
Gonjeshke Darande Hackers Impersonate Activists to Breach Iranian Crypto Exchange


The advanced threat group known as Gonjeshke Darande, suspected of being an Israeli state-sponsored entity, successfully infiltrated and disrupted Nobitex, Iran’s largest cryptocurrency exchange.

The hack came at a time of acute regional tension, just days after Israeli airstrikes on Iranian strategic assets and Iran’s subsequent military retaliation.

Far beyond a simple heist, the breach was designed as a statement attack, aiming to destabilize Iran’s financial apparatus, expose regime vulnerabilities, and undermine public trust in government-linked institutions.

Technical Execution

Gonjeshke Darande, while masquerading as an Iranian hacktivist group, leveraged privileged access to Nobitex’s internal systems, suggesting extended prior infiltration and reconnaissance.

The attackers proceeded to exfiltrate approximately US$90 million in cryptocurrency, not for financial gain, but to destroy value by transferring funds into invalid wallets embedded with anti-regime messages.

These wallet addresses, such as “FuckiRGCTerroristsNoBiTE,” directly accused the Islamic Revolutionary Guard Corps (IRGC) of terrorism and condemned the government’s alleged use of Nobitex to bypass international sanctions.
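Transfers like those described above are unrecoverable because the destination strings were chosen for their readable text, not derived from any private key. On Base58Check chains (Bitcoin-style and Tron-style addresses) every address carries a 4-byte double-SHA256 checksum, so a string built from vanity text fails validation and no key can ever spend from it. The following added example, which is not code from the article or from Nobitex, shows the checksum rule and a hypothetical withdrawal-screening pass an exchange could run before signing a transfer; the sample withdrawals and address strings are constructed here for illustration. It does not apply to hex (Ethereum-style) addresses, which use a different, optional checksum scheme.

```python
import hashlib

# Base58 alphabet shared by Bitcoin and Tron addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58, preserving leading zero bytes as '1' characters."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def make_address(version: bytes, hash160: bytes) -> str:
    """Build a checksummed address from a version byte and a 20-byte key hash."""
    payload = version + hash160
    return b58encode(payload + checksum(payload))


def is_valid_base58check(addr: str) -> bool:
    """True only if the address decodes and its trailing checksum matches."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) < 5:  # need at least a version byte plus 4 checksum bytes
        return False
    return checksum(raw[:-4]) == raw[-4:]


def screen_withdrawals(withdrawals: list) -> list:
    """Return the withdrawals whose destination fails Base58Check.

    A hypothetical pre-signing control: a transfer to such an address destroys
    the funds, since no private key corresponds to a checksum-invalid string.
    """
    return [w for w in withdrawals if not is_valid_base58check(w["to"])]


# Constructed sample data: one address derived correctly (all-zero key hash,
# Bitcoin mainnet version byte 0x00) and one readable vanity string that was
# never derived from a key. The Tron mainnet version byte is 0x41.
VALID_ADDR = make_address(b"\x00", bytes(20))
VANITY_ADDR = "TVanityTextNoPrivateKeyHere1111111"

SAMPLE_WITHDRAWALS = [
    {"id": "w-1", "to": VALID_ADDR, "amount": "0.5"},
    {"id": "w-2", "to": VANITY_ADDR, "amount": "1200.0"},
    {"id": "w-3", "to": "not-a-valid-address-0OIl", "amount": "3.0"},
]

if __name__ == "__main__":
    for w in screen_withdrawals(SAMPLE_WITHDRAWALS):
        print(f"BLOCK {w['id']}: destination fails checksum -> {w['to']}")
```

The screen flags both the vanity string and the string containing characters outside the alphabet, while the correctly derived address passes. In practice this check belongs alongside, not instead of, destination allow-listing and multi-party approval for large transfers, since an attacker with signing access can still move funds to a checksum-valid address they control.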

Further compounding the damage, Gonjeshke Darande published the full source code of the Nobitex platform, including sensitive internal configurations and details of cold wallet management scripts.

The group released a list of cryptocurrency wallet addresses

This leak has significant operational and reputational ramifications, exposing Nobitex’s infrastructure to additional exploitation and eroding user confidence.

The attackers claimed to possess authentication credentials and internal documentation, though speculation persists around possible insider involvement or long-term lateral movement within the exchange’s network.

Institutional Response

Nobitex responded by confirming a breach of its hot wallet infrastructure, prompting immediate service suspension and server isolation.

The exchange emphasized that cold wallet reserves remained untouched, but acknowledged that restoration efforts would be delayed due to concurrent nationwide internet disruptions.

Nobitex has maintained a degree of operational transparency, yet withheld specific technical details of the breach, citing ongoing investigations and the need for enhanced access controls moving forward.

This cyberattack is not an isolated incident but part of a discernible escalation in cyber operations targeting Iran’s financial and critical infrastructure, coinciding with recent military hostilities between Israel and Iran.

Gonjeshke Darande, whose operational portfolio includes high-impact attacks on Iranian railways, gas stations, and steel mills, consistently combines technical sophistication with psychological operations intended to degrade regime authority and disrupt state capabilities.

The group’s activities blur the line between activism and covert cyberwarfare, strategically amplifying the political effects of each operation.

According to the report, the Nobitex incident epitomizes a paradigm shift in the role of cyberattacks within geopolitical conflict, with financial platforms and digital assets now serving as key battlegrounds.

The attack underscores multiple emerging threats: the susceptibility of cryptocurrency infrastructure to ideologically driven sabotage, the dangers posed by insider access or persistent threat actors, and the use of cyber operations to apply sustained pressure on regime-aligned financial networks.

While investigations continue, the evidence points to a meticulously planned operation with both technical and psychological objectives.

Analysts warn that further attacks against Iranian financial institutions, particularly those linked to sanctioned entities or the IRGC, are likely as Gonjeshke Darande exploits regional instability.

The Nobitex breach marks a significant moment in the evolution of cyber-enabled conflict in the Middle East.

It reflects an evolving strategy to erode the credibility and resilience of state-linked digital platforms through a fusion of cyber disruption, data destruction, and public exposure, an approach set to shape the region’s cyber landscape in the months ahead.
