Gonjeshke Darande Hackers Pose as Activists to Infiltrate Iranian Crypto Exchange

Gonjeshke Darande, a cyber threat actor widely suspected to be an Israeli state-sponsored group masquerading as an Iranian opposition hacktivist entity, executed a devastating attack on Nobitex, Iran’s largest cryptocurrency exchange.

This high-profile breach resulted in the destruction of US$90 million in cryptocurrencies, which were deliberately sent to invalid wallets embedded with the provocative string “FuckiRGCTerroristsNoBiTE”.

Massive Cyberattack on Nobitex Signals

This act was not motivated by financial gain but served as a calculated political statement, accusing the Islamic Revolutionary Guard Corps (IRGC) of terrorism and alleging that Nobitex facilitates sanctions evasion for the Iranian regime.

The timing of the attack, following Israeli airstrikes on Iranian military and nuclear facilities on June 13, 2025, underscores its geopolitical significance amid escalating regional tensions.

The technical sophistication of the Nobitex attack points to prolonged reconnaissance and high-privilege access to the exchange’s internal systems well before the final strike.

Gonjeshke Darande leaked the full source code of Nobitex on their Telegram channel, alongside sensitive data such as deployment configurations, privacy mechanisms, and cold wallet management scripts.

The group released a list of cryptocurrency wallet addresses.

According to the report, this public exposure not only amplifies reputational damage but also invites further exploitation by third parties with malicious intent.

Sophisticated Breach Exploits Internal Vulnerabilities

Screenshots of internal server configurations and backend infrastructure shared by the group suggest deep penetration, possibly through compromised credentials or insider collaboration, though this remains speculative at this stage in the absence of concrete evidence.

Nobitex confirmed unauthorized access to its hot wallet, swiftly isolating affected servers and suspending services, while assuring users that cold wallet assets remain secure.

However, nationwide internet disruptions have delayed system recovery, with a phased restoration expected within four to five days.

The attackers’ strategy extended beyond mere financial loss; by releasing wallet addresses linked to the burned funds and issuing statements framing Nobitex as a “key regime tool for financing terrorism,” Gonjeshke Darande aimed to erode public trust in Iran’s financial institutions.

Known also as Predatory Sparrow, the group has a history of targeting Iranian critical infrastructure, including railway systems and steel mills, often aligning their operations with geopolitical flashpoints to maximize psychological and symbolic impact.

Their broader campaign, which recently included an attack on Bank Sepah, reflects a focus on disrupting entities allegedly tied to Iran’s military and nuclear ambitions, as well as sanctions circumvention.

This incident highlights the growing role of cyber operations in geopolitical conflicts, with cryptocurrency platforms emerging as critical battlegrounds due to their perceived neutrality and vulnerability to state-sponsored misuse.

The Nobitex breach serves as a stark reminder of the risks posed by insider threats and long-term undetected access in high-value financial systems, particularly in politically volatile regions.

If confirmed as an Israeli-backed operation, this attack marks a significant escalation in covert cyberwarfare, weaponizing digital assets for both disruption and narrative control.

Given Gonjeshke Darande’s pattern of cyclic attacks tied to regional hostilities, experts warn that more strikes on Iranian financial infrastructure are likely in the near future, urging heightened vigilance and robust cybersecurity measures to counter such sophisticated threats.
