On June 18, 2025, Iran's largest cryptocurrency exchange, Nobitex, was hacked. Between $48.65 million and $82 million worth of assets were stolen across multiple networks including Tron, Bitcoin, and Dogecoin. Shortly after the breach, a hacker group called "Gonjeshke Darande" claimed responsibility, framing the incident not as a mere crime, but as a politically motivated act of cyber terrorism.
The hackers transferred the stolen assets to vanity addresses with political messages like "FuckiRGCTerroristsNoBiTEX." These addresses are technically irreversible and untraceable, meaning the assets are essentially “burned” and unrecoverable. This action strongly suggests a political performance rather than a financially driven attack.
The incident symbolizes how tensions between Israel and Iran have moved into the realm of cyber warfare. Hacking, data destruction, and the disruption of financial systems are now being used as strategic tools comparable to military weapons. The political message sent by deliberately destroying $82 million is both shocking and powerful. We can only hope this escalation does not lead to further damage or wider conflict.
On June 18, 2025, Iran’s largest cryptocurrency exchange, Nobitex, was hacked by a cybercriminal group. Nobitex has served as a major exchange for Bitcoin, Ethereum, Dogecoin, Tron, and other leading cryptocurrencies within Iran, functioning as a key channel for capital inflow and currency conversion.
The attack targeted multiple blockchain networks simultaneously rather than a single chain. Initial analysis revealed that approximately $48.65 million worth of assets were stolen from networks including Tron, Bitcoin, Dogecoin, and EVM-compatible chains. However, further investigations later estimated the total losses could reach as high as $82 million. The situation took a significant turn when a cyber group known as Gonjeshke Darande claimed responsibility for the attack, framing it not as a common cybercrime, but as a politically motivated cyberterrorist act.
Source: Gonjeshke Darande X
Gonjeshke Darande is a group with a history of paralyzing key infrastructure in Iran:
In 2021, they caused nationwide chaos by disabling the POS systems of fuel stations.
In 2022, they sparked a fire at a major steel plant in southern Iran.
Just a day before this hack, on June 17, 2025, they claimed responsibility for an attack on Sepah, a state-owned Iranian bank, in which servers and customer data were destroyed.
Though the group has never officially confirmed ties to the Israeli government, Western security analysts have long speculated about its potential links to Israeli intelligence agency Mossad. This incident, therefore, appears to be more than a theft—it’s a blatant example of escalating cyber warfare between Israel and Iran.
Source: Medium | What is a vanity address?
What drew particular attention in this incident was that the hacker transferred the stolen assets to wallet addresses known as vanity addresses — all embedded with political messages. A vanity address is a cryptocurrency wallet address that contains a customized phrase or pattern, intentionally generated rather than randomly created like typical addresses.
Here are the vanity addresses used by the hacker:
The repeated phrase “FuckiRGCTerroristsNoBiTEX” conveys a politically charged message, mocking both Iran’s Islamic Revolutionary Guard Corps (iRGC) and the Nobitex exchange. By embedding such provocative language directly into the address strings, the hackers effectively left behind a form of digital graffiti — signaling that the act was as much a political statement as it was a hack.
But did the hackers actually generate these vanity addresses themselves?
Normally, a wallet address is generated by applying hash functions to a randomly created private-public key pair. However, vanity addresses are created through a different, more computationally intense process:
Repeatedly generate key pairs (private and public keys).
Check the resulting wallet address for a desired pattern or phrase.
If the pattern matches, retain the associated private key for use.
Creating a vanity address with a complex string like “FuckiRGCTerroristsNoBiTEX” (24 characters) would, in theory, require approximately 2.1 x 10^42 attempts — a brute-force task so computationally demanding it would take trillions of years, even using hundreds of thousands of GPUs in parallel.
This suggests that the hackers likely did not create these vanity addresses with known private keys. Instead, they generated addresses that no one can access or control — essentially rendering the stolen assets unrecoverable. This strengthens the interpretation of the hack as a symbolic, politically driven act rather than one intended for financial gain.
