About $100 million lost! Analysis of funds stolen from Iran’s largest exchange Nobitex

On June 18, Iran's largest crypto exchange Nobitex announced that it was hacked, losing approximately 100 million USD, involving multiple cryptocurrencies such as BTC, ETH, Doge, XRP, SOL, TRX, and Ton.

Author: Beosin

Cover: Photo by Nicolas Arnold on Unsplash

On June 18, Iran's largest crypto exchange Nobitex announced that it was hacked, losing approximately 100 million USD, involving multiple cryptocurrencies such as BTC, ETH, Doge, XRP, SOL, TRX, and Ton.

A pro-Israeli group called "Gonjeshke Darande" has claimed responsibility for the attack, characterizing it as a strike against Iran's crypto infrastructure. The Beosin security team immediately analyzed and tracked the funds, sharing the following results:

Stolen Fund Flows

The attack involved multiple blockchain networks, and through Beosin Trace analysis, the following attacker addresses have been confirmed:

TRON Network: TKFuckiRGCTerroristsNoBiTEXy2r7mNX

Ethereum Network: 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead

BTC Network: 1FuckiRGCTerroristsNoBiTEXXXaAovLX

Solana Network: FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX

Ripple Network: rFuckiRGCTerroristsNoBiTEXypBrmUM

TON Network: UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT

Harmony Network: one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u

Dogecoin Network: DFuckiRGCTerroristsNoBiTEXXXWLW65t

Among these, the TRON network saw 23,531 TRX and 49,439,310 USDT stolen, with a total loss of approximately 49.45 million USD, as shown in the following fund flow diagram:

On the Ethereum network, 939,556 USDT, 262.87 ETH, and multiple Ethereum ecosystem project tokens (UNI, AXS, PEPE, MASK, MEME, AAVE, etc.) were stolen, with a total loss of approximately 8.2 million USD. Below is the main stolen asset flow on the Ethereum network:

Beosin Trace Fund Flow Diagram shows 18.47 BTC stolen on the Bitcoin network, with a loss of approximately 1.93 million USD:

Beosin Trace Fund Flow Diagram shows 373,852 XRP stolen on the Ripple network, with a loss of approximately 800,000 USD:

On the Solana network, 173 SOL, 336,067 WIF, and 31,954 RENDER were stolen, with a total loss of approximately 400,000 USD:

On the Dogecoin network, 39,409,954 Doge were stolen, with a loss of about 6.7 million USD, while the Harmony and TON networks suffered a combined loss of approximately 400,000 USD. More attacker addresses are still under investigation, and Beosin Trace and KYT have added the confirmed attacker-related addresses to their blacklist and will continue to track them.

Nobitex's Response Measures

After the attack, Nobitex immediately issued a public statement, indicating that most of the exchange's crypto assets are still stored in secure cold wallets and remain unaffected. Additionally, Nobitex has isolated the attacked systems and enhanced its security posture to reduce the risk of similar attacks in the future.

According to media reports, due to this attack, the Iranian Central Bank has instructed all domestic crypto exchanges to limit their operating hours from 10 AM to 8 PM, implementing stricter regulatory measures.

Summary

Nobitex is not only the largest crypto exchange in Iran but also a key hub in Iran's strictly sanctioned crypto ecosystem, providing a gateway to the global market for users unable to access traditional finance. This attack highlights the inherent conflict between the borderless nature of cryptocurrencies and national geopolitics, and once again demonstrates the urgent need for continuous blockchain intelligence and on-chain and off-chain risk analysis in the crypto ecosystem.

After Nobitex was attacked, Beosin Trace and KYT continue to monitor related wallet address activities. Through on-chain risk analysis and forensics, Beosin Trace and KYT will help our partners clearly and accurately identify and respond to potential emerging on-chain risks.

Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests, and are not related to Web3Caff's stance. The information in the article is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.