Nobitex, Iran’s largest cryptocurrency exchange, has begun restoring access to user wallets following a devastating cyberattack earlier this month that resulted in the theft of more than $90 million in digital assets. The recovery efforts are being rolled out in stages as the platform works to verify user identities and implement upgraded security infrastructure.
In a public statement issued Sunday, Tehran-based Nobitex confirmed that it had begun reactivating wallet access for verified users, starting with spot trading wallets, while additional wallet services - such as custodial, mining, and trading bots - would be brought online as further identity checks are completed.
“We are working to resume withdrawal, deposit, and trading services for verified users with minimal delay,” the exchange said, while cautioning that the timeline may shift based on technical issues or enhanced security requirements. The phased reboot comes in the aftermath of one of the most severe cyber incidents to hit Iran’s fintech sector, not only exposing gaps in Nobitex’s infrastructure but also prompting regulatory action by Iranian financial authorities.
The Nobitex hack, which took place in early June, resulted in the loss of $90 million worth of cryptocurrencies, including large amounts of Bitcoin, Ethereum, Tether, and other ERC-20 tokens. Blockchain analytics firms traced the stolen assets through multiple wallets and obfuscation techniques, making recovery extremely difficult.
Nobitex did not disclose the exact vector of the breach but described it as a “targeted, sophisticated cyberattack” involving extensive data compromise and wallet penetration. The platform was forced to take all trading and wallet services offline and initiate a full system migration, which is still ongoing.
The scale and coordination of the attack led Iran’s central bank and other regulatory bodies to intervene, issuing temporary directives to all domestic crypto platforms.
Users Warned: Old Wallet Addresses No Longer Valid
As part of its system overhaul, Nobitex has revoked all previously issued wallet addresses and warned users not to send funds to old deposit addresses.
“Deposits made to outdated wallet addresses may result in permanent loss of funds,” the company stated. “Users operating mining rigs, payment bots, or automated withdrawals must update configurations immediately.”
Nobitex said it would issue new wallet addresses to verified users after their identity checks are complete. Balances will only become visible once all security audits and data consistency validations are finalized.
This change affects not only individual investors but also crypto miners, a significant user segment in Iran due to the country’s subsidized energy sector and its complex relationship with sanctioned cross-border crypto flows.
In a bid to prevent further breaches, Iranian authorities have ordered all domestic crypto exchanges to restrict their operational hours, mandating that services only run between 10 a.m. and 8 p.m. local time.
The measure is intended to minimize the risk of after-hours cyberattacks, especially during periods when security staffing and monitoring capabilities are limited. While this is seen as a stopgap solution, critics argue that it reflects deeper vulnerabilities in the country’s cyber defense strategy.
Security analysts noted that Iran’s crypto sector has become increasingly attractive to both criminal and state-linked adversaries, particularly due to the government’s use of digital assets to bypass international sanctions.
The incident highlights the growing intersection of cybersecurity, digital finance, and geopolitical conflict in the Middle East.
Predatory Sparrow Claims Responsibility: A New Front in Cyberwarfare?
In a development that has further politicized the attack, the pro-Israel hacking group Predatory Sparrow (Gonjeshke Darande) claimed responsibility for the breach. The group posted messages on Telegram and other platforms taking credit for the exploit, marking it as part of a broader cyber campaign against Iranian infrastructure.
Predatory Sparrow has been previously linked to high-profile cyberattacks on Iranian industrial facilities, rail systems, and government databases, often leaving digital calling cards mocking the Islamic Republic.
While their involvement in the Nobitex attack has yet to be independently confirmed by cybersecurity firms, the claim has escalated tensions and reinforced fears that digital finance platforms are now frontline targets in regional cyberwarfare.
If confirmed, the Nobitex exploit would mark one of the first known geopolitical-motivated crypto exchange hacks, rather than a profit-driven criminal exploit.
Nobitex is by far the largest crypto exchange in Iran, reportedly processing over 70% of the country’s digital asset trading volume. It serves millions of users and is integrated into a wide array of financial services, including merchant payments, mining payouts, and informal remittance flows.
As Iran has increasingly turned to crypto for economic resilience amid decades of U.S. and EU sanctions, Nobitex has played a central role in facilitating crypto-fiat liquidity, enabling businesses and individuals to convert rials into dollar-linked stablecoins and other crypto assets.
The attack, therefore, does not just represent a technical failure - it signals a broader threat to Iran’s financial sovereignty in the digital age. It also exposes the fragile infrastructure underpinning the country’s crypto-dependent workaround to the global financial system.
User Confidence and Market Impact: Long Road Ahead
The Nobitex hack has dealt a significant blow to user trust, not just in the platform but across Iran’s crypto ecosystem. While Nobitex has pledged to make users whole and is working on internal security audits, many users remain skeptical - especially as the exchange has not yet announced a concrete compensation plan for those affected by the breach.
On social media and Iranian crypto forums, users have expressed frustration at the slow recovery process, vague timelines, and lack of real-time updates.
“I can’t see my balance. I can’t deposit. I don’t know when I can withdraw,” one user wrote on Telegram. “It’s like being locked out of your own bank.”
Some have begun shifting their assets to foreign peer-to-peer platforms, even at higher fees, due to fears of ongoing vulnerabilities in the domestic exchange landscape.
The Nobitex breach has raised urgent questions about the security standards of crypto infrastructure in politically isolated nations. With Iranian officials vowing to strengthen cybersecurity frameworks, it remains unclear whether future policy will lean toward greater regulation and oversight - or stricter control and suppression of crypto platforms.
There are also concerns about how the attack may influence future foreign investment in Iran’s burgeoning blockchain and fintech sectors. Any narrative that crypto exchanges in sanctioned nations are vulnerable to cyberwarfare could deter innovation and funding, even as Iran seeks to localize Web3 tools for sovereign use.