Nobitex Hack pulls curtains on months of suspicious fund movements

by Alison Buckland



The recent hack on Nobitex, Iran’s largest crypto exchange, dealt a major blow to the country’s crypto industry, draining millions in user funds. But the breach may have revealed more than just security flaws, as troubling on-chain history raises questions over the platform’s operations.

According to BeInCrypto, an investigation by blockchain intelligence firm Global Ledger into the June 18 Nobitex hack has found that the platform may have been engaging in stealthy fund movements well before the cyberattack. 

Per the report, on-chain analysis has revealed a pattern of practices typically linked to money laundering, such as peelchains, one-use wallets, and systematic balance sweeps, deeply embedded in the exchange’s infrastructure.

The attack on Nobitex affected multiple chains, resulting in the loss of over $90 million in assets. Shortly after the breach, Nobitex moved 1,801 BTC (worth around $187 million) from exposed wallets to new addresses. While the exchange described this as a protective measure, the investigation shows similar movement patterns had been occurring quietly for months.

Hot Wallets, Cold Moves: Nobitex’s shady crypto shuffle

Since as far back as October 2024, Nobitex has been using a stealth tactic known as peelchains, a method where funds are gradually split and passed through intermediaries or one-time-use wallets. This technique is used to quietly move large amounts of crypto, while obscuring their trail and making them difficult to trace.

On multiple occasions, several hot wallets tied to Nobitex repeatedly passed exactly 30 BTC between addresses, often through one-time-use intermediaries. Funds in these flows were eventually sent to exchange addresses or, in some cases, destinations linked to illicit actors.

Additionally, the investigation traced funds moving in and out of a wallet cluster that behaved like a central mixing layer. Many of these wallets had a short lifespan and were used just once before being abandoned, suggesting an intentional scheme to avoid detection.
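The pattern described above (value forwarded through consecutive one-time-use wallets while small amounts are split off) can be flagged with a simple graph heuristic. The sketch below is an added example, not Global Ledger's methodology or code from the report; the single-source transaction model, the placeholder addresses, and the `min_hops` and `max_peel_ratio` thresholds are all assumptions chosen for illustration.

```python
# Constructed sample transfers (placeholders, not real Nobitex data). Each tx
# spends from one address and pays (address, BTC) outputs; fees are ignored.
TXS = [
    {"src": "hot_A", "outs": [("hop_1", 30.0), ("hot_A_change", 12.5)]},
    {"src": "hop_1", "outs": [("hop_2", 29.0), ("dest_X", 1.0)]},
    {"src": "hop_2", "outs": [("hop_3", 27.5), ("dest_Y", 1.5)]},
    {"src": "hop_3", "outs": [("hop_4", 26.5), ("dest_Z", 1.0)]},
    {"src": "hop_4", "outs": [("exchange_dep", 26.5)]},
    {"src": "user_1", "outs": [("shop", 0.2), ("user_1_change", 0.3)]},
]

def build_index(txs):
    """Map each address to the txs it funded and to how often it was paid."""
    spends, receipts = {}, {}
    for tx in txs:
        spends.setdefault(tx["src"], []).append(tx)
        for addr, _ in tx["outs"]:
            receipts[addr] = receipts.get(addr, 0) + 1
    return spends, receipts

def is_one_time(addr, spends, receipts):
    """One-time-use address: paid exactly once, spent from exactly once."""
    return receipts.get(addr, 0) == 1 and len(spends.get(addr, [])) == 1

def trace_peel_chain(addr, spends, receipts, max_peel_ratio=0.2):
    """Follow the largest output through consecutive one-time-use addresses,
    collecting the small outputs peeled off at each hop."""
    hops, peels = [], []
    while addr not in hops and is_one_time(addr, spends, receipts):
        outs = sorted(spends[addr][0]["outs"], key=lambda o: o[1], reverse=True)
        total = sum(amount for _, amount in outs)
        if sum(amount for _, amount in outs[1:]) > max_peel_ratio * total:
            break  # value is split too evenly to be a peel
        hops.append(addr)
        peels.extend(outs[1:])
        addr = outs[0][0]
    return {"hops": hops, "peels": peels, "sink": addr}

def find_peel_chains(txs, min_hops=3):
    """Report chains of at least min_hops one-time-use hops, starting only
    from outputs of reused (non one-time) addresses to avoid sub-chains."""
    spends, receipts = build_index(txs)
    chains = []
    for tx in txs:
        if is_one_time(tx["src"], spends, receipts):
            continue
        for addr, _ in tx["outs"]:
            chain = trace_peel_chain(addr, spends, receipts)
            if len(chain["hops"]) >= min_hops:
                chains.append({"source": tx["src"], **chain})
    return chains
```

On the constructed data, only the flow leaving `hot_A` is reported; the ordinary payment from `user_1` is ignored because its outputs are never forwarded through one-time-use hops.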

Further evidence shows that Nobitex’s “rescue wallet,” which was supposedly deployed after the hack to safeguard the remaining funds, had been active for months prior, consistently receiving chipped-off funds. The exchange has also continued similar asset movements post-hack and is said to still hold substantial reserves.

Global Ledger’s findings now raise questions about Nobitex’s operational transparency, including possible ties to illicit activity such as money laundering.

Gonjeshke Darande, the pro-Israel hacker group that claimed responsibility for the attack, previously accused Nobitex of being Iran’s “favorite sanctions violation tool.” The group also cited this as a key reason for targeting the exchange, claiming it as part of a broader retaliation effort tied to the Israel-Iran conflict.


