THE EDITOR – Hackers with possible links to Israel have drained more than $90 million from Nobitex, Iran’s largest cryptocurrency exchange, according to blockchain analytics firms.
The Times of Israel said the group that claimed responsibility for the hack leaks today what it said was the company’s full source code. “ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” the group writes on its Telegram account.
The stolen funds were transferred to addresses bearing messages that criticized Iran’s Revolutionary Guard, Blockchain analytics firm Elliptic writes in a blog post. It says the attack likely was not financially motivated as the wallets the hackers had poured the money into “effectively burned the funds in order to send Nobitex a political message.”
The hackers group, Gonjeshke Darande — “Predatory Sparrow” in Farsi — accused Nobitex of having helped Iran’s government to evade Western sanctions over the country’s rapidly advancing nuclear program and transfer money to militants, in a post on X claiming the attack.
Nobitex appears to have confirmed the attack. Its app and website were down as it assessed “unauthorized access” to its systems, it says in a post on X.
WHERE DOES THE MONEY GO?
Elliptic, a consultancy specialising in crypto-related crime, said it had so far identified more than $90m in cryptocurrency sent from Nobitex crypto wallets to hacker addresses.
The hackers appear to have in effect “burned” those funds, rendering them inaccessible by storing them in “vanity addresses” for which they do not have the cryptographic keys, Elliptic said.
Tom Robinson, Elliptic’s co-founder, told The Guardian it would take current computer technology “billions of years” to create the cryptographic key pairs that match the vanity addresses.
The funds are being held in addresses containing some variation of the term “F*ckIRGCterrorists”. In a post on X, Predatory Sparrow said it had targeted Nobitex and would release its source code and “internal information”.
Predatory Sparrow is regularly described in Israeli media as being Israel-linked, although there has been no official confirmation of the hackers’ identity or their nationality.
“Although there is no confirmation yet that the funds were moved by Predatory Sparrow, the hack appears to be motivated by the recent escalation of tensions between Israel and Iran,” Elliptic said.
Rafe Pilling, the director of threat intelligence at the cybersecurity firm Sophos, said there was no firm evidence linking Predatory Sparrow to a particular state, but it had the characteristics of a government-backed group.
“It bears all the hallmarks of a false persona used by a government-sponsored threat group to conduct disruptive operations against targets linked to illicit Iranian revenue generation, logistical entities, transport infrastructure and other strategic sectors,” he said.
He added: “While we don’t expect to find strong technical links between Israel and Predatory Sparrow, the actions of the group align strongly with Israel’s regional priorities you’d be hard pushed to find another candidate country in the region with the capability to perform these attacks.”
Nobitex said on X it had experienced a “security incident” and was “actively working on implementing a secure and efficient recovery plan”.
Predatory Sparrow claimed in a post on X that it had “destroyed the data” of Bank Sepah and accused the bank of financing the Iranian military. Bank Sepah’s international branch in London has been approached for comment.
Meanwhile, companies tracking global internet activity have reported a near-total internet blackout in Iran, Cloudflare told the Guardian that traffic volumes were 98% below where they were at the same time last week.
However, hackers do not appear to have been the cause of the shutoff. An Iranian government spokesperson, Fatemeh Mohajerani, said this week that internet access had been slowed down to “maintain the network’s stability” and to ward of cyberattacks.
