Author: Lisa & 23pds Editor: Sherry
On June 18, 2025, the chain detective ZachXBT disclosed that Iran’s largest cryptocurrency trading platform Nobitex was suspected of being attacked by hackers, involving abnormal transfers of large amounts of assets across multiple public chains.
(https://t.me/investigations)
SlowMist further confirmed that the affected assets in the incident covered TRON, EVM and BTC networks, and the preliminary estimated loss was approximately US$81.7 million.
(https://x.com/slowmist_team/status/1935246606095593578)
Nobitex also issued an announcement confirming that some infrastructure and hot wallets did suffer unauthorized access, but emphasized that user funds are safe.
(https://x.com/nobitexmarket/status/1935244739575480472)
It is worth noting that the attacker not only transferred the funds, but also actively transferred a large amount of assets into a specially designed destruction address. The value of the assets that were "burned" was nearly 100 million US dollars.
(https://x.com/GonjeshkeDarand/status/1935412212320891089)
June 18
ZachXBT disclosed that the Iranian crypto exchange Nobitex was suspected of being hacked, and a large number of suspicious withdrawal transactions occurred on the TRON chain. SlowMist further confirmed that the attack involved multiple chains, and the initial estimated loss was about 81.7 million US dollars.
Nobitex stated that the technical team detected that some infrastructure and hot wallets were illegally accessed, and the external interface was immediately cut off and an investigation was launched. The vast majority of assets stored in cold wallets were not affected. The intrusion was limited to some hot wallets used for daily liquidity.
The hacker group Predatory Sparrow (Gonjeshke Darande) claimed responsibility for the attack and announced that it would release Nobitex source code and internal data within 24 hours.
(https://x.com/GonjeshkeDarand/status/1935231018937536681)
June 19
Nobitex The fourth statement was released, indicating that the platform has completely blocked the external access path of the server, and the hot wallet transfer was "the active migration made by the security team to protect the funds". At the same time, the official confirmed that the stolen assets were transferred to some wallets with non-standard addresses composed of arbitrary characters, which were used to destroy user assets, totaling about 100 million US dollars.
The hacker group Predatory Sparrow (Gonjeshke Darande) claimed to have burned about 90 million US dollars worth of crypto assets and called it a "sanctions circumvention tool."
The hacker group Predatory Sparrow (Gonjeshke Darande) disclosed the Nobitex source code.
(https://x.com/GonjeshkeDarand/status/1935593397156270534)
According to the source code information released by the attacker, the folder information is as follows:
Specifically, the following contents are involved:
Nobitex's core system is mainly written in Python and deployed and managed using K8s. Combined with the known information, we speculate that the attacker may have broken through the operation and maintenance boundary and entered the intranet, which will not be analyzed here.
The attacker used multiple seemingly legitimate but uncontrollable "destruction addresses" to receive assets. Most of these addresses comply with the on-chain address format verification rules and can successfully receive assets, but once the funds are transferred in, they are equivalent to permanent destruction. At the same time, these addresses also contain emotional and provocative words, which are offensive. Some of the “destruction addresses” used by the attacker are as follows:
TKFuckiRGCTerroristsNoBiTEXy2r7mNX
0xffFFffFFFFFFFfFffFFFfFfFFFFFFFFFFFFDead
1FuckiRGCTerroristsNoBiTEXXXaAovLX
style="text-align: left;">DFuckiRGCTerroristsNoBiTEXXWLW65t
FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX
UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT
one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u
rFuckiRGCTerroristsNoBiTEXypBrmUM
We used the on-chain anti-money laundering and tracking tool MistTrack for analysis, and the incomplete statistics of Nobitex's losses are as follows:
According to MistTrack analysis, the attacker completed 110,641 USDT transactions and 2,889 TRX transactions:
The EVM chains stolen by the attacker mainly include BSC, Ethereum, Arbitrum, Polygon and Avalanche. In addition to the mainstream currencies of each ecosystem, it also includes UNI, LINK, SHIB and other tokens.
On Bitcoin, the attacker stole a total of 18.4716 BTC, about 2,086 transactions.
On Dogechain, the attacker stole a total of 39,409,954.5439 DOGE, about 34,081 transactions.
On Solana, the attacker stole SOL, WIF and RENDER:
On TON, Harmony, and Ripple, the attacker stole 3,374.4 TON, 35,098,851.74 ONE, and 373,852.87 XRP respectively:
MistTrack has added the relevant addresses to the malicious address library and will continue to pay attention to related chain trends.
The Nobitex incident once again reminds the industry: security is a whole, and the platform needs to further strengthen security protection and adopt more advanced defense mechanisms, especially for platforms that use hot wallets for daily operations. SlowMist recommends:
Strictly isolate cold and hot wallet permissions and access paths, and regularly audit hot wallet call permissions;
Use on-chain real-time monitoring systems (such as MistEye) to obtain comprehensive threat intelligence and dynamic security monitoring in a timely manner;
Cooperate with on-chain anti-money laundering systems (such as MistTrack) to promptly detect abnormal fund flows;
Strengthen emergency response mechanisms to ensure that effective responses can be made within the golden window after an attack occurs.
The incident is still under investigation, and the SlowMist security team will continue to follow up and update the progress in a timely manner.
Cardano creator Charles Hoskinson is offering $1 million to anyone who can crack the new Lace Paper Wallet, a challenge open until the end of 2024. Is this a masterstroke of innovation or a high-stakes gamble?
KikyoIn 2023, cryptocurrency scams surged, with Americans losing billions, including $650 million in a scheme run by NovaTech and its leaders, and significant fraud via Google’s Play Store. Victims, including Maria Vaca, faced massive financial losses and threats, highlighting the urgent need for enhanced security and vigilance in the crypto market.
AnaisPortal to Bitcoin, a key player in Bitcoin DeFi, announced launch of BitScaler, a technology set to revolutionise Bitcoin's scalability without core upgrades or new opcodes. With the testnet launch imminent, could Portal to Bitcoin be on the verge of transforming the crypto industry?
CatherineCosplay-to-Earn: How $WEEBS Token Is Changing the Game for Anime Fans
WeatherlyHamster Kombat is recently mired in internal conflicts and investor disputes, leading to the indefinite postponement of its HMSTR token airdrop. With other mounting issues, is this the start of the end for Hamster Kombat?
KikyoLuigi D'Onorio DeMeo’s X account was hacked on 19 August 2024, and used to promote a fake Pokémon-themed memecoin, PIKA, in a pump-and-dump scheme. The hackers gained access through a phishing email and quickly spread malicious links, exploiting DeMeo’s reputation before the scam was detected.
AnaisBinance-backed DIN announced on 20 August that it raised $4 million in a pre-listing round, boosting total funding to $8 million. To further its mission to redefine the decentralised AI data economy, it launched the Chipper Node Sale on 13 August.
CatherineSunwaves Tokens (SW) are set to revolutionize the festival experience by offering exclusive perks, enhanced fan engagement, and seamless blockchain integration. With its innovative approach, SW could redefine how festivals connect with their global audience.
AnaisBinance and its former CEO, CZ, face a lawsuit for alleged money laundering. Ironically, Binance recently prevented the loss of $2.4B from scams this year. With CZ’s release expected in September, how will this legal battle affect him post-prison, and will the lawsuit gain traction?
KikyoTapSwap has introduced a new game, "Tappy Town," despite ongoing delays in its token distribution. The airdrop for the TAPS token has been postponed multiple times, leading to user frustration and skepticism about the platform's priorities.
Weatherly