculation that this was not a typical theft.
The stolen funds were not laundered or sold on the open market but instead sent to unspendable addresses and burn wallets, making recovery impossible.
Some assets were directed to Ethereum’s well-known “0x…dead” wallet, while a portion of Bitcoin was routed to an invalid address with a broken checksum.
Several of these wallets carried vanity labels like “FuckIRGCTerroristsNoBiTEX,” pointing clearly to a politically motivated attack.
Nobitex has, however, assured users that funds stored in cold wallets remain untouched and that its internal reserves will fully cover all losses.
The platform stated that all hot wallets have been drained and replaced and that it has implemented new offline security protocols to prevent future breaches.
While user withdrawals have resumed, confidence in the broader Iranian crypto ecosystem remains fragile.
A pro-Israel group has claimed responsibility
A hacker group calling itself Gonjeshke Darande, or Predatory Sparrow, claimed responsibility for the exploit via a statement on social media.
The group, believed by analysts to have ties to Israeli cyber units, stated that the operation was aimed at disrupting what it called Iran’s “terror-financing crypto infrastructure.”
It accused Nobitex of aiding Iran’s efforts to evade international sanctions and threatened to release the exchange’s source code and internal data if users did not immediately withdraw their funds.
Predatory Sparrow has a history of striking during geopolitical flashpoints, previously disrupting Iran’s fuel systems and financial infrastructure.
Iranian crypto exchange now restricted to operating between 10 AM and 8 PM
In response, the Central Bank of Iran has enforced a national curfew on all cryptocurrency exchanges, restricting operations to between 10 AM and 8 PM local time.
This move is widely seen as an effort to restore confidence and prevent further exploits amid fears of additional cyber incursions.
Chainalysis noted that this curfew could indicate mounting pressure on local platforms, as Iran struggles to contain risks tied to a market deeply entangled in sanction evasion.