Nearly $100 million in coins stolen and burned: Iran suffers a crazy on-chain attack from Israel
Original | Odaily Planet Daily (@OdailyChina)
Author | Asher (Asher)
Crypto, once far removed from the real world, is being caught up in an unprecedented geopolitical storm.
As the conflict between Israel and Iran continues to intensify, a mysterious hacker group, Gonjeshke Darande (meaning "Predatory Sparrow"), broke into Nobitex, Iran's largest crypto exchange, and precisely looted nearly $100 million in assets, but did not try to cash out. Instead, the huge sum was destroyed in public, sent to addresses filled with the words "Down with the Iranian regime". This is not only a cyber attack, but more like an on-chain, slightly abstract political explosion. The smoke of war is spreading to the crypto world.
The whole process of the attack: from intrusion to destruction of funds
On the afternoon of June 18, on-chain analyst ZachXBT issued an alert: there was an abnormal outflow of funds from the hot wallet of Nobitex, Iran's largest crypto platform, with an initial estimate of $48.65 million. A few hours later, the outflow expanded rapidly, and the losses soared to about $81.7 million. Since then, the amount stolen has continued to rise, mainly concentrated in the stablecoin USDT, across multiple chains such as Tron, EVM chains, and BTC.
But what shocked the entire crypto community was not the amount of money, but the method of attack: the hacker group Gonjeshke Darande did not send the stolen assets to mixing tools or launder them, but deliberately transferred them to burn addresses with strong political implications. According to the group's statement on the X platform, $90 million in crypto assets were destroyed. Some of the burn addresses are as follows:
- TKFuckiRGCTerroristsNoBiTEXy2r7mNX
- 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
- 1FuckiRGCTerroristsNoBiTEXXXaAovLX
- DFuckiRGCTerroristsNoBiTEXXWLW65t
- …
These addresses blatantly contain offensive slogans against Iran's Islamic Revolutionary Guard Corps (IRGC), and are clearly intended as a political demonstration and a psychological attack, rather than being driven simply by economic motives.
Hackers' motives: political attack, not financial gain
Unlike typical crypto attackers, who act for profit, the attacker in this incident, Gonjeshke Darande, did not attempt to cash out any funds. Not only that, Gonjeshke Darande also issued a statement claiming that it would make public the source code, internal network structure and employee communications of Nobitex this afternoon Beijing time, further revealing the true purpose of the platform.
Gonjeshke Darande said that Nobitex is not an ordinary business platform, but a core tool used by the Iranian regime to circumvent international sanctions and finance terrorist organizations. It is also the most widely used tool for money laundering and cross-border fund transfers in Iran. The group even accused the platform of instructing users on how to circumvent sanctions and transfer funds. In addition, it said that some positions at Nobitex are regarded by the Iranian government as an alternative to military service and have the nature of wartime positions.
It is not difficult to see that Gonjeshke Darande's goal is to expose Nobitex as part of the war machine and completely disintegrate the economic form that Iran relies on.
The expansion of cyber warfare: from physical lifelines to crypto finance
In fact, this is not the first time that Gonjeshke Darande has launched a cyber attack against Iran. In the past three years, the group has carried out the following:
- 2021: paralyzed Iran's national gas station system;
- 2022: attacked a steel plant in Iran and caused a fire;
- 2024: hacked and paralyzed the Sepah system, Iran's national bank.
This time, the targets were escalated further, extending from national physical systems to Iran's core crypto trading platform. Using crypto platforms as war nodes for precise strikes in this way was extremely rare in the past.
Why choose to destroy funds?
Ordinary hackers attack crypto platforms to cash out, but this time the attack was meant to burn money. Gonjeshke Darande doesn't care about the profits, and doesn't even worry about the addresses being frozen or the transfer path being exposed, because they don't want to spend the money at all. What they want may be political symbolism:
- Publicly demonstrating to the world: "We can not only take your money, but also burn it in public";
- Striking Iranian regime symbols: "Nobitex is your crypto lifeline, we destroy it";
- Inciting unrest: freezing user confidence, weakening platform credibility, and shaking reliance on crypto systems.
From traditional battlefields to the crypto world, crypto assets are no longer just financial tools built on technology, but are becoming a tool of national conflict, the front line of sanctions wars, and a battlefield of psychological warfare.
Nobitex responded: The platform has completely cut off external access to the server, and user funds are fully protected
In response to this hacker attack, Nobitex has issued its fourth official statement, clearly stating that the platform has completely cut off external access to the server to block further risks. The platform emphasized that the transfer of some assets from the hot wallet was an active defense operation by the technical team, aiming to isolate risks and protect user funds as quickly as possible, rather than a direct theft by the attackers.
Nobitex further confirmed that the attacker did destroy approximately $100 million in crypto assets using an abnormal address with strong political slogans. The platform characterized the incident as an attack of psychological sabotage rather than theft driven by economic purposes.
Finally, the platform promised to cover all losses in full, with funds coming from Nobitex's own reserves and a specially established insurance fund. At the same time, due to the current nationwide Internet and communication outages in Iran, technical support has been delayed, but the platform promised to restore website and application access as soon as the network is restored, and to disclose more details of the incident after the investigation is completed.
Odaily Planet Daily will also follow and report further developments of the situation.