Hacker group claims leak of Nobitex source code as Iranian exchange’s stolen funds top $100 million

Gonjeshke Darande, the pro-Israel hacker group that claims to be behind the attack on Iran's Nobitex crypto exchange yesterday, claims to have exposed what appears to be the platform's key source code information on the social media platform X.

"Assets left in Nobitex are now entirely out in the open," the group wrote.

The social media post included apparent screenshots of various essential codes of the platform for exchange deployment, privacy, user interface and others that could pose further security risks for the exchange.

Nobitex was hacked earlier on Wednesday, with onchain sleuth ZachXBT reporting suspicious outflows from its wallets on Tron and EVM networks. Nobitex stated in its latest announcement that over $100 million in cryptocurrency was stolen, which was subsequently moved and destroyed by the attackers.

"It is clear that the intention behind this attack was to harm the peace of mind and assets of our fellow citizens under false pretenses," Norbitex wrote .

Shortly after the exploit became public, Gonjeshke Darande claimed responsibility for the attack, saying that Nobitex is a "key regime tool" for financing terrorism and violating sanctions.

Gonjeshke Darande's alleged motive for the attack is connected to the broader conflict between Iran and Israel, which has escalated in recent months, including missile strikes targeting cities and strategic locations.

Not just an exchange

Meanwhile, onchain analytics platform Chainalysis stated in its Wednesday report that Nobitex plays an essential role in the country's sanctioned crypto space, with multiple ties to illicit activities.

"Nobitex isn’t just a local exchange; it serves as a critical hub within Iran’s heavily sanctioned crypto ecosystem, enabling access to global markets for users cut off from traditional finance," Chainalysis wrote.

Chainalysis added that past onchain investigations have linked Nobitex to illicit actors, including IRGC-affiliated ransomware operators and sanctioned Russian crypto exchanges. 

In response to the attack on Nobitex, Iranian authorities have imposed limits on local exchanges, allowing them to operate only between 10 a.m. and 8 p.m. local time, according to Chainalysis, which cited reports.

"[The] exploit underscores the inherent tension between the borderless nature of cryptocurrency and the geopolitical realities of nation-state restrictions," Chainalysis wrote.

The Block has reached out to Nobitex for further comments.