The recent hack of Nobitex, Iran’s largest cryptocurrency exchange, has rocked the country’s crypto industry, resulting in the loss of over $90 million in assets. However, the security breach on June 18 may have exposed more than just vulnerabilities in the exchange’s infrastructure. An investigation by blockchain intelligence firm Global Ledger has raised serious questions about the platform’s operations, revealing a history of questionable on-chain activities that could be linked to money laundering.
The Scale of the Hack
The hack, which affected multiple blockchains, led to the draining of millions from Nobitex’s wallets. The exchange promptly moved 1,801 BTC (valued at around $187 million) from compromised wallets to new addresses, citing the transfer as a protective measure. However, the findings of Global Ledger’s investigation suggest that these movements were part of a broader, more covert pattern that had been unfolding for months prior to the hack.
Stealthy Fund Movements and Money Laundering Suspicions
Global Ledger’s on-chain analysis revealed a troubling trend of practices often associated with money laundering. The analysis identified peelchains, one-use wallets, and systematic balance sweeps, all of which are typically employed to obfuscate the flow of funds and make them difficult to trace.
Since as far back as October 2024, Nobitex had been using peelchains, a tactic in which funds are gradually split and passed through multiple intermediary wallets, often one-time-use addresses, before being sent to their final destination. This technique is designed to mask the movement of large amounts of crypto and obscure their trail, making it harder for investigators to track the flow of assets.
In addition to peelchains, the investigation found that several hot wallets linked to Nobitex consistently moved exactly 30 BTC between addresses. These funds were often funneled through one-time-use intermediaries, with the final destination being either Nobitex exchange addresses or wallets linked to illicit actors.
Evidence of a Central Mixing Layer
Further analysis showed that a wallet cluster used by Nobitex exhibited characteristics of a central mixing layer, a method commonly used for laundering funds. These wallets had short lifespans and were frequently used only once before being abandoned, further suggesting that this was part of a deliberate attempt to hide the origins of the funds.
Adding to the intrigue, the investigation revealed that Nobitex’s “rescue wallet”, which was supposedly deployed after the hack to safeguard remaining funds, had been active for months before the breach. This wallet had been consistently receiving smaller amounts of crypto, hinting at the possibility that the exchange had been quietly siphoning off funds long before the attack. Moreover, Nobitex is reported to have continued similar asset movements even after the hack, holding substantial reserves in the aftermath.
Accusations of Sanctions Violations
The hack was claimed by Gonjeshke Darande, a pro-Israel hacker group, which accused Nobitex of being Iran’s “favorite sanctions violation tool.” According to the group, Nobitex had been enabling Iran to circumvent international sanctions by facilitating transactions for illicit purposes, including those linked to the Israel-Iran conflict. The group cited this as one of the main reasons for their decision to target the exchange, amplifying the geopolitical tension surrounding the breach.
Questions Over Nobitex’s Operational Transparency
The findings from Global Ledger raise serious concerns about Nobitex’s transparency and operational integrity. The evidence suggests that the exchange may have been engaged in suspicious activities well before the hack, with questionable fund movements pointing to potential involvement in illicit financial operations. The use of private wallets, short-lived addresses, and balance sweeps strongly hints at an effort to hide transactions, which could point to money laundering or other forms of illicit financial activity.
In addition, the continued use of the “rescue wallet” and ongoing asset movements post-hack have led to further scrutiny of the platform’s commitment to safeguarding user funds and ensuring transparency in its operations.
A Deeper Investigation Needed
The hack on Nobitex, while devastating in terms of financial loss, has revealed a troubling on-chain history that points to deeper issues with the platform’s operational practices. The patterns of fund movements, coupled with accusations of enabling sanctions violations, have raised red flags about the exchange’s involvement in potentially illegal activities.
While Nobitex has yet to address these allegations directly, the investigation by Global Ledger suggests that a more thorough examination of the exchange’s operations is warranted. The crypto industry, already struggling with concerns over security and regulatory compliance, must take these revelations seriously to ensure that exchanges operate with the transparency and accountability needed to protect users and prevent illicit activity in the future.
As the fallout from the hack continues to unfold, the investigation into Nobitex’s practices could have far-reaching implications for the crypto industry, particularly in how exchanges are regulated and monitored for suspicious activity.