Iran’s largest cryptocurrency exchange, Nobitex, has started to bring its platform back online after a $90M cyberattack disrupted operations earlier this month.
The incident, carried out by the pro-Israel hacking group Gonjeshke Darande, drained the exchange’s wallets and leaked sensitive data.
While the breach sent shockwaves through Iran’s digital asset sector, Nobitex is now restoring withdrawal services in phases, beginning with verified users.
However, lingering concerns remain about its security practices, data handling, and potential ties to politically sensitive financial activities.
Nobitex Restores Access for Verified Users
Nobitex has begun a phased restoration of its services, focusing first on wallet access for users who have completed identity verification.
The platform announced that spot wallet users will be prioritised, with other wallet types expected to follow after security and data integrity checks are completed.
Wallet balances will only become visible once these steps are finalised. According to Nobitex, this staged approach allows the team to minimise risks while continuing to assess and strengthen system security.
Users have been specifically warned not to deposit funds into previously used wallet addresses. Nobitex has fully migrated its wallet infrastructure following the breach, and old addresses are now invalid.
Any transfers sent to them risk being permanently lost. This applies particularly to users running mining rigs or automated withdrawals, who must update their systems or wait for new personal addresses.
While withdrawal services are now active for verified accounts, trading and deposits remain on hold. Nobitex has not committed to a fixed timeline for the full reopening of its platform. Instead, it is allowing technical readiness and security requirements to determine the rollout schedule.
The company says it is working to restore all services with minimal delays, though its tone reflects ongoing caution.
The incident has triggered a national response. Iranian authorities imposed new rules following the hack, requiring all domestic cryptocurrency platforms to limit their operating hours to between 10 am and 8 pm.
This move is aimed at reducing the risk of attacks during less supervised periods and forcing platforms to adhere to tighter oversight.
The central role that Nobitex plays in Iran’s crypto ecosystem has made this breach especially disruptive.
The exchange is responsible for the bulk of digital asset trading activity in the country, reportedly processing $11B in inflows, significantly more than all other Iranian exchanges combined.
This concentration of activity has led to renewed calls for decentralised alternatives and stronger regulatory frameworks.
Hack Reveals Broader Links to More Things
The cyberattack on Nobitex has proven to be more than a simple exploit for financial gain. The group behind the breach, Gonjeshke Darande, is known for politically motivated hacking operations, often targeting infrastructure linked to Iranian interests.
In this case, the group claimed responsibility for the $90M theft, leaked Nobitex’s source code, and destroyed a significant portion of the stolen assets.
Shortly after the hack, the attackers published sensitive internal data, including Know Your Customer records, private communications, and wallet information. The leak raised major concerns, not just about user privacy but also about national security.
Within days, Israeli authorities arrested three citizens accused of spying for Iran. The suspects, aged 19 to 28, were allegedly paid in cryptocurrency to conduct surveillance activities such as photographing military sites, tagging political graffiti, and tracking officials.
According to intelligence analysts, the leaked data from Nobitex may have played a role in tracing the suspects’ crypto transactions.
While no direct link has been confirmed, blockchain analytics firm TRM Labs suggested that the Nobitex hack indirectly exposed payment routes and digital footprints, assisting in the arrests. This implies that the breach had significant real-world consequences beyond financial losses.
Further analysis by Chainalysis revealed that Nobitex had previously processed structured transactions linked to wallets flagged for illicit activity. These included patterns consistent with money laundering tactics, such as using multiple intermediaries to obscure fund origins.
The platform has also reportedly been used to interact with sanctioned entities, raising serious concerns about compliance.
The attack has put Nobitex at the centre of a complex intersection between cryptocurrency, espionage, and geopolitical rivalry.
Its infrastructure, which once served as a gateway for everyday users, now appears to have also facilitated covert financial flows and exposed the risks of centralised exchange operations in politically sensitive environments.
These developments illustrate how vulnerable crypto platforms remain to targeted state-backed cyberattacks, especially in regions experiencing high levels of geopolitical tension.
With state actors increasingly turning to digital assets to fund operations or gather intelligence, exchanges like Nobitex are becoming strategic points of vulnerability in broader international conflicts.
Conclusion
Nobitex’s return to partial service may offer hope to users waiting to retrieve their funds, but the wider consequences of the hack remain unresolved. Beyond the financial damage, the breach has exposed troubling connections to espionage, illicit finance, and state-level conflict.
As the exchange works to rebuild trust and functionality, the case serves as a warning about the risks centralised platforms face in volatile geopolitical contexts.
Nobitex must now navigate technical recovery, regulatory scrutiny, and the reputational fallout of being at the heart of one of 2025’s most controversial cyber incidents.