What to Know
- The pro-Israel hacker group Gonjeshke Darande released the full source code of Iran’s Nobitex crypto exchange.
- The leak followed a $100 million attack targeting Nobitex’s holdings across Bitcoin, EVM, Ripple, and other blockchains.
- Users who have not withdrawn their assets may face extreme risk, as back-end systems are now publicly exposed.
- Nobitex says it will attempt to restore services within five days despite internet disruptions in Iran.
Nobitex’s Security Breach Escalates as Hackers Publish Entire Codebase
A day after breaching Nobitex and draining over $100 million in crypto assets, the hacker group Gonjeshke Darande took their attack a step further—publicly leaking the Iranian exchange’s full source code, backend scripts, privacy configurations, and server listings. The leak, published via X (formerly Twitter), removes any remaining veil of protection for the platform and could open the floodgates to additional cyber exploits.
This devastating development compounds an already severe incident. On Wednesday, the group—whose name translates from Farsi as “Predatory Sparrow”—claimed responsibility for a massive multi-chain attack that drained wallets on Bitcoin, Ethereum-compatible networks, Ripple, Dogecoin, and Solana. The tokens were deliberately sent to inaccessible burner addresses with provocative names aimed at Iranian authorities.
Political Motive Behind the Attack
This was no ordinary hack. Gonjeshke Darande has a history of politically motivated cyber operations, and their statement accused Nobitex of functioning as a key financial tool for the Iranian regime to bypass international sanctions. The group framed its operation as a digital counterstrike amid escalating tensions between Israel and Iran.
The leak came just days after Israel launched targeted strikes on Iranian nuclear and military facilities, with Iran responding by launching ballistic missiles. The cyberattack adds a digital front to this already volatile conflict, and Gonjeshke Darande appears determined to undermine any technological infrastructure viewed as supportive of the Iranian government.
Leaked Code Dismantles Nobitex’s Defenses
In a damning X post shared on June 19, the group, whose name is Farsi for Predatory Sparrow, wrote:
“Time’s up – full source code linked below. ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.
Your remaining assets in Nobitex are now exposed and at risk.
But before that, let’s meet Nobitex from the inside:
Exchange Deployment (1/8) pic.twitter.com/jiMfBpNXwd”
— Gonjeshke Darande (@GonjeshkeDarand) June 19, 2025.
The accompanying code dump included exchange deployment instructions, internal security files, and blockchain configuration scripts—effectively giving malicious actors a roadmap to the inner workings of the platform.
Unlike leaks from disgruntled insiders or third-party vulnerabilities, this breach provides complete visibility into Nobitex’s backend operations. As a result, even users who avoided the initial theft may now find their holdings at risk if further attacks are launched using the exposed system.
Wallets Employed Provocative Labels
In a clear political message, Gonjeshke Darande used vanity addresses to redirect stolen assets to wallets named with anti-regime messages. Examples include:
1FuckiRGCTerroristsNoBiTEXXXaAovLX
DFuckiRGCTerroristsNoBiTEXXXWLW65t
These names suggest the attackers generated custom public keys using brute-force techniques but do not possess the corresponding private keys—meaning the funds are effectively burned and irretrievable. In total, over $90 million in value has been locked away in these unreachable wallets.
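As an added illustration (not part of the original article), the Python sketch below decodes a legacy Base58Check address, verifies its checksum, and estimates how much key searching a chosen prefix would require, which is the reasoning behind treating long vanity addresses as burn addresses. The function names are my own, and the genesis-block address is included only as a well-known reference sample.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(text):
    """Decode Base58 text to bytes; each leading '1' is one leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body

def inspect_address(addr):
    """Return version byte, 20-byte hash and checksum validity of an address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return {"valid": False, "reason": "non-Base58 character"}
    if len(raw) != 25:  # 1 version byte + 20 hash bytes + 4 checksum bytes
        return {"valid": False, "reason": "unexpected length"}
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return {"valid": checksum == expected,
            "version": payload[0],       # 0x00 Bitcoin P2PKH, 0x1e Dogecoin P2PKH
            "hash160": payload[1:].hex()}

def vanity_search_bits(chosen_chars):
    """Approximate log2 of key pairs to try before an address matches a prefix."""
    return chosen_chars * math.log2(58)

if __name__ == "__main__":
    samples = [
        "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",  # well-known Bitcoin genesis address
        "1FuckiRGCTerroristsNoBiTEXXXaAovLX",  # as printed in the article
        "DFuckiRGCTerroristsNoBiTEXXXWLW65t",  # as printed in the article
    ]
    for addr in samples:
        print(addr, inspect_address(addr))
    # 27 readable characters follow the version character in the article's addresses
    print(f"~2^{vanity_search_bits(27):.0f} key pairs for a 27-character prefix")
```

A valid checksum shows only that the string is well-formed; whether anyone holds a matching key cannot be read from the address itself, which is why the search-cost estimate matters.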
Nobitex Responds With Recovery Timeline
Despite the breach, Nobitex stated on Thursday that no new thefts had occurred since the source code leak. The company also announced plans to begin restoring exchange services within five days. However, ongoing internet connectivity issues in Iran may complicate that timeline.
It remains unclear what measures the platform is taking to rebuild or replace its now-compromised infrastructure. Given that hackers released the very code used to manage user wallets, security protocols, and exchange operations, a full rebuild may be necessary to prevent future breaches.
Implications for Users
This situation puts remaining Nobitex users in an extremely vulnerable position. Unless their funds were already withdrawn prior to the attack, they may now be exposed to follow-up exploits. Even if no further tokens are drained, the trust in Nobitex’s systems has been severely undermined.
Key risks for users include:
- Code-level exploits: Malicious actors may replicate transactions or initiate fake withdrawals using the leaked code.
- Phishing scams: Attackers can now craft highly convincing fake interfaces and apps resembling Nobitex’s environment.
- User data exposure: It’s unclear if KYC or user identity data is also at risk, but full backend access opens the door to broader data leaks.
Geopolitical Cyber Warfare on the Rise
This attack underscores the growing use of cyber weapons in geopolitical conflict. While crypto platforms have often been targets for criminal gain, this incident illustrates how digital assets and blockchain infrastructure can become targets of ideological or nationalistic warfare.
Gonjeshke Darande has previously taken responsibility for attacks on Iranian infrastructure, including energy systems and transportation. Their involvement in a high-profile crypto exchange breach represents an evolution in tactics—shifting from traditional systems to financial networks deeply embedded in web3 ecosystems.
What Happens Next?
Nobitex now faces a critical turning point. To regain user trust, it must overhaul its codebase, restore operations under rigorous security protocols, and ensure that no additional user data is compromised. Even then, reputational damage may be difficult to repair, especially given the political dimensions of the hack.
For users, the immediate priority should be asset security. If withdrawals resume, any remaining funds should be removed promptly. In addition, any communications appearing to come from Nobitex in the near term should be treated with caution, as phishing attempts are highly likely to spike using information gleaned from the leak.
The Nobitex hack and subsequent source code release mark one of the most politically charged and technically damaging crypto attacks of the year. With over $100 million in losses and the platform’s inner workings now fully public, this event highlights how the intersection of cybersecurity, digital assets, and geopolitical conflict is becoming increasingly complex and dangerous.