Nobitex exchange begins restoring service after $90M exploit by pro-Israel hacker group

Nobitex exchange, Iran’s largest cryptocurrency platform, has begun restoring wallet access to users following a major exploit that resulted in more than $90 million in losses.

The company issued an update on June 29 via X, outlining a phased recovery process starting with verified users. According to the statement, only spot wallets are being unlocked initially, with other wallet types to follow once identity verification is completed.

Users are being asked to wait for confirmation before attempting to access their balances, which will be displayed gradually as the security checks proceed.

“Once the accuracy and security of all information is confirmed, Nobitex will begin displaying wallet balances in phases,” the exchange wrote. Nobitex expects the process to finish by mid-week but noted that timelines could shift based on technical and security considerations.

The exploit, carried out on June 18, was claimed by Gonjeshke Darande, a pro-Israel group also known as Predatory Sparrow. Blockchain investigators say roughly $90–100 million in digital assets were drained from hot wallets across Ethereum (ETH) and Tron (TRX), including Bitcoin (BTC), ETH, and Dogecoin (DOGE).

As part of its post-attack response, Nobitex is migrating to a new wallet system. The firm warned users not to deposit funds into previously used addresses, noting that any deposits to old wallets may result in permanent loss.

“If your old deposit address is connected to a mining rig or saved as a default withdrawal address in a blockchain service, make sure to delete it an,” the update advised, stressing the risk of sending funds to invalid wallets.

The hackers reportedly accessed the platform using employee credentials compromised earlier via infostealer malware. The breach exposed parts of Nobitex’s internal systems, including source code and server data, which were later leaked online.

Nobitex, which has processed more than $11 billion in inflows to date, holds a dominant position among Iran-based exchanges. Chainalysis has previously linked it to illicit activities by ransomware groups affiliated with Iran’s Islamic Revolutionary Guard Corps and sanctioned Russian entities. 

With user access gradually resuming and trading features still disabled, the exchange is working to stabilize operations and restore trust. “We are working to resume withdrawal, deposit, and trading services for verified users with minimal delay,” the exchange said.

Full platform functionality is expected to return in the coming days, though Nobitex has warned that the timeline may be revised depending on the results of ongoing system checks.