OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Geopolitics· Hormuz series· June 18, 2026· 5 min read

Predatory Sparrow Sent Nobitex's $90M to Unspendable Addresses

On June 18, 2026, the Israel-linked hacker group Predatory Sparrow claimed responsibility for draining more than $90 million from Nobitex, Iran's largest cryptocurrency exchange, and destroying the funds by routing them to vanity blockchain addresses with no usable private keys and an anti-IRGC message embedded in the address data. The same group hacked Bank Sepah, an IRGC-linked state bank, the day before. Two weeks earlier, OFAC had designated Nobitex and three other Iranian exchanges covering approximately 78% of Iran's 2025 crypto volume as Islamic Revolutionary Guard Corps (IRGC) sanctions-evasion infrastructure. The hack came one day after the US and Iran signed a ceasefire memorandum that does not constrain Israeli operations. The $90 million was not stolen. It was burned as a geopolitical statement, and Nobitex's users are the collateral.

Key takeaways

  1. On June 18, 2026, Predatory Sparrow (Gonjeshke Darande), a hacker group assessed by security researchers as affiliated with Israel, claimed responsibility for draining more than $90 million from Nobitex, Iran's largest cryptocurrency exchange. The funds were routed to vanity blockchain addresses with no accessible private keys, embedding the phrase 'F*ckIRGCterrorists' in the public-key data. Predatory Sparrow did not retain the value. The funds are permanently unspendable. This was a political destruction, not a financial theft.
  2. The group also claimed responsibility for a cyberattack on Bank Sepah, an Iranian state bank with documented Islamic Revolutionary Guard Corps (IRGC) ties, on June 17. Both operations run alongside kinetic conflict: Israel struck Iranian nuclear and missile infrastructure starting June 13, and the US and Iran signed a ceasefire memorandum on June 17 that does not constrain Israeli operations. The Nobitex hack is the financial-domain track of the same conflict.
  3. On June 2, 2026, OFAC designated Nobitex and three other Iranian cryptocurrency exchanges: Wallex, Bitpin, and Ramzinex. The four exchanges collectively handled approximately 78% of Iran's 2025 crypto volume. Treasury alleged Nobitex facilitated IRGC-linked transactions, processed ransomware payments for IRGC-affiliated actors, and helped Iran's Central Bank access hundreds of millions in stablecoins to support the rial and evade Western sanctions. The OFAC action publicly mapped Nobitex as IRGC financial infrastructure.
  4. Predatory Sparrow also leaked what it described as Nobitex's full source code. TRM Labs analysis found sophisticated anti-surveillance modules (labeled owshen, zpk, and incentivized_mixer) designed to defeat blockchain intelligence clustering. VIP accounts bypassed standard compliance logic entirely. The leaked code confirms the OFAC designation with technical specificity: Nobitex was infrastructure built to evade the surveillance frameworks designed to detect that operation.
  5. The structural lesson for any custodial crypto holder: when an exchange serves as regime financial infrastructure, it becomes a target in state-level conflicts. Nobitex's users did not create the IRGC exposure, did not negotiate the sanctions designation, and did not participate in the decisions that made the exchange a military target. Their funds paid for all of it. Hold your own keys and the exchange layer, with its geopolitical exposure, drops out of your threat model.

What Happened

On June 18, 2026, the hacker group Predatory Sparrow (Gonjeshke Darande) claimed responsibility for draining more than $90 million from Nobitex, Iran's largest cryptocurrency exchange. The group announced the operation on Telegram, stating the funds were routed to vanity blockchain addresses containing no usable private keys. The phrase 'F*ckIRGCterrorists' was embedded in the public-key data of the destination addresses. The funds cannot be moved, spent, or recovered. They are permanently unspendable. Predatory Sparrow did not steal the money in any financial sense. It burned it.

The previous day, June 17, Predatory Sparrow also claimed responsibility for a cyberattack on Bank Sepah, an Iranian state bank with documented Islamic Revolutionary Guard Corps ties. The dual operations followed two weeks of escalating kinetic conflict: Israel struck Iranian nuclear and missile infrastructure starting June 13, and the United States and Iran signed a ceasefire memorandum on June 17 that excludes Israeli operations from its constraints. Both the Nobitex hack and the Bank Sepah attack occurred within hours of that ceasefire signing, a timing that security analysts have called deliberate.

The OFAC Designation Set the Stage

On June 2, 2026, the US Treasury's Office of Foreign Assets Control designated Nobitex and three other Iranian cryptocurrency exchanges: Wallex, Bitpin, and Ramzinex. The four exchanges collectively processed approximately 78% of Iran's 2025 cryptocurrency transaction volume. OFAC alleged that Nobitex facilitated IRGC-linked transactions, processed ransomware payments for IRGC-affiliated actors, and helped Iran's Central Bank access hundreds of millions in stablecoins to support the rial and circumvent Western sanctions. The designation publicly mapped Nobitex as IRGC financial infrastructure in a document that Predatory Sparrow could reference sixteen days later.

Predatory Sparrow also leaked what it described as Nobitex's complete source code. TRM Labs analysis of that code found three sophisticated anti-surveillance modules labeled owshen, zpk, and incentivized_mixer, designed to defeat blockchain intelligence clustering. VIP accounts were found to bypass standard compliance logic entirely. The source code analysis independently corroborates the OFAC designation: the technical architecture confirms that Nobitex was engineered to evade the very surveillance frameworks designed to detect IRGC-linked financial flows. The hack did not reveal this. The OFAC designation did. Predatory Sparrow made use of the intelligence.

