Pro-Israeli Hackers Loot Largest Iranian Exchange

Source of this Article
BitcoinBlog DE, 3 months ago

While rockets are flying in the physical world, the latest war has also spilled over into cyberspace. The pro-Israeli hacker group Gonjeshke Darande steals around 90 million dollars from the Iranian exchange Nobitex—and then plays a surprising card.

On June 18, the Iranian crypto exchange Nobitex was hacked: more than 90 million dollars in various assets—including Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, and Ton, as well as USDT, Pepe, and many other tokens—were stolen. Nobitex is considered the largest crypto exchange in Iran.

The hack was claimed by the pro-Israeli hacker group Gonjeshke Darande. They described the attack as a politically motivated strike against “the regime’s favorite tool for violating sanctions”—and, as we will see, underscored this claim with their actions.

Crypto For and Against the Regime

But let’s start with what actually happened: Nobitex, as explained by analytics firm Chainalysis, “is the largest crypto exchange in Iran and a central pillar of the digital asset ecosystem in the country.”

Nobitex became the standard platform for Iranians seeking access to the global crypto market—including to circumvent sanctions when transferring money. According to Chainalysis, the total of all crypto deposits made to Nobitex amounts to over 11 billion dollars.

Certainly, Nobitex is also used by legitimate actors: Iranians investing in cryptocurrencies or simply trying to send money abroad—a process made extremely difficult by the regime’s sanctions and capital controls. As previously noted, cryptocurrencies make it harder for the government to control money flows.

However, onchain analysis makes it clear that Nobitex is also used by a range of criminal actors. The exchange interacts with wallets linked to ransomware operators, the Revolutionary Guard Corps, the Houthis, and Hamas. It’s a known fact that the Revolutionary Guards operate in crypto both through mining and through corruption and seizures.

Therefore, as the country’s largest exchange, Nobitex is naturally entangled in these illicit flows. Chainalysis points, for example, to connections and withdrawals from Nobitex to Hamas-linked media or to the sanctioned Russian exchanges Garantex and Bitpapa.

A Relatively Modest Haul

How the hack was carried out remains unknown. What is clear is that almost 100 million dollars in various assets across different blockchains were stolen. Since this is only a fraction of the assets held on Nobitex, it can be assumed that hackers either emptied only the hot wallets or specifically targeted the accounts of the Revolutionary Guard.

However, even the Revolutionary Guard Corps likely hold much more value in crypto from mining, hacks, and seizures. Whether the hackers settled for just under 100 million dollars due to lack of opportunity or for other reasons is unclear.

One thing is clear, though: Nobitex was able to continue operating after the hack. The exchange has told its users that all funds are secure and announced the implementation of new cold wallets to further protect coins.

1FuckiRGCTerrorists

The most fascinating part of this hack is what happened next: Gonjeshke Darande not only gained access to Nobitex wallets, they also transferred the assets to addresses for which they demonstrably do not possess the private keys. These so-called “burner addresses” carry highly conspicuous character strings, in this case:

1FuckiRGCTerroristsNoBiTEXXXaAovLX
TKFuckiRGCTerroristsNoBiTEXy2r7mNX
0xffffffffffffffffffffffffffffffffffffdea

and others. It is possible in principle to generate such conspicuous addresses together with a matching private key; these are the so-called “vanity addresses”. But to create letter combinations this long, even the most powerful supercomputers in the world would need thousands of years. The only way to generate them is to forgo the private key entirely.

By sending the funds to these addresses, the hackers prove that they do not have access to the 90 million dollars. Unless they have moved some coins to undisclosed personal addresses, they are demonstrating that they acted out of political motives, not greed.
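As an added illustration (not code from the article or from the group), the Python sketch below shows why such text-first addresses come without a key: a Bitcoin P2PKH address is Base58Check over a version byte and a 20-byte public-key hash, so anyone can choose the visible text, recompute only the 4-byte checksum, and obtain a valid address for which no key was ever generated. The sample text, the "X" filler and the rate of 10^12 keys per second are assumptions made for the example, and the 58**k work figure is a rough estimate.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)      # ValueError for 0, O, I and l
    pad = len(s) - len(s.lstrip("1"))   # each leading '1' encodes a zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def is_valid_p2pkh(addr: str) -> bool:
    raw = b58decode(addr)
    return len(raw) == 25 and raw[0] == 0 and raw[-4:] == checksum(raw[:-4])

def keyless_address(text: str, filler: str = "X") -> str:
    """Choose the visible text first, then repair only the checksum."""
    raw = b58decode(text.ljust(34, filler))
    if len(raw) != 25:
        raise ValueError("text does not decode to version + 20 + 4 bytes")
    payload = raw[:21]  # version 0x00 + 20 bytes standing in for HASH160(pubkey)
    return b58encode(payload + checksum(payload))

def brute_force_years(prefix_chars: int, keys_per_second: float) -> float:
    """Rough expected time to hit a k-character prefix by trying keys."""
    return 58 ** prefix_chars / keys_per_second / (365.25 * 24 * 3600)

SAMPLE_TEXT = "1ExampLeBurnTextDemo"  # constructed text, not an address from the page

if __name__ == "__main__":
    addr = keyless_address(SAMPLE_TEXT)
    print(addr, is_valid_p2pkh(addr))
    print(f"{brute_force_years(25, 1e12):.1e} years for a 25-character prefix")
```

Only the last few characters differ from the chosen text, because only the checksum bytes were recomputed; spending from such an address would require a key whose hash equals the arbitrary 20 bytes the text decodes to.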

Hackers Enforcing Sanctions

However, anyone who, like Spiegel Online, headlines that the hackers “destroyed 90 million dollars” is only partially correct.

It’s true that, for example, the 18 stolen Bitcoins sent to “1FuckiRGCTerrorists…” or the 262 Ether sent to “0xffffffff…” are lost forever. But almost 50 million USDT (Tether) on the Tron address “TKFuckiRGCTerrorists…” are not lost.

That’s because these are not native coins like BTC or ETH, but tokens built on smart contract platforms. This allows Tether, the company behind USDT, to freeze, destroy, or reissue USDT tokens. Provided the owners can prove that the tokens belong to them—and so long as doing so does not violate financial sanctions—Tether can restore the tokens and pay them back to their legitimate owners.

This even leaves open the option for Tether to redirect nearly 50 million dollars from the Revolutionary Guard to other actors, such as the Iranian resistance or as reparations for damage done in Israel. In a sense, the pro-Israeli hackers didn’t so much steal coins as they forced Tether to confiscate them.

One could say: this is the first time hackers—rather than government authorities—have enforced financial sanctions. The contrast to the approach of North Korean hackers could hardly be starker: while the latter steal coins from legitimate users for personal gain, the pro-Israeli group confiscates coins from criminals without enriching themselves. This makes it an exceptionally ethical case of black-hat hacking in the crypto space.

Shortly afterward, Nobitex struck back: They published the entire source code of the exchange—including server lists and other sensitive information. It’s possible that further trouble is only just beginning for the exchange and its users.





BitRss shares this Content always with Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) License.
