Gonjeshke Darande Threat Actors Posing as Hacktivists Infiltrated Iranian Crypto Exchange


In a significant escalation of cyber warfare in the Middle East, suspected Israeli state-sponsored threat actors operating under the name “Gonjeshke Darande” (Predatory Sparrow) successfully infiltrated Nobitex, Iran’s largest cryptocurrency exchange, on June 18, 2025.

Rather than extracting funds for profit, the attackers deliberately “burned” approximately US$90 million in various cryptocurrencies by transferring them to invalid wallet addresses containing the politically charged string “FuckiRGCTerroristsNoBiTE,” directly implicating Iran’s Islamic Revolutionary Guard Corps (IRGC).

The attack occurred within a volatile geopolitical context, just five days after Israeli airstrikes targeted key Iranian military and nuclear facilities on June 13, which had triggered immediate retaliation from Iran.


By targeting a financial institution accused of sanctions evasion, Gonjeshke Darande aimed to deliver a symbolic strike against Iran’s economic infrastructure while exposing alleged regime corruption.

Outpost24 researchers identified that the operation bore hallmarks of long-term strategic planning, with evidence suggesting the threat actors had established persistent access to Nobitex’s internal systems well before executing the final attack.

The timing appears calculated to maximize both psychological and financial impact during heightened regional tensions.

The group’s technical sophistication became further apparent when they published Nobitex’s complete source code on Telegram, revealing sensitive deployment configurations, internal privacy mechanisms, and scripts related to cold wallet management systems.

Gonjeshke Darande issued a statement announcing the imminent release of Nobitex’s full source code (Source – Outpost24)

Internal server configurations, allegedly from Nobitex, were also published by the threat actors; they demonstrate access to backend infrastructure and datacenter resources.

The infiltration methodology likely involved either the exploitation of privileged access credentials obtained through prior reconnaissance or insider collaboration.

According to Nobitex’s public statement, unauthorized access affected parts of their infrastructure including hot wallets, prompting immediate service suspension and network isolation of compromised servers.

```javascript
// Simplified representation of the targeted wallet structure.
// `blockchain` stands for the exchange's chain-client abstraction and is not
// defined here; the snippet only illustrates the shape of the transfer.
const invalidWallet = "1FuckiRGCTerroristsNoBiTExxxxxxxxxxxxx";

function transferFunds(sourceWallet, amount) {
  // Irreversible transfer to a politically named burn address: the string
  // is not a valid address, so nobody holds a key that can spend the output.
  return blockchain.transfer(sourceWallet, invalidWallet, amount);
}
```

This incident represents an evolution in cyber-enabled geopolitical confrontation, where cryptocurrency infrastructure has become a new frontline in state-level conflicts. Nobitex estimates recovery efforts will require 4-5 days, further complicated by nationwide internet disruptions in Iran following the attack.

Cybersecurity experts anticipate additional strikes against Iranian financial institutions in the coming weeks, particularly those with alleged connections to sanctions evasion or IRGC funding channels.
