Author: Lisa & 23pds
Editor: Sherry
Background
On June 18, 2025, on-chain detective ZachXBT revealed that Nobitex, Iran's largest cryptocurrency exchange, was suspected to have suffered a hacking attack, involving abnormal transfers of large assets across multiple public chains.
(https://t.me/investigations)
SlowMist further confirmed that the affected assets in the incident covered TRON, EVM, and BTC networks, with preliminary estimated losses of approximately $81.7 million.
(https://x.com/slowmist_team/status/1935246606095593578)
Nobitex also released a statement confirming that some infrastructure and hot wallets had indeed experienced unauthorized access, but emphasized that user funds were safe.
(https://x.com/nobitexmarket/status/1935244739575480472)
It is noteworthy that the attackers not only transferred funds but also actively moved a large amount of assets to a specially created burn address, with the value of the "burned" assets nearing $100 million.
(https://x.com/GonjeshkeDarand/status/1935412212320891089)
Timeline
June 18
ZachXBT disclosed that the Iranian cryptocurrency exchange Nobitex was suspected of being hacked, with a large number of suspicious withdrawal transactions occurring on the TRON chain. SlowMist further confirmed that the attack involved multiple chains, with preliminary estimated losses of approximately $81.7 million.
Nobitex stated that its technical team detected illegal access to some infrastructure and hot wallets, immediately cutting off external interfaces and launching an investigation. The vast majority of assets stored in cold wallets were unaffected, and this intrusion was limited to a portion of hot wallets used for daily liquidity.
The hacker group Predatory Sparrow (Gonjeshke Darande) claimed responsibility for the attack and announced that they would release Nobitex's source code and internal data within 24 hours.
(https://x.com/GonjeshkeDarand/status/1935231018937536681)
June 19
Nobitex issued its fourth statement, indicating that the platform had completely blocked external access to its servers, and that the hot wallet transfers were "proactive migrations made by the security team to protect funds." At the same time, the official confirmed that the stolen assets were transferred to wallets with non-standard addresses composed of arbitrary characters, which were used to burn user assets, totaling approximately $100 million.
The hacker group Predatory Sparrow (Gonjeshke Darande) claimed to have burned approximately $90 million worth of cryptocurrency assets, referring to them as "sanction evasion tools."
The hacker group Predatory Sparrow (Gonjeshke Darande) publicly released Nobitex's source code.
(https://x.com/GonjeshkeDarand/status/1935593397156270534)
Source Code Information
Based on the source code information released by the attackers, the folder information is as follows:
Specifically, it involves the following content:
Nobitex's core system is primarily written in Python and uses K8s for deployment and management. Based on known information, we speculate that the attackers may have breached operational boundaries to enter the internal network, which will not be analyzed further here.
MistTrack Analysis
The attackers used multiple seemingly legitimate but actually uncontrollable "burn addresses" to receive assets. Most of these addresses conform to on-chain address format validation rules and can successfully receive assets, but once funds are transferred in, they are effectively permanently destroyed. Additionally, these addresses contain emotional and provocative language, indicating an attack intent. Some of the "burn addresses" used by the attackers are as follows:
TKFuckiRGCTerroristsNoBiTEXy2r7mNX
0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
1FuckiRGCTerroristsNoBiTEXXXaAovLX
DFuckiRGCTerroristsNoBiTEXXXWLW65t
FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX
UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT
one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u
rFuckiRGCTerroristsNoBiTEXypBrmUM
We used the on-chain anti-money laundering and tracking tool MistTrack for analysis, and Nobitex's losses are partially summarized as follows:
According to MistTrack analysis, the attackers completed 110,641 USDT transactions and 2,889 TRX transactions on TRON:
The attackers primarily stole from EVM chains including BSC, Ethereum, Arbitrum, Polygon, and Avalanche, including mainstream tokens from each ecosystem as well as various tokens such as UNI, LINK, and SHIB.
On Bitcoin, the attackers stole a total of 18.4716 BTC, approximately 2,086 transactions.
On Dogechain, the attackers stole a total of 39,409,954.5439 DOGE, approximately 34,081 transactions.
On Solana, the attackers stole SOL, WIF, and RENDER:
On TON, Harmony, and Ripple, the attackers stole 3,374.4 TON, 35,098,851.74 ONE, and 373,852.87 XRP, respectively:
MistTrack has added the relevant addresses to its malicious address database and will continue to monitor related on-chain movements.
Conclusion
The Nobitex incident serves as a reminder to the industry: security is a whole, and platforms need to further strengthen security protections and adopt more advanced defense mechanisms, especially for platforms that use hot wallets for daily operations. SlowMist recommends:
Strictly isolate the permissions and access paths of hot and cold wallets, and regularly audit hot wallet access permissions;
Implement on-chain real-time monitoring systems (such as MistEye) to obtain comprehensive threat intelligence and dynamic security monitoring in a timely manner;
Collaborate with on-chain anti-money laundering systems (such as MistTrack) to promptly detect abnormal fund flows;
Strengthen emergency response mechanisms to ensure effective responses within the golden window after an attack occurs.
The follow-up investigation of the incident is still ongoing, and the SlowMist security team will continue to follow up and provide timely updates on the progress.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
