What Happened
On June 18, 2026, the hacker group Predatory Sparrow (Gonjeshke Darande) claimed responsibility for draining more than $90 million from Nobitex, Iran's largest cryptocurrency exchange. The group announced the operation on Telegram, stating the funds were routed to vanity blockchain addresses containing no usable private keys. The phrase 'F*ckIRGCterrorists' was embedded in the public-key data of the destination addresses. The funds cannot be moved, spent, or recovered. They are permanently unspendable. Predatory Sparrow did not steal the money in any financial sense. It burned it.
The previous day, June 17, Predatory Sparrow also claimed responsibility for a cyberattack on Bank Sepah, an Iranian state bank with documented Islamic Revolutionary Guard Corps ties. The dual operations followed two weeks of escalating kinetic conflict: Israel struck Iranian nuclear and missile infrastructure starting June 13, and the United States and Iran signed a ceasefire memorandum on June 17 that excludes Israeli operations from its constraints. Both the Nobitex hack and the Bank Sepah attack occurred within hours of that ceasefire signing, a timing that security analysts have called deliberate.
The OFAC Designation Set the Stage
On June 2, 2026, the US Treasury's Office of Foreign Assets Control designated Nobitex and three other Iranian cryptocurrency exchanges: Wallex, Bitpin, and Ramzinex. The four exchanges collectively processed approximately 78% of Iran's 2025 cryptocurrency transaction volume. OFAC alleged that Nobitex facilitated IRGC-linked transactions, processed ransomware payments for IRGC-affiliated actors, and helped Iran's Central Bank access hundreds of millions in stablecoins to support the rial and circumvent Western sanctions. The designation publicly mapped Nobitex as IRGC financial infrastructure in a document that Predatory Sparrow could reference sixteen days later.
Predatory Sparrow also leaked what it described as Nobitex's complete source code. TRM Labs analysis of that code found three sophisticated anti-surveillance modules labeled owshen, zpk, and incentivized_mixer, designed to defeat blockchain intelligence clustering. VIP accounts were found to bypass standard compliance logic entirely. The source code analysis independently corroborates the OFAC designation: the technical architecture confirms that Nobitex was engineered to evade the very surveillance frameworks designed to detect IRGC-linked financial flows. The hack did not reveal this. The OFAC designation did. Predatory Sparrow made use of the intelligence.
A Political Statement, Not a Financial Crime
Most exchange hacks are financially motivated. Predatory Sparrow's Nobitex operation was not. The group made that explicit in its public statement: the funds were destroyed, not extracted. Routing $90 million to vanity addresses with no private keys is not a technically sophisticated way to steal money. It is the most unambiguous way to ensure money cannot be moved by anyone, including the attacker. The political message embedded in the address data underlines the intent. Predatory Sparrow was sending a message that could be read on-chain and attributed to no recoverable wallet, because the wallet was designed to be unspendable from the moment the transaction was signed.
The destruction method also functions as a form of cryptographic proof. Because the destination addresses are verifiably vanity addresses with known derivation patterns and no accessible private keys, any forensic analyst can confirm independently that the funds did not go to Predatory Sparrow or to any party capable of spending them. The operation leaves a permanent, verifiable record on the blockchain: $90 million reduced to unspendable dust by a group that wanted the act witnessed, not the money. The record also confirms that Predatory Sparrow's objective was deniability over the funds and permanence of the message, two qualities incompatible with ordinary theft.
What This Means for You
If you held funds on Nobitex, the operational lesson is as blunt as it gets. An exchange that serves as regime financial infrastructure becomes a target in state-level conflicts. The IRGC designation publicly identified Nobitex as a military-financial asset. Predatory Sparrow destroyed it sixteen days later. Nobitex's users did not designate the exchange as IRGC infrastructure. They did not negotiate the policy choices that made it a target. They did not choose to become collateral in a state-level cyberwar. But their funds paid for all of it.
The wider lesson is structural, not specific to Iran. Any exchange that serves as infrastructure for state-level financial activity, whether that is sanctions evasion, central bank access, or regime capital preservation, is exposed to state-level adversaries who treat the exchange as a military target rather than a commercial entity. That threat model is different from ordinary exchange hack risk. It is not mitigated by better password hygiene or two-factor authentication. The adversary is a nation-state-affiliated group acting on strategic rather than financial objectives. That adversary category does not care about your account balance. It cares about the exchange's role in a geopolitical conflict.
Most exchanges are not IRGC sanctions-evasion infrastructure. The Nobitex lesson does not mean that every exchange is a wartime target. What it means is that an exchange inherits the political exposure of whatever role it plays, and that role is rarely visible to the people holding accounts on it. Nobitex's users were not parties to the IRGC designation, the sanctions, or the conflict, but their balances absorbed all three because the exchange was a contested asset in someone else's war. A balance held inside an institution is conditional on that institution's standing with every state that can reach it. The custody and the asset are the same thing only when you hold the keys: then no designation, ceasefire, or hostile state changes what you control, because nobody else's strategic position is sitting between you and your coins.
What to Watch
Watch whether Nobitex or Iranian authorities provide any confirmed account of the hack's technical vector: Predatory Sparrow has not published its methodology and the entry point is unconfirmed. OFAC follow-on actions may target Wallex, Bitpin, and Ramzinex, the three other June 2 designees that have not yet been hit. Any US government response to the hack bears watching: the ceasefire memorandum may create diplomatic pressure to distance Washington from Israeli cyberoperations against Iranian financial infrastructure, or it may not. Nobitex user responses are another signal, as is whether Iranian authorities compensate affected account holders. The Israeli government's posture toward public attribution will matter too, because Predatory Sparrow's open Telegram announcement makes implicit acknowledgment legible even without official statements. And watch the broader implication for custodial exchange users in any jurisdiction where an exchange's regulatory posture could make it a target in a geopolitical conflict.