top of page
Search

Digital Firestorm: Gonjeshke Darande Torches $90M in Crypto in Politically Charged Strike on Iran’s Nobitex

In an unprecedented act of cyber sabotage, the threat actor Gonjeshke Darande — a group widely believed to be a front for Israeli intelligence — has claimed responsibility for a devastating attack on Iran’s largest cryptocurrency exchange, Nobitex. The June 18 operation resulted in the destruction of approximately $90 million in digital assets, marking one of the most ideologically driven cyberattacks in recent memory.


Unlike typical state-aligned cyberattacks aimed at data theft or ransom, this strike was not about profit. Instead, the attackers deliberately “burned” the funds by transferring them to non-recoverable wallets with politically charged names, effectively removing them from circulation forever. In doing so, they sent a clear message to Iran’s leadership — and the world.


“It is very unusual to see millions of dollars' worth of cryptocurrency burned with the sole purpose of causing disruption and making a political statement,” said Lidia López Sanz, Outpost24 Strategic Research Lead. “In this case, Gonjeshke Darande appears to have chosen to not steal the funds for profit, in order to deliver a stronger message.”

Cyber Warfare in the Shadow of Airstrikes


The timing of the attack was no coincidence. It occurred just days after a major Israeli military operation on June 13, which targeted Iranian nuclear and military sites. In the wake of that escalation, Gonjeshke Darande struck Nobitex, accusing the platform of serving as a tool of the Iranian regime to circumvent sanctions and finance terrorism through the IRGC.


The group’s public statement declared Nobitex a “key regime tool for financing terrorism and violating sanctions,” and posted screenshots of internal systems as well as a full leak of the exchange’s source code — effectively opening the doors to further exploitation by third parties.


The wallets that received the destroyed crypto contained names like “FuckiRGCTerroristsNoBiTE,” underlining the symbolic and psychological dimensions of the operation. Gonjeshke Darande wasn’t just trying to disrupt — it was trying to humiliate.


Anatomy of the Breach


The precision and depth of the attack suggest long-term access and careful preparation. Internal server screenshots, backend source code, cold wallet configurations, and deployment scripts were all exposed. While Nobitex has acknowledged that its hot wallet infrastructure was compromised, the company has withheld full details of the intrusion, citing an ongoing investigation.


In its public response, Nobitex emphasized that cold wallets — typically offline and more secure — were not affected. However, national internet disruptions have delayed recovery efforts and fueled speculation about the broader implications of the breach.


A Signature of Psychological Warfare


Gonjeshke Darande, known by aliases like Predatory Sparrow and Adalat Ali, has been waging a cyber campaign against Iran since at least 2019. The group blends technical sophistication with spectacle, often targeting public infrastructure — from railway systems and gas stations to steel mills — and leaving behind messages aimed at sowing distrust and dissent.


This latest attack marks a turning point: a pivot toward economic warfare through the lens of digital finance. Cryptocurrency platforms like Nobitex are now frontline targets in a cyber war where money, ideology, and national security are inseparable.


A Coordinated Campaign


The Nobitex hack wasn’t an isolated incident. Days earlier, Gonjeshke Darande claimed to have infiltrated Bank Sepah — a major financial institution linked to the IRGC — and destroyed critical data. In both cases, the group explicitly cited Iran’s missile and nuclear ambitions as justification for its actions.


These attacks underscore a broader strategy: to erode Iran’s financial and operational resilience by targeting the institutions underpinning its sanctions evasion networks. Each digital intrusion is crafted not just to disrupt but to discredit.


Lessons for the Global Cybersecurity Community


The Nobitex incident reveals the growing potency of ideologically motivated cyberattacks. It also exposes how high-value crypto platforms — especially those operating in opaque regulatory environments — are vulnerable to both internal and external threats.


Insider access, long-term infiltration, and the deliberate weaponization of leaked data signal a level of operational maturity rarely seen outside nation-state circles. The psychological weight of destroying $90 million in assets, rather than stealing them, is a stark reminder that modern cyber warfare is often about impact, not income.


If Gonjeshke Darande is indeed acting on behalf of the Israeli state — as most analysts believe — this represents a strategic shift toward digital financial destabilization as a tool of foreign policy.


And it's unlikely to be the last.


Looking Ahead


With tensions between Iran and Israel intensifying, experts warn that we may be witnessing the early stages of a prolonged cyber conflict with no clear front lines. Cryptocurrency exchanges, state-owned banks, and financial technologies are all in the crosshairs — not just for their monetary value, but for their symbolic power.


For now, the burning of $90 million on Nobitex’s ledgers will remain etched into the annals of cyberwarfare: not as a theft, but as a statement — and a warning.

bottom of page