After nearly $100 million in cryptocurrency was stolen, Iran faces a frenzied on-chain attack from Israel

Original | Odaily Planet Daily (@OdailyChina)

Author | Asher (@Asher0210)

Crypto, originally distant from the real world, is being swept into an unprecedented geopolitical storm.

As the conflict between Israel and Iran escalates, a mysterious hacker group, Gonjeshke Darande (meaning "Predatory Sparrow"), broke into Iran's largest crypto exchange, Nobitex, and stole nearly $100 million in assets, yet made no attempt to cash out. Instead, this massive sum was publicly destroyed, sent to addresses filled with the phrase "Down with the Iranian regime." This is not just a cyber attack; it resembles an on-chain, somewhat abstract political explosion, with the smoke of war spreading into the crypto world.

The entire attack process: from invasion to fund destruction

On the afternoon of June 18, on-chain analyst ZachXBT raised the alarm: funds were flowing abnormally out of the hot wallet of Nobitex, Iran's largest crypto platform, with an initial estimate of $48.65 million. Hours later, the outflow had rapidly expanded, with losses soaring to about $81.7 million and the amount stolen still rising. The funds were primarily in the stablecoin USDT and spanned multiple chains, including Tron, EVM chains, and BTC.

However, what shocked the entire crypto community was not the amount but the method of attack: Gonjeshke Darande did not send the stolen assets to mixing tools or attempt to launder them, but deliberately transferred them to "destruction addresses" with strong political implications. According to the group's statement on the X platform, it destroyed $90 million in crypto assets; some of the destruction addresses are as follows:

  • TKFuckiRGCTerroristsNoBiTEXy2r7mNX

  • 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead

  • 1FuckiRGCTerroristsNoBiTEXXXaAovLX

  • DFuckiRGCTerroristsNoBiTEXXXWLW65t

  • ……

These addresses openly carry aggressive slogans against Iran's Islamic Revolutionary Guard Corps (IRGC), clearly indicating that the aim was political demonstration and psychological impact rather than purely economic gain.

Hacker motives: political strike, not economic gain

In stark contrast to the usual profit-seeking logic of crypto attackers, Gonjeshke Darande did not attempt to monetize any of the funds. The group also issued a statement saying it would publicly disclose Nobitex's source code, internal network structure, and employee communications this afternoon, Beijing time, further revealing the platform's true purpose.

Gonjeshke Darande stated that Nobitex is not an ordinary commercial platform, but a "core tool used by the Iranian regime to evade international sanctions and fund terrorist organizations," and is currently the most widely used tool for money laundering and cross-border fund transfers in Iran. They even accused the platform of guiding users on how to evade sanctions for fund transfers. Additionally, they claimed that some positions at Nobitex are viewed by the Iranian government as a form of military service, possessing the nature of "wartime positions."

It is clear that Gonjeshke Darande's goal is to expose Nobitex as part of a war machine and completely dismantle the economic model that Iran relies on.

The expansion of cyber warfare: from physical lifelines to crypto finance

In fact, this is not the first time Gonjeshke Darande has launched a cyber attack against Iran. Over the past three years, the group has successively:

  • 2021: Paralyzed Iran's nationwide gas station system;

  • 2022: Attacked and caused a fire at a steel plant in Iran;

  • 2024: Hacked and paralyzed the system of the Iranian national bank Sepah.

This time, the target has escalated further, extending from national physical systems to Iran's core crypto trading platform. Precise strikes that treat a crypto platform as a node of war have been extremely rare in the past.

Why choose to destroy funds?

Ordinary hackers attack crypto platforms to cash out; this attack, however, was aimed at "burning money." Gonjeshke Darande does not care about profit, nor is it worried about addresses being frozen or transfer paths being exposed, because it never intended to spend this money at all. What the group seeks may be political symbolism:

  • Publicly demonstrating to the world: "We can not only take your money but also burn it in public";

  • Symbolically striking the Iranian regime: "Nobitex is your crypto lifeline, and we are destroying it";

  • Inciting unrest: Chilling user confidence, undermining the platform's credibility, and shaking reliance on the crypto system.

From traditional battlefields to the crypto world, crypto assets are no longer just "financial tools" constructed by technology, but are becoming tools of national conflict, the front line of sanction wars, and the battlefield of psychological warfare.

Nobitex's response: the platform has completely cut off external access to servers, ensuring full protection of user funds

In response to this hacker attack, Nobitex has issued its fourth official statement, clearly stating that the platform has completely cut off external access to its servers to prevent further risks. The platform emphasized that the outflow of some assets from the hot wallet was a proactive defensive operation by the technical team, aimed at isolating risks and ensuring user fund safety at the earliest possible time, rather than being directly stolen by attackers.

Nobitex further confirmed that the attackers indeed used addresses with strong political slogans to destroy about $100 million in crypto assets, and the platform has classified this incident as a "psychological sabotage" attack rather than a theft driven by economic motives.

Finally, the platform promised to fully compensate all losses, with funding sources including Nobitex's own reserves and a specially established insurance fund. Meanwhile, due to the current nationwide internet and communication outages in Iran, there may be delays in technical support, but the platform promises to restore website and application access as soon as the network is restored and to disclose more details of the incident after the investigation is completed.

Odaily Planet Daily will also continue to follow the further developments of the situation.