This raises an important question: the hackers sent the stolen assets to addresses for which no one, not even themselves, can know the private keys. What does that mean? In effect, they gave up ownership of the funds. That’s because in order to access a wallet, you need its private key — and recovering a private key from just the wallet address is virtually impossible.
Source: Medium | ECDSA in Go — A Simple Introduction
Here's a closer look at why:
Public Key Extraction Barrier: In networks like Tron, Bitcoin, and Dogecoin, wallet addresses are constructed using a combination of a network byte, a 160-bit hash of the public key, and a checksum. But due to the one-way nature of cryptographic hash functions, it's practically impossible to retrieve the original public key hash — let alone the actual public key — from the wallet address alone.
Elliptic Curve Discrete Logarithm Problem (ECDLP): Even if a public key were somehow obtained, calculating the corresponding private key is computationally infeasible. In a 256-bit Elliptic Curve Digital Signature Algorithm (ECDSA) system, the probability of brute-forcing the private key is 1 in 2^256 — roughly 1.1 × 10^77 attempts. That’s more than the number of atoms in the observable universe.
So in practical terms, it is absolutely impossible to derive the private key from these addresses. That means the hackers intentionally sent the funds to addresses that no one can access — essentially burning the assets beyond recovery.
This act transforms the hack into a political statement. Rather than stealing $48–$80 million worth of crypto for personal gain, the hackers publicly destroyed the funds. The burn was a deliberate and irreversible act of digital protest — not just a heist, but a calculated, high-stakes performance to deliver a political message through financial sacrifice.
Source: SpecialEurasia
Tensions between Israel and Iran have long been central to the geopolitics of the Middle East. But now, that conflict has expanded beyond the physical battlefield and into cyberspace. Missiles and drones are no longer the only weapons; hacking, data destruction, and the disruption of financial infrastructure have become core elements of modern warfare.
This incident — orchestrated by the hacker group Gonjeshke Darande — makes that shift painfully clear:
The destruction of data from Iran’s state-owned bank
The breach of its largest crypto exchange and the deliberate burning of assets
The global broadcast of a political message embedded directly in blockchain wallet addresses
This was not a random or profit-driven cybercrime — it was a deliberate, coordinated political strike. Nobitex wasn't just a private exchange; it was a vital part of Iran's crypto-based capital flow. That made it a symbolic and strategic target.
Cyberwarfare is no longer theoretical — it is already here. The attackers willingly rendered $82 million in assets useless. This incident was not just a hack — it was sheer dread, laced with a message of madness.
The author believes attacks like this — where ordinary civilians are harmed in the crossfire of digital war — must never be repeated. To those affected by this incident, especially users who lost access to their assets, we offer our deepest sympathy.
Historically, there have been cases where political messages were conveyed through acts of economic damage. One prominent example is Mahatma Gandhi, who in September 1921 protested British textile imports by burning approximately 150,000 pieces of foreign cloth. These historical cases inflicted damage only upon one’s own property, and the protesting individuals lent legitimacy to their political stance through self-sacrifice.
Even when damage is inflicted, it must be precisely targeted. In the 1773 Boston Tea Party, for instance, colonists dumped 9,000 pounds of East India Company tea into the harbor as a targeted act of protest against oppressive colonial taxation. The act was directed at the ruling institution’s assets, and the target of resistance clearly matched the target of damage. In contrast, the Nobitex hack fundamentally differs in that its victims include ordinary civilians. The $82 million burned by Gonjeshke Darande included personal funds belonging to individuals who had no direct involvement in the conflict.
An even more serious issue lies in the group’s justification — they destroyed other people’s assets based on a unilateral suspicion that Nobitex served as a channel for war financing. Such actions constitute a form of private sanctions, with the hacker group unilaterally acting as judge and executioner, absent any formal legal process or verified evidence.
When political messages result in civilian harm, the legitimacy of the message itself is undermined. If Gonjeshke Darande’s true aim had been to deliver a political statement — and nothing more — they could have transferred the assets to a wallet they controlled or simply left messages on-chain. Instead, they chose irreversible destruction of civilian property, a choice that shifts the act from symbolic protest to ideological extremism.
Related Articles, News, Tweets etc. :