A Political Statement, Not a Financial Crime

Most exchange hacks are financially motivated. Predatory Sparrow's Nobitex operation was not. The group made that explicit in its public statement: the funds were destroyed, not extracted. Routing $90 million to vanity addresses with no private keys is not a technically sophisticated way to steal money. It is the most unambiguous way to ensure money cannot be moved by anyone, including the attacker. The political message embedded in the address data underlines the intent. Predatory Sparrow was sending a message that could be read on-chain and attributed to no recoverable wallet, because the wallet was designed to be unspendable from the moment the transaction was signed.

The destruction method also functions as a form of cryptographic proof. Because the destination addresses are verifiably vanity addresses with known derivation patterns and no accessible private keys, any forensic analyst can confirm independently that the funds did not go to Predatory Sparrow or to any party capable of spending them. The operation leaves a permanent, verifiable record on the blockchain: $90 million reduced to unspendable dust by a group that wanted the act witnessed, not the money. The record also confirms that Predatory Sparrow's objective was deniability over the funds and permanence of the message, two qualities incompatible with ordinary theft.

What This Means for You

If you held funds on Nobitex, the operational lesson is as blunt as it gets. An exchange that serves as regime financial infrastructure becomes a target in state-level conflicts. The IRGC designation publicly identified Nobitex as a military-financial asset. Predatory Sparrow destroyed it sixteen days later. Nobitex's users did not designate the exchange as IRGC infrastructure. They did not negotiate the policy choices that made it a target. They did not choose to become collateral in a state-level cyberwar. But their funds paid for all of it.

The wider lesson is structural, not specific to Iran. Any exchange that serves as infrastructure for state-level financial activity, whether that is sanctions evasion, central bank access, or regime capital preservation, is exposed to state-level adversaries who treat the exchange as a military target rather than a commercial entity. That threat model is different from ordinary exchange hack risk. It is not mitigated by better password hygiene or two-factor authentication. The adversary is a nation-state-affiliated group acting on strategic rather than financial objectives. That adversary category does not care about your account balance. It cares about the exchange's role in a geopolitical conflict.

Most exchanges are not IRGC sanctions-evasion infrastructure. The Nobitex lesson does not mean that every exchange is a wartime target. What it means is that an exchange inherits the political exposure of whatever role it plays, and that role is rarely visible to the people holding accounts on it. Nobitex's users were not parties to the IRGC designation, the sanctions, or the conflict, but their balances absorbed all three because the exchange was a contested asset in someone else's war. A balance held inside an institution is conditional on that institution's standing with every state that can reach it. The custody and the asset are the same thing only when you hold the keys: then no designation, ceasefire, or hostile state changes what you control, because nobody else's strategic position is sitting between you and your coins.

What to Watch

Watch whether Nobitex or Iranian authorities provide any confirmed account of the hack's technical vector: Predatory Sparrow has not published its methodology and the entry point is unconfirmed. OFAC follow-on actions may target Wallex, Bitpin, and Ramzinex, the three other June 2 designees that have not yet been hit. Any US government response to the hack bears watching: the ceasefire memorandum may create diplomatic pressure to distance Washington from Israeli cyberoperations against Iranian financial infrastructure, or it may not. Nobitex user responses are another signal, as is whether Iranian authorities compensate affected account holders. The Israeli government's posture toward public attribution will matter too, because Predatory Sparrow's open Telegram announcement makes implicit acknowledgment legible even without official statements. And watch the broader implication for custodial exchange users in any jurisdiction where an exchange's regulatory posture could make it a target in a geopolitical conflict.

Nobitex's funds were not stolen. They were burned. When an exchange is regime infrastructure, it becomes a military target, and its users become the collateral.

Sources

  1. [1]US Department of the Treasury, Office of Foreign Assets Control — Designation of Nobitex and Three Iranian Cryptocurrency Exchanges Pursuant to IRGC Sanctions Authorities, June 2, 2026 (official OFAC press release and SDN listing)
  2. [2]Predatory Sparrow (Gonjeshke Darande) — Telegram channel statement claiming responsibility for the Nobitex hack and Bank Sepah cyberattack, June 18, 2026
  3. [3]TRM Labs — Analysis of Nobitex source code disclosing anti-surveillance modules (owshen, zpk, incentivized_mixer) and VIP compliance bypass logic, June 2026
  4. [4]CoinDesk — Reporting on Predatory Sparrow's claimed hack of Nobitex and fund destruction via vanity blockchain addresses, June 18, 2026
  5. [5]The Record by Recorded Future — Predatory Sparrow (Gonjeshke Darande) threat actor profile and reporting on June 2026 operations against Nobitex and Bank Sepah
  6. [6]Reuters — Reporting on the US-Iran ceasefire memorandum signed June 17, 2026, and provisions excluding Israeli military operations from its constraints
  7. [7]Associated Press — Reporting on Israeli military strikes on Iranian nuclear and missile infrastructure, June 13-17, 2026
  8. [8]OFAC SDN List — Bank Sepah designation as an entity linked to the Islamic Revolutionary Guard Corps (historical, maintained current designation)
  9. [9]Mandiant (Google Threat Intelligence) — Predatory Sparrow attribution research and documented operational history including 2021 Iranian rail attack and 2022 Iranian steel plant attacks
  10. [10]Wired / MIT Technology Review — Background research on Predatory Sparrow's identity assessment as Israel-affiliated and its track record of politically destructive cyberoperations against Iranian infrastructure
Hormuz series · Part 10 of 12
← Previous part
Geneva Deal June 19 Ends Iran's Bitcoin Toll
Next part →
Drone Strike Tests the Hormuz Bitcoin-Toll Ceasefire

More in Hormuz

IRGC Missiles Reach Bahrain and KuwaitDrone Strike Tests the Hormuz Bitcoin-Toll CeasefireGeneva Deal June 19 Ends Iran's Bitcoin Toll