- $81.7M was stolen from Nobitex through vanity address exploits across Tron and EVM chains
- A pro-Israel group, Gonjeshke Darande, claimed responsibility, embedding a clear political message in the wallet address itself
- Nobitex confirmed only hot wallets were affected and assured users that funds will be reimbursed via their insurance fund
- This wasn’t just a financial exploit — it was a targeted, ideological attack that signals how geopolitical conflict is bleeding into crypto
Another week, another major exploit. This time, it’s Nobitex—one of Iran’s largest cryptocurrency exchanges—getting drained for over $81 million in a coordinated attack that blends technical precision with political undertones.
According to onchain sleuth ZachXBT, the exploit siphoned funds via a vanity address exploit, moving assets across Tron and multiple EVM-compatible blockchains. Not exactly your everyday rug pull — this one had a message.
The first red flag was a rather loud one: a Tron wallet dubbed “TKFuckiRGCTerroristsNoBiTEX…”, used to extract $49 million alone. If you were wondering whether this was just a profit-driven attack, the naming convention gives away a much more pointed agenda.
The Hack Was Loud, Intentional, and Political
Shortly after the exploit, a hacker group calling itself “Gonjeshke Darande” came forward claiming responsibility.
The group appears to be pro-Israel, and the message embedded in the vanity address doesn’t leave much room for misinterpretation.
This wasn’t just about stealing crypto — it was about making a statement.
A second vanity address used in the heist — “0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead” — helped drain the rest, bringing the total to over $81.7 million.
The exploit follows a trend we’ve seen more of lately: attackers aren’t hiding. They’re branding their attacks, embedding ideology, and broadcasting intent.
Nobitex’s Response: Hot Wallets Hit, Cold Wallets Safe
Nobitex acknowledged the breach, confirming that a portion of its hot wallets showed signs of unauthorized access. Standard protocol followed: hot wallets were suspended, and damage control kicked in.
According to the exchange, cold storage assets remain untouched, and user funds will be covered using the insurance fund and internal reserves.
It’s a familiar playbook, but the real story here isn’t just the loss of funds — it’s the shift in how and why these attacks are happening.
Beyond Crypto: This Is Geopolitical
Let’s call it what it is. This wasn’t your standard DeFi exploit. This was cyber warfare with a blockchain twist, hitting one of the few regulated Iranian crypto exchanges still operating despite international restrictions.
The attack underscores the evolution of hacking groups in crypto.
It’s no longer just North Korea or anonymous threat actors — we’re now entering a chapter where nation-state proxy groups are leveraging onchain tools to push narratives, disrupt economies, and flex cyber muscle in plain sight.
And with vanity addresses now weaponized for both technical and symbolic impact, every wallet label becomes a headline in itself.
