Pro-Israel hackers destroy $90 million in Iran crypto exchange breach, analytics firm says

Iran’s largest cryptocurrency exchange, Nobitex, was hacked for more than $90 million Wednesday, according to blockchain analytics firm Elliptic.

The funds were drained from platform wallets into addresses bearing anti-government messages explicitly referencing Iran’s Islamic Revolutionary Guard Corps, or IRGC, pointing to a politically motivated cyberattack, Elliptic said.

Pro-Israel hacking group Gonjeshke Darande, or “Predatory Sparrow,” claimed responsibility for the attack and said it would release the exchange’s source code. Elliptic said the exchange was offline at the time of its post.

Predatory Sparrow also claimed credit for a separate cyberattack on Iran’s state-owned Bank Sepah this week.

Fighting erupted between Israel and Iran on Friday and the countries have continued to trade missile fire. Iran supreme leader Ayatollah Ali Khamenei threatened the U.S. with “irreparable damage” Wednesday in response to President Donald Trump’s demand that the country surrender.

Though the stolen assets have not been conclusively attributed to the group, Elliptic noted that the funds were sent to cryptographic addresses the hackers likely cannot control — suggesting the money was intentionally destroyed as a symbolic act rather than stolen for profit.

Elliptic’s research linked the exchange to Iran’s IRGC, a powerful branch of the military designated as a terrorist organization by the United States, United Kingdom, European Union, and Canada.

Past investigations have connected the platform to sanctioned IRGC-linked ransomware operatives and individuals close to Khamenei.

Blockchain data also shows activity between the Nobitex exchange and wallets associated with Hamas, Palestinian Islamic Jihad, and the Houthis.

Elliptic said it’s continuing to monitor virtual asset flows tied to Iranian entities and has updated its compliance tools to reflect emerging threats in the region’s crypto ecosystem.