Digital Blow to Tehran: Hackers Disrupt Iran’s Illicit Finance Network
Iran's illicit finance network disrupted... for now.
Hello, Insight Monitor subscribers, and welcome to a special edition of our newsletter. Today, we’re looking at the hack of Iran’s Nobitex cryptocurrency exchange and the implications of this hack on Iran’s ability to settle financial transactions and fund its Axis of Resistance (proxy network of militias and terrorist groups). As readers of this newsletter know, I often remove the paywall from analysis that I think is in the public interest. Today, there is no paywall because this research is part of my postdoctoral associate position at the University of Calgary’s Faculty of Law, a publicly funded university (which means my research is publicly funded as well). Isn’t higher education in Canada great? Without further ado, let’s talk cryptocurrency, terrorist financing, state-sponsored hacker groups, and the Iran-Israel conflict.
However, if you want to support the ITI research team and other analysis from this newsletter, you’re still welcome to become a paying subscriber! This helps us produce more news and analysis you won’t find anywhere else. And there’s no shortage of topics….
The Nobitex Hack
Last week, in the midst of the Israel-Iran conflict, the largest cryptocurrency exchange in Iran was attacked by a “hacktivist” group, Gonjeshke Darande (Predatory Sparrow). Predatory Sparrow is believed to have “links” to Israel’s military or intelligence agencies, with some analysts suspecting that Israel sponsors the group. The hackers stole $90 million (in Bitcoin, EVM, Ethereum, Ripple, Dogecoin, Solana, and other cryptocurrencies) from the exchange, but effectively “burned” the money by transferring the funds to wallets for which they did not have the keys (the security mechanism needed to access the funds). The hackers also reportedly released the complete source code of the exchange, exposing assets still hosted on the exchange to possible theft. On Thursday, Nobitex responded, saying that no additional losses had occurred.
The Israel-affiliated hackers had previously attacked Iran’s Bank Sepah, and claimed to have destroyed all the bank’s data in retaliation for its association with the Islamic Revolutionary Guard Corps (IRGC).
Iran’s Crypto Lifeline
Nobitex is Iran’s largest cryptocurrency exchange. Since the mid-2010s, cryptocurrency has become increasingly important for Iran’s economy, facilitating payments outside of the formal banking sector (and to evade sanctions and sanctions-related restrictions on financial transactions). Nobitex has provided the majority of cryptocurrency services to Iranians since 2017, and between 2018 and 2022, it is believed to have processed $8 billion in transactions (often with the help of Binance). Nobitex processes transactions across multiple blockchains, including the ones that were attacked in the hack, as well as Tron. In addition to Nobitex, Iran also has four other large exchanges: Wallex.ir, Excoino, Aban Tether, and Bit24.cash.
Since 2018, Iran has used cryptocurrency to bypass US and international sanctions. The IRGC (and the IRGC QF in particular) uses cryptocurrency to move funds to support its various functions, including intelligence operations and its network of proxy groups (aka the Axis of Resistance). Indeed, Nobitex was reportedly targeted for its role in facilitating sanctions evasion activity and for terrorist financing, specifically between the IRGC QF and proxies such as Hizballah, Hamas, and the Houthis.
According to a statement from Nobitex’s CEO AmirHossein Rad (via a video posted on the social media platform X), the exchange had a delayed response to the hack due to limitations placed on Internet access in Iran and a lack of access to the company’s data centers. The Iranian government is believed to have significantly reduced (and in some cases stopped) all internet access for periods during the conflict. Rad further stated that the exchange will fully compensate clients for all funds stolen from hot wallets (wallets hosted online on the exchange) and reiterated that the exchange remains liquid, as the majority of its assets are held in cold wallets (offline storage devices). He indicated that the exchange will come back online gradually over the next four to five days.
Disrupting Iranian Illicit Finance
The future of Nobitex and the impact of this hack on Iran’s financial sector is uncertain. If the exchange is able to return to operations and enhance security after the alleged leaking of its source code, the cryptocurrency ecosystem in Iran will remain largely intact. However, if Nobitex is unable to resume services, this will seriously reduce the ability of regular Iranians (and the Iranian regime) to move money into and out of Iran. With Bank Sepah also offline, this poses a significant hindrance to the IRGC’s financial operations.
While Iran’s proxy groups are unlikely to feel the pinch in the short term (1-2 weeks), if these financial service providers remain offline, Iranian proxies will likely start to experience financial limitations and possibly face financial disruption, hindering their ability to procure weapons and goods, as well as pay for services. While other Iranian cryptocurrency exchanges remain functional, they are unlikely to replace Nobitex's processing volume easily, and if or when they attempt to do so, they might also become targets for Predatory Sparrow. Reducing Iran’s ability to provide financial support to its proxies was likely the intended goal of the hack; while this has been achieved in the short term, it remains to be seen whether this will be successful in the long term.
© 2025 Insight Threat Intelligence Ltd. All Rights Reserved.
Sooo important work, thank you Jessica
With my studies I have less time,
Regards,
Nicolas