Nearly $100 million destroyed: A review of the theft of Iranian exchange Nobitex

On June 18, 2025, blockchain detective ZachXBT disclosed that Nobitex, Iran's largest crypto exchange, had allegedly been hacked, with abnormal large-scale asset transfers across multiple public chains. SlowMist further confirmed that the affected assets covered TRON, EVM, and BTC networks, with preliminary estimated losses of approximately $81.7 million. Nobitex also issued a statement confirming that some infrastructure and hot wallets were indeed accessed without authorization, but emphasized that user funds remain safe. Notably, the attackers not only transferred funds but also actively moved a large amount of assets to specially designed destruction addresses, with "burned" assets valued at nearly $100 million.

Timeline:

June 18:
- ZachXBT revealed suspicious transactions on the TRON chain
- SlowMist confirmed a multi-chain attack
- Nobitex detected unauthorized access to infrastructure and hot wallets
- Hacker group Predatory Sparrow claimed responsibility

June 19:
- Nobitex blocked external server access
- Confirmed assets were transferred to non-standard addresses
- Predatory Sparrow claimed to have burned approximately $90 million in crypto assets
- The hacker group publicly released Nobitex's source code

The core system is written primarily in Python and is deployed and managed via K8s. Attackers likely breached operational boundaries to enter the internal network.

The attackers used multiple seemingly legitimate "destruction addresses" carrying provocative messages, effectively and permanently destroying the transferred funds.

According to MistTrack analysis, the attack involved 110,641 USDT and 2,889 TRX transactions on TRON, with stolen assets spanning multiple EVM chains including BSC, Ethereum, Arbitrum, Polygon, and Avalanche.

On Bitcoin, attackers stole a total of 18.4716 BTC, involving approximately 2,086 transactions.

On Dogechain, attackers stole a total of 39,409,954.5439 DOGE, involving approximately 34,081 transactions.

On Solana, attackers stole SOL, WIF, and RENDER.

On TON, Harmony, and Ripple, attackers stole 3,374.4 TON, 35,098,851.74 ONE, and 373,852.87 XRP respectively.

MistTrack has added the related addresses to the malicious address library and will continue to monitor the developments on the relevant chains.

Conclusion

The Nobitex incident once again reminds the industry that security is holistic, and platforms need to further strengthen security protection and adopt more advanced defense mechanisms, especially for platforms using hot wallets for daily operations. SlowMist suggests:

- Strictly isolate cold and hot wallet permissions and access paths, and regularly audit hot wallet call permissions;
- Adopt on-chain real-time monitoring systems (such as MistEye) to obtain comprehensive threat intelligence and dynamic security monitoring in a timely manner;
- Cooperate with on-chain anti-money laundering systems (such as MistTrack) to promptly discover abnormal fund flows;
- Enhance emergency response mechanisms to ensure effective response within the golden window after an attack occurs.
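
The hot wallet audit and real-time monitoring recommendations above can be illustrated with a check that reconciles every hot-wallet outflow against the platform's ledger of approved withdrawals and caps outflow per time window. This is an added example, not code from SlowMist, MistEye or Nobitex; the record fields, thresholds, wallet names and addresses are constructed placeholders.

```python
from collections import Counter, defaultdict, deque

def flag_outflows(transfers, approved, window_s=600, max_usd_per_window=50_000):
    """Return (ts, wallet, rule, detail) alerts for hot-wallet outflows.

    unapproved_transfer: no matching approved withdrawal in the ledger.
    velocity: outflow within the sliding window exceeds the wallet ceiling.
    """
    pending = Counter(approved)      # (src, dst, usd) -> approvals not yet seen on-chain
    window = defaultdict(deque)      # wallet -> (ts, usd) entries inside the window
    total = defaultdict(int)         # wallet -> USD sum of those entries
    alerts = []
    for t in sorted(transfers, key=lambda x: x["ts"]):
        src, key = t["src"], (t["src"], t["dst"], t["usd"])
        if pending[key] > 0:
            pending[key] -= 1        # consume the approval so it cannot be replayed
        else:
            alerts.append((t["ts"], src, "unapproved_transfer", t["dst"]))
        window[src].append((t["ts"], t["usd"]))
        total[src] += t["usd"]
        # Drop entries older than the window; the entry just added always stays.
        while window[src][0][0] <= t["ts"] - window_s:
            total[src] -= window[src].popleft()[1]
        if total[src] > max_usd_per_window:
            alerts.append((t["ts"], src, "velocity", total[src]))
    return alerts

# Constructed sample data (placeholder names, not addresses from the incident).
APPROVED = [("HOT_1", "USER_A", 1_200), ("HOT_1", "COLD_1", 20_000)]
SAMPLE_TRANSFERS = [
    {"ts": 0,    "src": "HOT_1", "dst": "USER_A",           "usd": 1_200},
    {"ts": 900,  "src": "HOT_1", "dst": "COLD_1",           "usd": 20_000},
    {"ts": 1000, "src": "HOT_1", "dst": "BURN_PLACEHOLDER", "usd": 30_000},
    {"ts": 1030, "src": "HOT_1", "dst": "BURN_PLACEHOLDER", "usd": 30_000},
    {"ts": 1040, "src": "HOT_1", "dst": "USER_A",           "usd": 1_200},  # replayed approval
]

if __name__ == "__main__":
    for alert in flag_outflows(SAMPLE_TRANSFERS, APPROVED):
        print(alert)
```

The final transfer repeats an already-consumed approval, so it is flagged even though its destination and amount once appeared in the ledger.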

The investigation of the incident is still ongoing, and the SlowMist security team will continue to follow up and provide timely updates.
